Valve has released a beta version of its Steam Client software for Windows which resolves a privilege escalation vulnerability it had previously dismissed as being unworthy of its attentions.
The world's most popular digital distribution platform for games, Valve's Steam offers a range of additional features above and beyond allowing you to spend your hard-earned cash on software: The modern Steam client does everything from streaming games to lower-powered devices around the house to keeping your save games synchronised between multiple computers - and, as a Russian security research discovered, comes with the added 'feature' of allowing any software to escalate to administrative privileges on Windows.
Researcher Vasily Kravets had originally reported the serious security flaw to Valve through the HackerOne bug bounty programme, but had been rebuffed as the flaw being outside of the scope of Valve's bounty programme. Kravets even went so far as to accuse Valve of potentially inserting, or at least maintaining, the privilege escalation vulnerability as a deliberate back door into client systems, saying that 'it looks like Valve wants these EoP [escalation of privilege] vulnerabilities to be present in the software.'
Thankfully, Valve appears to be working to dispel that particular claim: The company has released a beta version of its Steam software which claims to fix the issue, removing the ability for any software with the ability to write to the Windows Registry to use Steam as a means of gaining administrative-level privileges and taking over the entire system.
Released late Friday, then re-released with an additional bug fix on Saturday, the latest Steam Client Beta claims it has 'fixed [the] privilege escalation exploit using symbolic links in Windows registry,' though details are not provided. What is also not mentioned is why the bug report was initially dismissed, nor why privilege escalation vulnerabilities are now specifically excluded from the company's bug bounty programme - a move which makes it considerably less likely a security researcher will bother to look for and report such issues to the company in the future.
Valve has not yet indicated when the fix will be available for those not running the beta branch of the Steam client.
March 25 2020 | 14:00