Valve updates Steam over escalation of privilege security flaw - but accused of ignoring other vulnerabilities

Valve Software says it has released a fix for the zero-day local privilege escalation (LPE) flaw recently disclosed in the Windows version of its Steam gaming client.

However, the security researchers who discovered the flaw are not satisfied with the solution and warn that the company is ignoring a number of local privilege escalation (LPE) vulnerabilities in the popular Steam gaming service.

The vulnerability in the Windows version of Steam was first reported by security researcher Vasily Kravets, who said that the flaw lies within the Steam Client Service, and could let any user run arbitrary code with LocalSystem privileges by using only a limited set of commands.

Kravets also noted that unprivileged users are allowed to start and stop the Steam Client Service, which is what makes the flaw easy to exploit. According to Kravets, the issue was reported to Valve Software but was rejected by the company as "out of scope".

Kravets therefore released details of the vulnerability on 7th August, forcing Valve to take action.

Another security researcher, Matt Nelson, independently discovered the same vulnerability in the Steam Client and reported it to Valve Software, but was likewise told that the issue was "out of scope" and would not be fixed.

Valve's decision led to an outcry among users of Steam, which has more than one billion accounts and more than 90 million daily users, and forced the company to reconsider.

Finally, on Friday, the company announced that it was releasing a fix for the issue.

After examining the patch, the researchers revealed that they were not satisfied with Valve's solution.

They claim that while the company may have patched one flaw within the Steam Client Service, other gaping security holes still exist in the service, which could be used by attackers to elevate privileges via DLL hijacking.

According to Nelson, the vulnerability arises because the "USERS" group is granted full control over the Steam installation folder at C:\Program Files (x86)\Steam, so any local account can write to it.

Because any local user can write to that folder, an attacker can replace a DLL that the Steam Client Service loads with a malicious one; when the service, which runs as LocalSystem, loads the replaced library, the attacker's code runs with SYSTEM privileges.

"Yeah, C:\Program Files (x86)\Steam being completely open is a terrible issue that has been present for quite some time. They do attempt to do some signature validation on those files, but I doubt it's sufficient," Nelson told BleepingComputer.
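The condition Nelson describes can be checked from an ordinary user session. The PowerShell below is an added example and is not code from Valve or from either researcher; it audits a directory's NTFS ACL for write-capable rights granted to principals every local user holds (Users, Everyone, Authenticated Users, INTERACTIVE), lists the DLLs under the install tree that such a principal could overwrite, and shows one way an administrator can tighten the folder. The function names, the default path (taken from the article) and the set of "broad" principals are this example's own assumptions.

```powershell
# Added example, not Valve's or the researchers' code. Audits the precondition for
# DLL hijacking described above: a folder a LocalSystem service loads libraries from
# that low-privilege principals can write to.
# Assumptions: default path as named in the article; run the audit functions from an
# unprivileged session so you see exactly what an attacker would see.

# Principals that effectively mean "any local user" (assumed list for this example).
$script:BroadPrincipals = @('Users', 'Everyone', 'Authenticated Users', 'INTERACTIVE')

# Rights that let the holder create, overwrite or remove files under a directory.
# Inherited ACEs sometimes carry generic bits instead, so GENERIC_ALL (0x10000000)
# and GENERIC_WRITE (0x40000000) are folded into the mask as well.
$script:WriteRights = [int][System.Security.AccessControl.FileSystemRights]'FullControl, Modify, Write, CreateFiles, DeleteSubdirectoriesAndFiles'
$script:WriteRights = $script:WriteRights -bor 0x10000000 -bor 0x40000000

function Find-WeakAce {
    # Returns one object per Allow ACE on $Path that grants a broad principal a
    # write-capable right. Works for both directories and files.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who   = $ace.IdentityReference.Value          # e.g. BUILTIN\Users
        $short = $who.Split('\')[-1]
        if ($script:BroadPrincipals -notcontains $short) { continue }
        # Cast to [int] so raw generic-right values and named flags are compared alike.
        if (([int]$ace.FileSystemRights -band $script:WriteRights) -eq 0) { continue }
        [PSCustomObject]@{
            Path      = $Path
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Scope     = $ace.InheritanceFlags
        }
    }
}

function Find-HijackableDll {
    # Walks the install tree and lists DLLs a broad principal could replace, either
    # through the file's own ACL or through write/delete rights on its directory.
    param([string]$Root = 'C:\Program Files (x86)\Steam')

    $weakDirs = @{}
    if (Find-WeakAce -Path $Root) { $weakDirs[$Root] = $true }
    Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { if (Find-WeakAce -Path $_.FullName) { $weakDirs[$_.FullName] = $true } }

    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $weakDirs.ContainsKey($_.DirectoryName) -or (Find-WeakAce -Path $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

function Protect-InstallDirectory {
    # Needs an elevated session. Breaks inheritance (keeping existing ACEs as explicit
    # ones), removes every ACE held by $Principal and re-grants ReadAndExecute only,
    # so the service can still load the DLLs but ordinary users cannot replace them.
    # Caveat: an application that updates itself as the interactive user may stop
    # updating after this; check its update mechanism before rolling the change out.
    param([Parameter(Mandatory)][string]$Path, [string]$Principal = 'BUILTIN\Users')

    # Pass 1: persist the inheritance break so the copied ACEs become explicit.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Pass 2: drop the broad principal's rights and add a read/execute rule that
    # propagates to subfolders and files.
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Principal)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Principal, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Read-only audit (no elevation needed):
Find-WeakAce -Path 'C:\Program Files (x86)\Steam' | Format-Table -AutoSize
Find-HijackableDll | Format-Table -AutoSize
# Remediation, only after testing the caveat above, from an elevated prompt:
# Protect-InstallDirectory -Path 'C:\Program Files (x86)\Steam'
```

Run the two audit calls as a normal user on any machine with the client installed; a non-empty result from Find-WeakAce on the install root, or any DLL listed by Find-HijackableDll, is the writable-library condition the researchers warn about. The same audit applies unchanged to any other directory a SYSTEM service loads code from.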

Valve's Steam is the most popular digital distribution platform for games.

In addition to providing an online store for the sale of PC games running on Windows, Linux and macOS, it also provides the infrastructure for developers to run online multiplayer games, and to patch and update their software. It also sells software tools, although these are largely oriented towards game development.

However, the company has been accused of being lackadaisical in response to emerging competitive threats, operating a toxic corporate culture despite its supposed flat, egalitarian structure and, worst of all, failing to rapidly fix vulnerabilities reported to it via its own bug bounty programme.

It is worth noting here that in 2011, hackers compromised the systems of Valve Software and stole customer data from the firm's Steam gaming service.

Last year, Valve Software paid a $25,000 bug bounty to a hacker for discovering a Steam 'free games' exploit that could have been used to generate free game keys.