Security researcher Vasily Kravets warns of second zero-day Steam vulnerability

Valve banned Kravets from its security notification programme after he was forced to go public on a rejected security flaw

Russian security researcher Vasily Kravets has released details of another zero-day vulnerability affecting Valve's Steam gaming client.

This is the second zero-day vulnerability disclosed by Kravets to the public domain in the past two weeks - but this time Kravets was forced to go public after Steam banned him from its notification programme.

We all have a vulnerable piece of software on our computers because Valve wanted to stick their heads in the sand and act like children

Kravets said that after he notified Valve about the first bug and subsequently went public about it after his warnings were ignored, he was banned from submitting new bug reports to the company via its HackerOne platform. He therefore had no choice but to publicly disclose the new zero-day flaw.

"I received a lot of feedback. But Valve didn't say a single word, HackerOne sent a huge letter and, mostly, kept silence," Kravets wrote in a blog post.

"Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection programme (the rest of H1 is still available though)."

The second zero-day discovered by Kravets is another elevation of privilege/local privilege escalation (EoP/LPE) flaw in the Steam client, which could enable a malicious programme to get admin rights through Valve's Steam app.

Steam is by far the most popular online platform for PC gaming with thousands of games and apps. However, it has been criticised for insufficient curation of its store, setting a low bar for inclusion, enabling hundreds of poor quality games to be hawked on its platform.

According to Kravets, the bug can be exploited in three steps:

Like the first bug, the second one also requires an attacker to have access to the target system and the ability to write files locally. If these conditions are met, the attacker could use the Steam app to execute malicious DLL files. Eventually, the flaw could potentially give the attacker a greater control over the system, allowing them to further download other malware on the target system.

The story around Valve's Steam client service started earlier this month when Kravets disclosed an EoP/LPE flaw affecting the Steam service. Kravets said he reported the flaw to Valve, but his report was rejected by the company for being out of scope.

On 7th August, Kravets released the details of the flaw in public domain, with the hope that it "will bring Steam developers to make some security improvements".

Although Valve initially said that it won't fix the bug, the decision eventually led to massive outcry among Steam users, which forced the company to release a fix for the flaw.

But, the patch released by Valve was proved to be insufficient as another researcher claimed that he had found an easy way to bypass the patch.

Well-known security researcher Matt Nelson said that the vulnerability arises as the "USERS" group gets full permission to access the Steam installation folder at C:\Program Files (x86)\Steam.

He also revealed that had reported the same bug to the company via its HackerOne programme, but got a similar response from the company. Online, Valve has been criticised for arrogance for failing to take legitimate security reports seriously.

"Right now, we all have a vulnerable piece of software on our computers because Valve wanted to stick their heads in the sand and act like children instead of taking InfoSec seriously," commented gaming industry consultant Angelus de Mortiel.