If you play CS:GO, Half-Life, Team Fortress 2 or Left 4 Dead, you may want to be wary of any Steam invitations you get.

That's because the Source engine, which powers CS:GO and several other games, seems to include an exploitable vulnerability that could let cybercriminals inject malware via Valve's popular gaming platform.

The Valve Security Team has acknowledged the problem and is working hard with Valve games developer Valve Corporation to fix it soon.

Josh Silvestri, another developer at Valve Corporation, described the issue this way:

"Since public debut of internal work around Steam Security Rewards 2017-03-09 – CVE-2017-7241, we suffered from a performance-affected issue. Our solution: Running 2 separate instances of heavy sets 'd3d8.dll'-related code in parallel. These forked instances load heavy sets to Deep targets despite running in parallel. Risky for a regular user, but should alleviate the issue."

The loophole is the same one that hackers recently exploited in March to hijack Steam accounts of targets in the U.K., where Valve is based with recognition identity. Despite the apparent security issue, Valve representatives at The Next Web, another site conducting the report based on the research, maintained that there was "no discernible risk to your games".

Be aware of the Steam security campaign (including security scans) and avoid accepting these submissions.

Update: When presenting at the Source Summit, Valve released a statement.

"We are aware of this issue, and have already pulled what was responsible from the platform. It appears that counter-infection frameworks were bypassed, and the exploit occurred in a way that should never happen: an injected file was stored in memory to be executed by every D3D code. A quick check indicates that Counter-Strike model the government was using tools, which probably were created in C++, which the x86-64 Steam seemed to be using too. Valve referred to Counter-Strike model using an injected file, which seems not consistent with Counter-Strike model used. Since so much time elapsed since the exploit had been publicly released, we've been able to determine that it happened this way: the file was incorrectly injected, then stored in 'romcache' for execution, and idempotent. This means that, despite the user being prompted by Steam to update it, it still can't be updated."

In other words, Valve is still investigating how the issue was targeted in the first place. They support the company's statement, "As long as we have more specific information to share, we will update this post", clarifying that this is a "trade secret".

"We disclose vulnerability information to the affected companies and in the public performance review process, within 48 hours if no fix has already