100 Million Steam Gamers Exposed to Zero-Day Flaw
By: Jim Stickley and Tina Davis
August 18, 2019
Millions of users of the popular Steam gaming platform are at risk of a zero-day privilege escalation attack. A recently discovered vulnerability affects Steam gamers on Windows 10, putting them at risk of an attacker gaining access to and control of their device. That’s bad news for Steam fans, as their different programs can be pirated by a hacker with elevated access rights due to the flaw. The concern is that this bug can lead to a Steam user’s device being infected by malware, and no gamer wants that. Unfortunately, it’s a very easy attack to launch.
The security researcher who discovered the vulnerability found that it takes little work for a hacker to gain and change access privileges with Steam. The researcher found that a new registry key can be modified by creating a subkey and then restarting services. This allows certain SYSTEM privileges on Windows to be modified, which in turn allows an attacker to launch other services with increased SYSTEM privileges. That’s a scary prospect, especially considering how many children are Steam fans and use their own or their parents’ devices to play. Those running Windows 10 and Steam are open to having malware installed that can steal passwords, data, and much more. Game over.
This Steam flaw is a zero-day vulnerability, meaning the amount of time before an attack can be launched is zero days, or that the flaw is already being actively exploited. There is very little time between when the vulnerability is discovered and when an attack can take place. Valve Corporation, the owner of Steam, is at the center of this security glitch. After Valve was first notified about the bug, they determined it “Not Applicable.” Concerned by Valve’s initial inaction, a security researcher waited 45 days before making the vulnerability public. Valve now acknowledges the weakness and has made a security patch available.
There are steps gamers, parents and other users can take to minimize exposure to security flaws. Since it’s never too early to be safe online, parents should educate their children about cyber-smarts. Make sure kids download apps in your presence and pay attention to the many pop-up windows asking for access to unnecessary information. Those with bad intent use pop-up permissions to infiltrate sensitive data like name, age, location, and contacts. Always download from official sites and never sideload apps from questionable sources. Email phishing is also a hacker favorite, so beware of emails from strange senders and never click on email links or attachments.
Of course, this goes for all devices that run software, and that includes gaming systems: when updates are available, apply them immediately, as they often contain fixes for security bugs. Another piece of good advice for all internet-connected devices: when you’re done playing Steam or done for the day, always shut the system down.