A remote code execution vulnerability has been discovered in the Steam gaming client that could allow attackers to bypass user account controls.
Steam was the online gaming environment developed by Valve and used by some 54 million players.
On 17 September, London-based penetration tester Graham Sutherland (@gsuberland) disclosed the flaw to Valve via its support ticket system. He included full technical details and a potential fix.
In an addendum sent five days later, he said malware could from guest gain administrative rights by waiting for Steam to escalate privileges before exploiting the vulnerability.
Sutherland disclosed details of the flaw on his blog after Valve closed the support ticket and failed to follow up with him on whether it was moving to patch the vulnerability.
Why do we still have to drop 0day to get vendors to play nice and fix their shit? *sigh*— Graham Sutherland (@gsuberland) October 11, 2013
"I have discovered a vulnerability within the Steam client application that allows for arbitrary memory copies to be initiated within the Steam process. These issues can be triggered at multiple crash sites, and range in severity from unexploitable crash (denial of service) to full compromise of the process.
Valve has been contacted for comment.
Other researchers writing on Reddit said they had had success reporting flaws to security(AT)steampowered.com.
Technical details of the vulnerability were available on Sutherland's blog.
The disclosure came almost exactly a year after a series of vulnerabilities were reported in the Steam platform that included overflows, the ability to write arbitrary text to file and direct victims to external payloads.
And in August this year, Steam users were found to be targeted by the Ramnit trojan that stole login credentials from victims.