If you thought it was only Windows 10 that was having a tough time, think again. Microsoft recently confirmed new wormable vulnerabilities across every major version of Windows and now there’s a new problem for millions of Windows 7, Windows 8.1 and Windows 10 users.
Picked up by the always excellent BleepingComputer, a new Steam Windows client zero-day privilege escalation vulnerability has been published by Russian researcher Vasily Kravets just weeks after he discovered a similar earlier hack. And it affects every single version of Windows running the Steam client.
“[W]ith Steam having over 100 million registered users and 96.28% of them are running Windows according to the Steam Hardware & Software Survey: July 2019, the systems of roughly 96 million of them are currently affected,” explains BleepingComputer. And Windows 10 accounts for over 71% of them.
The vulnerability allows attackers to elevate their permissions on a target computer using a technique known as BaitAndSwitch through the Steam client.
“Achieving maximum privileges can lead to much more disastrous consequences,” explains Kravets. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data – is just a small portion of what could be done.” He also illustrates this in a pair of videos.
For its part, Valve has acknowledged the problem and also apologised to Kravets, whom it had banned from the company’s HackerOne bug bounty program after his first hack (Kravets released this new one in protest). As for a fix, Valve said it has put some fixes into its beta channel, but the vast majority of users are outside it and are still waiting for a full fix.
While a lot can be laid at Microsoft’s door for its recent mistakes and subtle deceptions, this one is on Valve. That said, the result is the same: once again, millions of Windows users have seen their systems compromised and they won’t care whose fault it is.