Valve Fixes Zero-Day Steam Flaw Allowing Privilege Escalation Attacks

Valve has fixed a zero-day Steam privilege escalation flaw that it had first deemed "not applicable" and "out of scope." The researcher who reported the bug believes the patch is incomplete and can be bypassed. Gamers are encouraged to think about the launchers they use and to run games as unprivileged users.

On June 15, security researcher Vasily Kravets sent Valve an urgent notice describing a zero-day vulnerability in the Steam Client Service. The flaw allows an intruder to run a program with the highest possible admin rights on any Windows 10 computer that has the Steam client installed. Steam has about a billion accounts, and its daily active user count is just short of a hundred million people, so this is a serious danger with a large attack surface.

Despite that, Valve completely disregarded the researcher's report, classifying the bug as "not applicable" and refusing to pay Kravets any bounty for his discovery. Valve initially refused to fix the zero-day because it believed the intruder would need physical access to the target computer. Kravets objected to this and asked another HackerOne member to look at the proof of concept and report it to Valve again. This second attempt was also rejected, so it looked as though Valve had no plans to address a severe privilege escalation vulnerability that put so many people at risk.

"It sounds like we were heard. Thanks to everyone who helped share the report. Nice to see Valve move right." — Felix aka [ xi-tauw ] (@PsiDragon), August 10, 2019

With the situation still developing, further fixes to the Steam Client Service are bound to follow soon, and malicious actors will surely try to use the published proof of concept to launch successful attacks.
What gamers can do to stay safe is to avoid granting game executables admin rights, to keep Windows "User Account Control" (UAC) enabled rather than letting it be disabled, and to avoid installing games from small, new or unknown developers. As the researcher points out, Steam is in effect a security risk to your machine, because it allows thousands of third-party applications to run with high privileges on your device.
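The advice above boils down to a few settings a player can check on their own machine. The following PowerShell audit script is an added example written for this article; it is not Valve's code or the researcher's proof of concept. It reports whether UAC is enabled, whether admin prompts have been suppressed, whether the current shell is elevated (so that any launcher started from it inherits admin rights), the state of the privileged Steam service, and which Steam-related processes are running and under which account. The service name 'Steam Client Service' and the 'steam%' process-name pattern are assumptions; adjust them for your installation.

```powershell
# Added example (not from the article, Valve or the researcher): audit the UAC
# settings the article tells gamers to keep enabled, and check whether Steam is
# being run with more privilege than it needs.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0 means admins are
# never prompted, so anything an admin user starts silently gets full rights.
$findings = @()
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA != 1): every process an admin user starts runs with full rights.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'UAC prompts are suppressed for administrators (ConsentPromptBehaviorAdmin = 0).'
}

# Is this shell elevated? Launchers started from an elevated shell inherit its token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += 'This PowerShell session is elevated; start Steam and games from a non-elevated session instead.'
}

# The privileged service the article names (service name is an assumption).
$svc = Get-Service -Name 'Steam Client Service' -ErrorAction SilentlyContinue
if ($svc) {
    "Steam Client Service state: $($svc.Status), start type: $($svc.StartType)"
} else {
    'Steam Client Service not found (name assumed; check Get-Service output).'
}

# List Steam-related processes with their owning account. The owner shows whether
# a process runs as the interactive user or as SYSTEM.
Get-CimInstance Win32_Process -Filter "Name LIKE 'steam%'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        Name  = $_.Name
        PID   = $_.ProcessId
        Owner = "$($owner.Domain)\$($owner.User)"
        Path  = $_.ExecutablePath
    }
} | Format-Table -AutoSize

if ($findings.Count -eq 0) { 'No UAC-related findings.' } else { $findings }
```

Run it from a normal (non-elevated) PowerShell window; the registry values are readable without admin rights. A game or launcher that appears in the process list owned by the interactive user is the expected outcome; the two findings to act on are a disabled UAC and a suppressed admin prompt, since both remove the consent step that stands between a game process and full control of the machine.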