Quote:A second Steam Windows client zero-day privilege escalation vulnerability affecting over 96 million users has been publicly disclosed today by Russian researcher Vasily Kravets.
 
This happens after Valve disputed the significance of the previous Steam 0day disclosed by Kravets on Twitter and banned him out of their HackerOne bug bounty program.
 
Seeing that this vulnerability impacts only the Steam Windows client, with Steam having over 100 million registered users and 96.28% of them are running Windows according to the Steam Hardware & Software Survey: July 2019, the systems of roughly 96 millions of them are currently affected. 
 
The privilege escalation (also known as an elevation of privilege or local privilege escalation) security flaw disclosed today by Kravets can allow attackers with limited rights to use a technique known as BaitAndSwitch to run executables using the Steam Client Service's  NT AUTHORITY\SYSTEM elevated permissions.
 
This would allow potential attackers to launch a three-stage attack, getting remote code execution privileges by exploiting a vulnerability in a Steam game, a Windows app, or the OS itself, subsequently elevating privileges on the compromised device and running a malicious payload using SYSTEM permissions.
 
As Kravets detailed in his write-up, "achieving maximum privileges can lead to much more disastrous consequences. For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data — is just a small portion of what could be done."

Quote:Almost 48 hours after security researcher Vasily Kravets (PsiDragon) released his proof of concept (PoC) for a second vulnerability in Steam client for Windows leading to privilege escalation, Valve released a beta update that allegedly fixes the bugs.