+- Red Security (https://redsecurity.info/cc)
+-- Forum: General (https://redsecurity.info/cc/forumdisplay.php?fid=1)
+--- Forum: News (https://redsecurity.info/cc/forumdisplay.php?fid=4)
+--- Thread: News Steam Windows Client Facing Zero Day: Valve Appearing Complacent (/showthread.php?tid=1212)
Steam Windows Client Facing Zero Day: Valve Appearing Complacent - Mad-Architect - 08-09-2019
![[Image: dims?quality=85&image_uri=https%3A%2F%2F...c64009523f]](https://o.aolcdn.com/images/dims?quality=85&image_uri=https%3A%2F%2Fo.aolcdn.com%2Fimages%2Fdims%3Fcrop%3D5674%252C3805%252C0%252C0%26quality%3D85%26format%3Djpg%26resize%3D1600%252C1073%26image_uri%3Dhttp%253A%252F%252Fo.aolcdn.com%252Fhss%252Fstorage%252Fmidas%252F7933faf36b0a57fbf11f83e05d8a6960%252F205264755%252FRTX35ORW.jpeg%26client%3Da1acac3e1b3290917d92%26signature%3D13523566c1aff4fb8c6cd9baaddac6c241fd17c6&client=amp-blogside-v2&signature=8c898836f06b308ceda5dc1c3a18e0c64009523f)
Steam is facing some scrutiny after a Zero Day that has affected some 125 million users, is seemingly ignored by Valve, and was even labeled as N/A. Afterwards the threat was closed. This drew criticism from the security as well as the their own community. Miainly, the Zero-Day was ignored. that because the Zero-Day didn't fit into the scope of their bounty program.
The Zero-Day itself, is as follows, the vulnerability resides in the Steam Client Service. When the SDDL was reviewed, it was discovered that any user in the "Users" group can start and stop any program. Apparently, Users have permissions for all keys and subkeys.
While the report was filed, it doesn't seem like Valve will be addressing the Zero-Day, if it has been addressed, they have not given an official report.
Original article can be found here
That was the news folks, have a good day, and stay safe out there.
--Mad-Architect