Employees of American companies fixed the bug six months later.
A vulnerability discovered in the Valve Source SDK library allows an attacker to execute arbitrary code on the computer of a user playing Valve releases and to install various malware (ransomware, banking Trojans, cryptocurrency miners, etc.).
The problem arose because of the openness of the tools that Valve provides to users. Many games on the Source engine use the Source SDK library, which allows third-party companies and independent developers to load various third-party textures, effects, and death animations into games.
As noted by Justin Taft (Robert Taft), the researcher from One Up Security who drew attention to the problem, there can be several attack scenarios. One of them is as follows: an attacker creates a malicious ragdoll model (a character's death animation) and embeds an exploit in the file. When a user connects to a third-party server controlled by the hacker, the malicious resources are downloaded to the user's computer, and the malicious code is executed when the user's character dies in the game.
Specialists at One Up Security informed Valve about the vulnerability, and Valve has fixed the problem in a number of games, including Counter-Strike: Global Offensive, Team Fortress 2, Left 4 Dead 2, Portal 2 and Half-Life 2: Deathmatch.
Source SDK is a set of utilities for creating mods for the Source engine, available to players for free via Steam.
Steam is a digital distribution service for computer games and programs, owned by Valve. Steam handles activation, downloading via the Internet, automatic updates and news for games from Valve and from third parties under agreement with Valve.
© 2017, paradox. All rights reserved.