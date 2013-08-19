Valve has pushed out a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability, but researchers say there are still other LPE vulnerabilities that are being ignored.

Security researchers Matt Nelson and Vasily Kravets both recently discovered the same vulnerability in the widely used Steam Client software and were told that Valve would not be fixing it because it was "out of scope" of their vulnerability reporting program. After the massive outcry generated by this decision, Valve has changed its mind and released a fix. Unfortunately, though, another similarly reported vulnerability still exists.

The recently reported zero-day vulnerability was caused by the "Steam Client Service" Windows service, which runs with elevated privileges, granting the built-in "Users" group Full Control on every subkey under the HKLM\Software\Wow6432Node\Valve\Steam\Apps Registry key each time the service was restarted. Any low-privileged user on the machine can trigger such a restart, so the permissive ACL could be re-applied on demand.

With this knowledge in hand, the researchers figured out that they could create a Registry symbolic link under this key pointing to another key that they did not have permission to modify. When they restarted the Steam Client Service, the service followed the link and gave the link's target the same Full Control rights for the Users group, which in turn gave the researchers write access to any other key in the Registry. From there they could elevate the privileges of any program they wished on the computer, including malware.
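As an added example, not code from the article or from Valve, the following PowerShell script checks a Windows host for the two conditions described above: it lists subkeys under HKLM\SOFTWARE\Wow6432Node\Valve\Steam\Apps whose ACL grants the built-in Users group Full Control, and it flags any subkey that is a Registry symbolic link by opening it with REG_OPTION_OPEN_LINK and reading its SymbolicLinkValue (the ordinary Registry APIs and the PowerShell provider follow links silently, so a link is invisible to a plain Get-ChildItem). The key path is the one named in the article; the P/Invoke wrapper, the function names and the choice to pass HKEY_LOCAL_MACHINE as the sign-extended 0x80000002 handle are my own assumptions.

```powershell
# Added example (not from the article or from Valve). Audits the Steam "Apps"
# Registry key for (1) subkeys that give BUILTIN\Users Full Control and
# (2) subkeys that are registry symbolic links, the two ingredients of the
# link-then-restart abuse described in the text. Read access is sufficient.

$basePath = 'HKLM:\SOFTWARE\Wow6432Node\Valve\Steam\Apps'   # key named in the article
$usersSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')  # BUILTIN\Users
$FullControl = [System.Security.AccessControl.RegistryRights]::FullControl

# Minimal advapi32 wrapper (assumption: these three calls are all we need).
Add-Type -Namespace Win32 -Name RegLink -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, int samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved, out uint lpType, byte[] lpData, ref uint lpcbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

$HKLM                 = [IntPtr]::new([int]-2147483646)  # HKEY_LOCAL_MACHINE, 0x80000002 sign-extended
$KEY_READ             = 0x20019
$REG_OPTION_OPEN_LINK = [uint32]8   # open the link itself instead of following it
$REG_LINK             = [uint32]6   # value type of SymbolicLinkValue

function Test-UsersFullControl {
    # $true when an Allow ACE on the key grants BUILTIN\Users every bit of FullControl.
    # Note: Get-Acl follows a symbolic link, so on a link this reports the target's ACL,
    # which is exactly what the service would have rewritten.
    param([string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable identity, skip
        if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $FullControl) -eq $FullControl)) {
            return $true
        }
    }
    return $false
}

function Get-RegistryLinkTarget {
    # Returns the link target (e.g. \REGISTRY\MACHINE\...) if $SubKey, relative to HKLM,
    # is a registry symbolic link; $null otherwise. REG_OPTION_OPEN_LINK opens the link
    # object itself, whose REG_LINK value "SymbolicLinkValue" holds the target path.
    param([string]$SubKey)
    $h = [IntPtr]::Zero
    $rc = [Win32.RegLink]::RegOpenKeyExW($HKLM, $SubKey, $REG_OPTION_OPEN_LINK, $KEY_READ, [ref]$h)
    if ($rc -ne 0) { return $null }
    try {
        $type = [uint32]0; $size = [uint32]0
        # First call only sizes the buffer; error 2 (not found) means this is not a link
        $rc = [Win32.RegLink]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $null, [ref]$size)
        if ($rc -ne 0 -or $type -ne $REG_LINK -or $size -eq 0) { return $null }
        $buf = New-Object byte[] $size
        $rc = [Win32.RegLink]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size)
        if ($rc -ne 0) { return $null }
        # The value is UTF-16 without a terminating null
        return [System.Text.Encoding]::Unicode.GetString($buf, 0, $size)
    } finally {
        [void][Win32.RegLink]::RegCloseKey($h)
    }
}

$findings = foreach ($key in Get-ChildItem -Path $basePath -ErrorAction SilentlyContinue) {
    $rel = $key.Name -replace '^HKEY_LOCAL_MACHINE\\', ''   # subkey path relative to HKLM
    [pscustomobject]@{
        Key              = $key.Name
        UsersFullControl = Test-UsersFullControl -KeyPath $key.PSPath
        LinkTarget       = Get-RegistryLinkTarget -SubKey $rel
    }
}

# Anything with a link target, or with Users Full Control, deserves a look;
# on a client with the fix applied the filtered list should be empty.
$findings | Where-Object { $_.UsersFullControl -or $_.LinkTarget } | Format-Table -AutoSize
```

Run it before and after restarting the Steam Client Service on an unpatched client and the Users Full Control column flips for every subkey, including a planted link, whose target is then exposed in the LinkTarget column. The same two functions work against any other service that rewrites ACLs under a user-writable key; only `$basePath` is specific to Steam.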