A vulnerability in Valve’s Source Engine allowed hackers to take control of gamers’ PCs. According to OneUpSecurity, hackers targeted games such as CS:GO, Left 4 Dead 2, and Team Fortress 2 as vessels to inject malicious code. The culprits used custom assets in user-created maps to carry the malware. In fact, tests triggered the code by killing the player’s character. That’s just plain mean.
What a Way to Die
OneUpSecurity’s Justin Taff reported on the exploit last week. The researchers made Valve aware of the issue prior to publication, though. Taff revealed that the “Source SDK contained a buffer overflow vulnerability which allowed remote code execution on clients and servers”. Taff tested the vulnerability by creating a custom ragdoll model: triggering the ragdoll animation by killing a character would execute the malicious code. Double-owned.
Problem Solved
Thankfully, Taff reports that Valve “swiftly” patched the Source vulnerability. He adds, though, that exploiting games to spread malicious code is an increasing danger. Of course, the perceived lack of risk means many don’t consider games to be a potential medium for viruses. Taff warns gamers to not install games on work devices and restrict gaming machines to untrusted networks. Air-gaps between public and private networks are also potentially exploitable, he says.
