Published: 07/08/2019 Updated: 28/08/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 6.6 | Impact Score: 5.9 | Exploitability Score: 0.7
Vector (CVSS v2): AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wow6432Node\Valve\Steam has explicit "Full control" for the Users group, which allows local users to gain NT AUTHORITY\SYSTEM access.

Affected Products

Vendor | Product | Versions
Valvesoftware | Steam Client | 2019-08-07

Recent Articles

IT threat evolution Q3 2019. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Boris Larin, Oleg Kupreev, Evgeny Lopatin • 29 Nov 2019

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network:
In Q3 2019, we discovered an extremely unpleasant incident with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper’s task was to activate paid subscriptions, although it ...

Second Steam Zero-Day Impacts Over 96 Million Windows Users
BleepingComputer • Sergiu Gatlan • 21 Aug 2019

A second Steam Windows client zero-day privilege escalation vulnerability affecting over 96 million users has been publicly disclosed today by Russian researcher Vasily Kravets.
This happens after Valve disputed the significance of the previous Steam 0day disclosed by Kravets on Twitter and banned him from their HackerOne bug bounty program.
Seeing that this vulnerability impacts only the Steam Windows client, with Steam having over 100 million registered users and 96.28% of th...

Steam Security Saga Continues with Vulnerability Fix Bypass
BleepingComputer • Lawrence Abrams • 16 Aug 2019

A bypass for a recent Steam vulnerability that could allow malware or a local attacker to gain admin privileges has been disclosed on Twitter. This new method allows an attacker to bypass the fix created by Steam and exploit the vulnerability again.
If you have not been following the Steam vulnerability story that has been going on for the past week, here is a little recap.
Last week, security researchers Matt Nelson and Vasily Kravets disclosed a vulnerability in Steam that ...