Valve left a security flaw in Dota 2 for 2 years until somebody tried to take advantage of it
In context: Released in 2013, Dota 2 remains one of the most popular multiplayer experiences among MOBA fans. Over the course of 15 months, tens of millions of Dota 2 players may have been vulnerable to remote code execution due to Valve's carelessness.
Valve is infamous for taking its time to make a new Half-Life game (any new game, really) or counting to three. The digital distribution giant, co-founded by Gabe Newell, appears to have been lax about a dangerous security hole that put players of one of its most popular games at risk and sent hackers running wild with malicious experiments.
The free-to-play MOBA game Dota 2 is still hugely popular, even though it was originally released nearly 10 years ago on July 9, 2013. Like many other games, Dota 2 embeds the V8 JavaScript engine built by Google for the Chromium/Chrome project. The basic problem here is that, until recently, Valve was using an outdated version of the V8 engine compiled in December 2018.
The more than four-year-old version is riddled with potentially dangerous security holes. To make matters worse, Dota 2 doesn't run V8 with any sandbox protection. Criminals could exploit this issue to remotely run malicious code targeting Dota players. According to Avast, that is what happened before Valve finally updated the V8 engine.
Avast researchers discovered that an unknown hacker was testing a potential exploit for CVE-2021-38003, an extremely dangerous security flaw in the V8 engine with a severity score of 8.8/10. At first, the hackers ran what appeared to be a benign test by releasing a new custom game mode (a way for players to modify their Dota 2 experience) that embedded exploit code for CVE-2021-38003.
Google patched CVE-2021-38003 in October 2021. Meanwhile, unknown hackers began experimenting in March 2022. Dota 2 developers didn't bother to fix the issue until January 2023, when Avast informed them of its findings. Further analysis revealed that other exploits had been unsuccessful, and the true motivation of the Dota 2 hacker remains unknown.