Valve Waited 15 Months To Patch High Severity Flaw. A Hacker Pounced.

reader comments

33 with 0 posters participating

Share this story

Researchers have unearthed four game modes that could successfully exploit a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available.

The vulnerability, tracked as CVE-2021-38003, resided in the open source JavaScript engine from Google known as V8, which is incorporated into Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn’t update its software to use the patched V8 engine until last month after researchers privately alerted the company that the critical vulnerability was being targeted.

Unclear intentions

A hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three additional game modes that very likely also exploited the vulnerability. Besides patching the vulnerability last month, Valve also removed all four modes.

Custom modes are extensions or even completely new games that run on top of Dota 2. They allow people with even basic programming experience to implement their ideas for a game and then submit them to Valve. The game maker then puts the submissions through a verification process and, if they’re approved, publishes them.

The first game mode published by Valve appears to be a proof-of-concept project for exploiting the vulnerability. It was titled “test

Read more

Explore the site

More from the blog

Latest News