
Die In 'TF2,' Get Hacked IRL? Valve Patches Source SDK Vulnerability

Aside from a broken controller, dying in a video game doesn't usually have any real-world ramifications. A vulnerability in Valve's Source SDK, however, could have allowed someone to compromise your system by killing you in a game like Team Fortress 2 or Counter-Strike: Global Offensive. But don't worry--the company that discovered the vulnerability, One Up Security, said Valve has already released a patch.

One Up Security said that the Source SDK contained "a buffer overflow vulnerability which allowed remote code execution on clients and servers." The vulnerability was exploited by loading a specially crafted ragdoll--the models you see when your character dies in a game--when you were killed. In the company's example, dying in Team Fortress 2 resulted in a dummy remote access Trojan being installed on your system.

Anyone who plays video games knows how often virtual characters die, which means they know how worrisome it would be to have someone compromise their device by killing them. The Source SDK's popularity doesn't help--Valve uses Source in the Half-Life, Left 4 Dead, and Portal series as well as the games mentioned above. Other developers use the SDK to make add-ons, some of which are complete games in their own right.

This vulnerability shows how video games could be used against their players. One Up Security explained in a blog post:

Video games are interesting targets for exploitation, not only technically but also logistically. As video games are common inside employee break rooms and homes of employees, exploitation of a vulnerability could be used in a targeted attack to jump the air gap to a private network. Additionally, discovering a remote code execution vulnerability in a popular video game can be used to quickly create a bot net or spread ransomware.

The good news is that Valve took care of the problem in June, when it was first discovered. One Up Security said that Valve actually released fixes for "their more popular titles" a day after the vulnerability was disclosed. If you're still worried about problems in Source games, though, One Up Security said you should use the "cl_allowdownload 0" and "cl_downloadfilter all" commands to disable downloads of third-party content.

The company also recommended not allowing games to be installed on work machines. Many businesses probably have that policy anyway, but knowing that games pose a security risk as well as a threat to employee productivity could convince more businesses to forbid game downloads. (Just don't tell our bosses.)