Valve waited 15 months to patch high-severity flaw. A hacker pounced
news.movim.eu / ArsTechnica · Thursday, 9 February, 2023 - 23:07
Researchers have unearthed four game modes that could successfully exploit a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available.
The vulnerability, tracked as CVE-2021-38003, resided in the open source JavaScript engine from Google known as V8, which is incorporated into Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn’t update its software to use the patched V8 engine until last month, after researchers privately alerted the company that the critical vulnerability was being targeted.
Unclear intentions
A hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three additional game modes that very likely also exploited the vulnerability. Besides patching the vulnerability last month, Valve also removed all four modes.