An exploit in the Counter-Strike: Global Offensive Source (SDK) engine was removed in a June update, according a report from software security company One Up Security yesterday.
The vulnerability allowed users in CS:GO community browser and third-party servers to hack into another player’s computer merely through killing them on a custom map.
When a player was killed, the server would process the user’s player model into a modified ragdoll state different from the normal animation, effectively loading a Remote Access Trojan (RAT) onto the victim’s computer. An RAT is a type of malware that can override administrative control over a user’s PC.
Apparently multiple third-party modifications are also at risk, according to Justin Taft of One Up Security. Taft suggested that an Address Space Layout Randomization (ASLR) mitigation bypass, which prevents computer memory corruption, could possibly prevent affected vulnerabilities in the Source engine from further harming your computer.
Valve added a bullet point to their June 16 update regarding the exploit, noting that they fixed a “potential exploit in the CS:GO engine.” The developer’s subtle memo on the situation didn’t gain much attention until it was reported by One Up Security.
To ensure your computer is safe from the updated vulnerability in the future, it’s best to disable third-party downloads. This can be achieved by typing the following commands into the developer console: “cl_allowdownload 0” and “cl_downloadfilter all.” These commands tell your game client to not allow downloads, while also filtering all server downloads during gameplay.
The aforementioned inputs also apply to other games that run on the Source engine, such as Team Fortress 2, Half Life, Portal 2, and Left 4 Dead 2.
Thank goodness Valve was made aware of this problem for the sake of third-party server denizens.