"Valve Waited 15 Months to Patch High-Severity Flaw. A Hacker Pounced"

Researchers have discovered four game modes that could exploit a vulnerability in the popular Dota 2 video game. The vulnerability remained unpatched in the game for 15 months after a fix was released. It existed in Google's V8 open-source JavaScript engine, which is included in Dota 2. Although Google addressed the problem in October 2021, Dota 2 developer Valve did not update its software to use the patched V8 engine until last month, despite researchers privately alerting the company that the critical flaw was being exploited. According to researchers at the security firm Avast, a hacker took advantage of the delayed update by publishing a custom game mode last March that exploited the vulnerability, tracked as CVE-2021-38003. In the same month, the hacker released three other game modes that likely exploited the vulnerability. Custom modes are additions or entirely new games that run on top of Dota 2. They allow individuals with even the most basic programming skills to bring their game ideas to life and then submit them to Valve. The game developer verifies the entries and publishes those that are accepted. This article continues to discuss the exploitation of a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available.

Ars Technica reports "Valve Waited 15 Months to Patch High-Severity Flaw. A Hacker Pounced"
