Update 2 (April 23, 1 a.m. EST): Valve is now also addressing leaks regarding Team Fortress 2, tweeting a series of similar messages: "We continue to investigate, but have found no reason for TF2 players to be wary or avoid the current build. We have found no reason to be wary or avoid the current build."
Update: Valve has reviewed the code in question (derived from CS:GO, but including very old parts of Team Fortress 2) and says it does not consider it dangerous. However, they will "continue to investigate." Here is the full statement Valve sent to PC Gamer:
"We have reviewed the leaked code and believe it is a repost of a limited CS:GO engine code depot that was released to our partners in late 2017 and originally leaked in 2018 We believe it was originally leaked in 2018. From this review, we have found no reason for players to be wary or avoid the current build (as always, it is recommended to play on official servers for maximum security).
"We will continue to investigate the situation and if we find something that proves otherwise, we will inform the press and players. In the meantime, if anyone has more information about the leak, please contact Valve's security page (https://www.valvesoftware.com/en/security))にその情報を報告する最善の方法が記載されています。"
A similar message was shared on the official CS:GO Twitter.
Original story: Team Fortress 2 and Counter-Strike: Global Offensive source code was reportedly leaked to the public today, raising fears that player security could be compromised.
The source of the leak is not known at this time, but according to SteamDB the code is from 2017-18 and was previously released to licensees of the Source engine.
Tyler McVicker of the Valve News Network, who regularly reports on Valve leaks and rumors, claimed in a Twitch stream that it came from a member of the Source engine modding team Lever Softworks. McVicker said he took steps to "contain" the leak after he alerted Valve to it and received no response. The person who leaked the code today, he said, was not the person who originally leaked the code, but a disgruntled former member of Lever who was recently ousted from the group.
"I did not leak this source code, and in fact I never had it," he said. "And my small group of Source Engine developers were discussing the leak and how to contain it and how to keep it from becoming critical mass on this Lever Softworks Discord server."
"Unfortunately, if it did reach critical mass, it would not hurt any particular individual. This is because if the source code is leaked, Valve loses the ability to develop using that source code."
In a subsequent conversation, McVicker said that the leaked content did not originate from his group at all. He said, "It turns out that the person who leaked it to 4chan didn't get the code from anyone associated with me, or from anyone else at all. We have all the records, so we went back and looked and we didn't give this person anything."
Instead, he reiterated his statement that he and several other modders had tried to keep the leak rumors confined to a few "niche" communities in the modding scene. It was a largely successful effort until a confrontation with the current leaker led to today's events.
"I never had access [to the leaked source code], nor did I want to. I didn't want anything to do with it. Because if something this big leaked out, a lot of legitimate developers would be hurt and a lot of communities would be destroyed. And unfortunately, the damage is now done."
One plus side that Mr. McVicker sees is that, because this leak is not actually "new" at all, he hopes the risk to players is nowhere near the worst-case scenario. He said, "This stuff was already leaked two years ago, and anyone who was deep in the community or knew the engine well enough understood that the code was already out there. In other words, a truly professional malicious actor likely already had access to this code."
McVicker did not identify the original "source engine development community" leaker he referred to, nor the leaker today. However, his story is corroborated by Jaycie Erysdren, another Valve enthusiast.
While the source of the leak is still unclear, the more immediate issue is the report of a remote code execution bug found in the source code, as noted in this TF2 subreddit thread. If such a vulnerability exists, unscrupulous programmers could use it to compromise the security of TF2 and CS:GO players. Remote code execution, as the name implies, is the ability to remotely execute code or commands on another person's PC.
This report was of such concern that Team Fortress and CS:GO community servers Creators.TF and Red Sun Over Paradise temporarily took their servers offline.
"Allegedly, we have already discovered a remote code execution exploit that can be used to execute malicious code on your clients, and there may be many more of this kind in the future," Red Sun's official Discord notice states. The official Red Sun Discord notice states. We recommend that you do not play the game on our online servers until Valve allows you to do so."
(Note: No new vulnerabilities have been identified at this time; see the update at the beginning of this article for Valve's response, "We have found no reason for players to be wary or avoid the current build.")
This would not be the first time an RCE bug was found in a Source Engine game. In 2017, a "buffer overflow vulnerability" was found, and TF2, CS:GO, Portal 2, and others were targeted by an exploit that could be triggered by simply shooting an enemy. In that case, however, the bug was discovered by a security research firm, which notified Valve, which then fixed the bug and made it public. This leak may reveal a new RCE before Valve fixes it.
McVicker states in the video that he provided Valve's legal team with all the information he had.