Researchers Find a Security Flaw With Microsoft Store Games

As Microsoft attempts to bring more value to its Windows 10 games store, the company, unfortunately, overlooked a critical bug in the process. A flaw allowed hackers to gain heightened permissions on someone’s PC using a game downloaded from the Windows Store, but a fix is already available.

What Was the Flaw in Microsoft Store Games?

The exploit was found by IOActive Labs, which discovered the flaw back in June. Microsoft has since released a patch that fixes it, which meant that IOActive could publicly reveal the bug without hackers using the information for themselves.

IOActive Labs discovered the flaw when Microsoft pushed a new update to its Windows 10 game store. This update allowed users to download and install mods that customized how the game ran and looked.

A researcher in IOActive Labs was interested in how Microsoft allowed mod installations. In the past, games downloaded from the Microsoft Store tended to be run in a sandbox environment, so users had to go through extra hoops to run their mods within the game. How did Microsoft make the process so easy?

As it turns out, a moddable game asks for elevated permissions from the operating system. As such, the researcher then began fiddling with how the game was installed to see if they could exploit this heightened permission.

Sure enough, after some tweaking, the researcher used a game installation to create a shell that ran at a special System level, even when the victim’s user privileges wouldn’t normally allow it. This then allows the attacker to delete or overwrite files they should otherwise be unable to touch.

Are Microsoft Store Games Unsafe to Download?

Fortunately, this exploit was found by a researcher instead of a hacker. If a researcher gets there first, they tend to work out how the exploit works, then inform the developer in secret.

Hackers, by contrast, will actively exploit the flaw until it’s patched, keeping the method a secret from the developer. This is particularly dangerous, as the hackers can abuse the exploit unchecked until the developer finds out and steps in.

As such, because the exploit was kept in the dark since its discovery, it’s highly unlikely that a hacker has used this flaw themselves. On the MSRC Portal, Microsoft lists the exploit as a proof-of-concept attack, with no proof of the exploit leaking into public knowledge.

If you’re still a little worried about this exploit, go ahead and run Windows Update to get all the latest security fixes. Microsoft has already fixed this exploit, so by keeping your PC updated, you keep your PC safe too.

If you want to, you can further manage Windows Update so that it behaves the way you want. If you’ve turned off Windows Update because it tends to annoy you when you’re busy, it’s worth seeing how you can tailor it to your needs instead of delaying important security patches.

Staying Safe From Malicious Windows 10 Exploits

While the Windows Store exploit sounds pretty scary, you already have everything you need to protect yourself from the threat. Always keep your PC updated so that you get all the latest security patches from Microsoft, even against threats that nobody else knows about yet!

If you need more proof that keeping your PC updated is a good idea, you only need to look back at Microsoft’s August 2020 update. The update squashed over 120 exploits, 17 of which were listed as “critical.”

Editorial credit: ymgerman / Shutterstock.com

Source: makeuseof.com
