Valve waited 15 months to patch high-severity flaw. A hacker pounced
(credit: Valve)
Researchers have unearthed four game modes that could successfully exploit a critical vulnerability that remained unpatched in the popular Dota 2 video game for 15 months after a fix had become available.
The vulnerability, tracked as CVE-2021-38003, resided in the open source JavaScript engine from Google known as V8, which is incorporated into Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn't update its software to use the patched V8 engine until last month after researchers privately alerted the company that the critical vulnerability was being targeted.
Unclear intentionsA hacker took advantage of the delay by publishing a custom game mode last March that exploited the vulnerability, researchers from security firm Avast said. That same month, the same hacker published three additional game modes that very likely also exploited the vulnerability. Besides patching the vulnerability last month, Valve also removed all four modes.