The exploit is particularly nasty, but there is an easy way to fix it.
Unfortunately, when Microsoft tried to bring more value to its Windows 10 games store, the company overlooked a critical flaw. A bug allowed hackers to use a game downloaded from the Windows Store to gain elevated permissions on someone else's PC. However, a fix is already available.
What was the bug in Microsoft Store games?
The exploit was found by IOActive Labs, which discovered the bug back in June. Microsoft has since released a patch that fixes this bug. This meant IOActive could publicly disclose the bug without hackers using the information for themselves.
IOActive Labs discovered the bug when Microsoft released a new update for its Windows 10 game store. This update allowed users to download and install mods that customized how the game ran and looked.
A researcher at IOActive Labs was interested in how Microsoft allowed mod installations. In the past, games downloaded from the Microsoft Store have typically run in a sandbox environment, so users had to jump through additional hoops to run their mods from within the game. How did Microsoft make the process so easy?
As it turns out, a modifiable game requests elevated privileges from the operating system. As such, the researcher began experimenting with how the game was installed to see if they could take advantage of this increased permission.
Sure enough, after some tweaking, the researcher used a game installation to create a shell that would run at a special system level, even if the victim's user rights normally wouldn't allow it. In this way, the attacker can delete or overwrite files that he would otherwise not be able to touch.
Are Microsoft Store games unsafe to download?
Fortunately, this exploit was found by a researcher instead of a hacker. When a researcher gets there first, they tend to figure out how the exploit works and then privately inform the developer.
Hackers, by contrast, will actively exploit a bug until it is patched and keep the method secret from the developer. This is especially dangerous because the hackers can abuse the exploit unchecked until the developer finds out and takes action.
Because the exploit was kept under wraps from the time it was discovered, it is highly unlikely that a hacker could have used this bug themselves. In the MSRC portal, Microsoft lists the exploit as a proof-of-concept attack without any evidence that the exploit has become publicly known.
If you're still a little worried about this exploit, run Windows Update for the latest security fixes. Microsoft has already fixed this exploit. So, by keeping your PC up to date, you are protecting your PC too.
You can still manage Windows Update so that it behaves the way you want. If you've turned Windows Update off because it annoys you when you're busy, learn how to customize it to suit your needs instead of delaying important security patches.
Protection against malicious Windows 10 exploits
While the Windows Store exploit sounds pretty scary, you already have everything you need to protect yourself from the threat. Always keep your PC up to date so you can get the latest security patches from Microsoft, even from threats no one else knows about!
If you need more evidence that keeping your PC up to date is a good idea, just look back at Microsoft's August 2020 update. The update fixed over 120 exploits, 17 of which were rated "critical".
About the author
Simon Batt: A BSc graduate in Computer Science with a deep passion for everything related to safety. After working for an indie game studio, he found his passion for writing and decided to use his skills to write about all things technical.