Hackers will grab any and every opportunity they can to take control and infect your PC. Running a good security solution, using common sense, and applying software patches as soon as they appear keeps you (mostly) safe.

But One Up Security discovered a new attack vector that's sure to catch many people off guard. It was possible to get your PC infected by dying in several of Valve's multiplayer games. You simply die and a trojan infects your machine.

The vulnerability was traced back to Valve's Source game engine Software Development Kit (SDK). There was a buffer overflow caused by a missing bounds check in the code, which in turn allowed for remote code execution. In this case, the buffer overflow was triggered when a player died and the death ragdoll model was loaded.

As the Source engine allows for custom content, a custom ragdoll model can be packed with extra data and used in-game. When the player dies and this ragdoll becomes active, the attacker's code executes and a trojan infects the PC the game is running on. Amusingly, your machine is essentially being infected by a malicious ragdoll.
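The bug class described above, shown as an added example that is not Valve's code: a loader copies a field from a custom content file into a fixed-size buffer, first without and then with the bounds check. The record layout (one length byte followed by the name bytes) and all function names are hypothetical, and the sample records in `main` are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* fixed-size destination buffer (hypothetical) */

/* Missing bounds check: the length byte comes from the file and is trusted.
   A declared length of 32..255 writes past a 32-byte destination.
   Shown for comparison only; it is never called in this example. */
void read_name_unchecked(const unsigned char *rec, char *out)
{
    size_t n = rec[0];
    memcpy(out, rec + 1, n);
    out[n] = '\0';
}

/* Hardened form: the declared length is checked against the bytes actually
   present in the record and against the destination capacity before copying.
   Returns the name length, or -1 if the record is rejected. */
int read_name_checked(const unsigned char *rec, size_t rec_len,
                      char *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || out_cap == 0 || rec_len < 1)
        return -1;
    size_t n = rec[0];
    if (n > rec_len - 1)      /* record claims more bytes than it holds */
        return -1;
    if (n >= out_cap)         /* no room for the name plus terminating NUL */
        return -1;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    /* Constructed sample records: one well-formed, one oversized. */
    unsigned char good[] = { 4, 'd', 'o', 'l', 'l' };
    unsigned char oversized[1 + 40];
    oversized[0] = 40;
    memset(oversized + 1, 'A', 40);

    printf("good:      %d\n", read_name_checked(good, sizeof good, name, sizeof name));
    printf("oversized: %d\n", read_name_checked(oversized, sizeof oversized, name, sizeof name));
    return 0;
}
```

Rejecting the record outright, rather than truncating it, also gives the loader a single place to log malformed custom content.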

Thankfully Valve patched the vulnerability within a day of being informed by One Up Security researcher Justin Taft. That's good news because it was present in Counter-Strike: Global Offensive, Team Fortress 2, Half-Life Deathmatch: Source, Portal 2, and Left 4 Dead 2, all of which are very popular games.
