Valve has released a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability. The vulnerability was caused by the “Steam Client Service”” Windows service giving the “”USERS”” group full permission on any subkey under the HKLMSoftwareWow6432 NodeValveSteamApps Registry key when the service was restarted. This could then allow them to elevate the privileges of any program they wish on the computer
Source: security