Home / Channel / General Tech / Steam bug that allowed attackers to control your PC was left unaddressed for ten years

Steam bug that allowed attackers to control your PC was left unaddressed for ten years

For the past 10 years, Valve’s Steam client has been vulnerable from a bug that could have resulted in remote code execution (RCE) in all 15 million clients on the platform. Luckily, security researcher Tom Court revealed the bug before any damage could be done, resulting in Valve finally patching it out on March 22nd.

“At its core, the vulnerability was a heap corruption within the Steam client library that could be remotely triggered, in an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets,” explains Court in his blog.

The RCE vulnerability, that essentially allowed attackers to hijack a computer and remotely run software as they choose, was eventually patched out in July 2017, “when Valve (finally) compiled their code with modern exploit protections enabled.” This meant that for the final year until the stable patch was released, any attack would have “simply caused a client crash” instead.

Court and his cohorts made Valve aware of the vulnerability on 20th February, 2018, in which the company responded just 8 hours later with a fix applied to the beta version of the client. One month later, the stable patch was finally released for the live client.

“This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections. The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts,” explains Court.

“The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged.”

KitGuru Says: As a general user, it’s easy to point the finger and ask how something like this could be missed for so long, but remember that identifying and fixing a lot of bugs is the digital equivalent of a needle in a haystack. Still, as Court says, ageing code should really be checked more often.

Become a Patron!

Check Also

Leo Says 77 – Intel ‘fesses up about Arrow Lake Core Ultra 200S

The launch of the new Intel Core Ultra 200S family of CPUs along with Z890 motherboards was a thorny process. KitGuru suffered along with pretty much every other review site on the planet and you may have noticed we held off from reviewing of the Core Ultra 9 285K, Core Ultra 7 265K and Core Ultra 5 245K as it is clear to us that Intel has some work to do before this platform is ready for action.