A researcher at security firm Context has published the details of an exploit they found in PC gaming giant Steam’s desktop client. The nasty bug has reportedly been around for the last 10 years and left millions of users’ PCs open to being remotely commandeered by hackers.
Context’s Tom Court published his findings on Wednesday and outlined the technical details of what he called “a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections.”
According to Court, the really bad version of this vulnerability was patched by Steam’s makers, Valve, last July. We have no indication that an attacker took advantage of the security hole, but if they had, he says, they could have employed remote code execution “in all 15 million active clients”—taking over complete control of the victim’s system. Valve issued a partial fix for the bug after compiling its ancient but still functional code with modern exploit protections enabled, according to Court.
A version of the bug was still present after the July fix, but even in a worst-case scenario, it could only cause a client crash, Court wrote. Unfortunately, when combined with a separate info-leak vulnerability, it could still be used by an attacker to deploy malicious code remotely on a victim’s machine. You can read all the details of how it worked here, and Court uploaded a video of himself remotely launching the calculator app on a separate machine through the Steam client’s flaw.
We’ve reached out to Valve for comment on the report but didn’t recieve an immediate reply. Court says he reported the issue to Valve on February 20 and a fix was uploaded to the beta branch within 12 hours. It became part of the stable update on March 22, and Court was thanked by name in the release notes.
Thanks to reverse engineering, Valve’s protocol has been publicly documented over the years, and Court writes that it hasn’t changed “significantly” since it was first documented in 2008.
Court writes that the moral of the story is even old code that works great still needs to be reviewed by developers constantly to ensure it meets current security standards. “The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them,” he wrote. He also gave Valve high marks for its quick response and execution in the responsible disclosure process.