Valve Only Just Got Around to Fixing a 10-Year-Old Steam Vulnerability


According to Tom Court, a security researcher at Contextis, a serious vulnerability has been present and exploitable in Steam for at least 10 years.

Court said the bug left all 125 million Steam users vulnerable until Valve patched it this March.

"This bug could have been used as the basis for a highly reliable exploit," Court wrote. "This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections."

By exploiting the bug, hackers could execute code on the victim's machine, as a proof-of-concept video makes clear.

In July 2017, Valve added ASLR protection to the Steam desktop client, which made this flaw somewhat more difficult to take advantage of. Court reported the bug to Valve on Feb. 20 of this year; it was resolved in the beta branch within 12 hours, then pushed to the stable branch, where it was rolled out as a patch in March.

The company publicly thanked Court in the release notes of a Steam client update from Apr. 4, 2018.

"The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them!" Court wrote.

According to Valve, there is no sign that malicious hackers exploited the vulnerability, but you should ensure your Steam client is fully updated anyway. It's just good practice.

"The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged," said Court.

For more technical details, check out Court's blog post, titled "Frag Grenade! A Remote Code Execution Vulnerability in the Steam Client."
