Report: Steam Had A Bug For 10 Years That Could Allow Hackers To Take Over Your PC

A researcher at security firm Context has published the details of an exploit they found in PC gaming giant Steam's desktop client. The nasty bug has reportedly been around for the last 10 years and left millions of users' PCs open to being remotely commandeered by hackers.

Image: Steam/Gizmodo

Context's Tom Court published his findings on yesterday and outlined the technical details of what he called "a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections".

According to Court, the really bad version of this vulnerability was patched by Steam's makers, Valve, last July. We have no indication that an attacker took advantage of the security hole, but if they had, he says, they could have employed remote code execution "in all 15 million active clients" - taking over complete control of the victim's system.

Valve issued a partial fix for the bug after compiling its ancient but still functional code with modern exploit protections enabled, according to Court.

A version of the bug was still present after the July fix, but even in a worst-case scenario, it could only cause a client crash, Court wrote. Unfortunately, when combined with a separate info-leak vulnerability, it could still be used by an attacker to deploy malicious code remotely on a victim's machine.

You can read all the details of how it worked here, and Court uploaded a video of himself remotely launching the calculator app on a separate machine through the Steam client's flaw.

We've reached out to Valve for comment on the report but didn't recieve an immediate reply. Court says he reported the issue to Valve on February 20 and a fix was uploaded to the beta branch within 12 hours. It became part of the stable update on March 22, and Court was thanked by name in the release notes.

Thanks to reverse engineering, Valve's protocol has been publicly documented over the years, and Court writes that it hasn't changed "significantly" since it was first documented in 2008.

Court writes that the moral of the story is even old code that works great still needs to be reviewed by developers constantly to ensure it meets current security standards.

"The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them," he wrote. He also gave Valve high marks for its quick response and execution in the responsible disclosure process.

[Context via Motherboard]


Comments

    Court says he reported the issue to Valve on February 20 and a fix was uploaded to the beta branch within 12 hours. It became part of the stable update on March 22, and Court was thanked by name in the release notes.

    I think this is the most important part of the article. A fix in testing within 12 hours is outstanding. And for a product like steam rolling that fix into production in a month is similarly great.

    I'm not a fan of Steam (it has it's issues) but this is a great example of Valve acting responsibly and should serve as the template for other tech companies when security issues are pointed out to them.

    Oh, and I like the fact that Court sat on the findings until well after the bug was fixed before releasing information about it. That's a responsible security researcher. Unlike some of the ones we've seen lately who make bugs public without giving the companies a chance to fix them.

      Lot better than the behaviour around the Tegra exploits we've seen recently.

        I'd missed those, they look nasty but at least seem to be limited to physical access.

        I was actually thinking more about the mob who reported some AMD cpu vulnerabilities and immediately released info. The one that looked like it might actually have been an attempt at stock price manipulation so they could make a big profit.

    This would explain those moments when I played like a brain dead zombie. Hackers had taken over.

    Hmmm... Yes... I've been hacked... a lot... a whole lot.

Join the discussion!

Trending Stories Right Now