Steam News – Steam Remote Code Exploit Left Every Steam User Vulnerable for Over a Decade
Can I Run It?
Have your say
Most Demanding Score?
Tom Court, a security researcher at Contextis, has published details of a Remote Code Execution (RCE) flaw in the Steam client that has left every Steam user in the past 13 years vulnerable to a potential exploit.
The good news is that Court notified Valve of the vulnerability on February 20th, 2018, and Valve pushed a fix to its beta branch within just eight hours. A month later, on March 22nd, a fix was issued for the stable branch. As far as fixes go, “Valve now hold the top spot in the (imaginary) Context fastest-to-fix leaderboard”, wrote Court.
As for the problem itself, this nasty little bug was likely caused by a “simple oversight,” and would have theoretically been very easy to exploit. In a nutshell, this vulnerability was a heap corruption within the Steam client library that could be remotely triggered. Ordinarily, heap corruptions would be difficult to take advantage of, but custom memory allocator Steam uses is far more predictable, opening the door to a “highly reliable exploit.” Luckily, it appears the right people discovered it before it could become a major issue.
“This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections,” explains Court. “The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts.”
Court reckons that each and every Steam user could’ve been caught out by this RCE bug, allowing would-be hackers to take total control of a system. It’s kind of amazing this flaw has been hanging around for a decade, but it sounds a if Valve wasn’t going back and checking its old code to ensure it was up to modern security standards.
Here’s a look at the exploit in action, demonstrating how an attacker could remotely launch the Windows calculator app on another system running Windows 10.