The developers at Valve have fixed a bug that had been in the Steam Client for the past 10 years. Tom Court, a security researcher at Context Information Security, discovered the flaw, which would have allowed an attacker to execute malicious code on all of Steam's 15 million gaming clients.
The flaw could be exploited purely through network requests, without prior access to the victim's PC. Court said that an attacker only needed to send some malicious UDP packets over the network, with no need to access the victim's computer, to trigger the bug and run malicious code. The root cause is a buffer overflow in one of Steam's internal libraries, in the code that reassembles fragmented UDP datagrams. The Context researcher said that exploiting this flaw would have been more straightforward prior to July 2017, when Valve added ASLR protection.
After that date an attacker could still have abused the bug, which also exposes a lot of memory as well as the location of the Steam application. The issue is now fixed in the Steam Client. Valve was informed of it earlier this year, and within 12 hours of the report a beta version of the Steam Client was released and the final fix was scheduled.
Tom Court published his report, along with technical details and a proof-of-concept video, two months after the bug was discovered. If you haven't updated your Steam Client lately, update it now.
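The root cause described above, a buffer overflow while assembling fragmented UDP data, is the kind of bug a receiver prevents by checking every fragment against the space left in its buffer. The following is an added example, not Valve's code or Court's proof of concept; the fragment layout, the `reasm_*` names, the size cap and the in-order delivery rule are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DATAGRAM 65536u   /* assumed upper bound on a reassembled datagram */

/* Hypothetical fragment layout for illustration; not Steam's wire format. */
struct frag {
    uint32_t total_len;       /* sender-claimed size of the whole datagram */
    uint32_t offset;          /* position of this payload in the datagram */
    uint32_t len;             /* payload bytes carried by this fragment */
    const uint8_t *data;
};

struct reasm { uint8_t *buf; uint32_t total_len; uint32_t received; };

/* Accept one in-order fragment. Returns 0 if copied, -1 if rejected. */
int reasm_add(struct reasm *r, const struct frag *f)
{
    if (r->buf == NULL) {     /* first fragment sizes the buffer, within a cap */
        if (f->total_len == 0 || f->total_len > MAX_DATAGRAM) return -1;
        if ((r->buf = malloc(f->total_len)) == NULL) return -1;
        r->total_len = f->total_len;
        r->received = 0;
    } else if (f->total_len != r->total_len) {
        return -1;            /* later fragment disagrees about the size */
    }
    if (f->offset != r->received) return -1;   /* no gaps, no overlaps */
    /* Compare against the space left; never compute offset + len, which
       can wrap around in 32 bits and pass a naive check. */
    if (f->len == 0 || f->len > r->total_len - r->received) return -1;
    memcpy(r->buf + f->offset, f->data, f->len);
    r->received += f->len;
    return 0;
}

int reasm_complete(const struct reasm *r)
{
    return r->buf != NULL && r->received == r->total_len;
}

int main(void)
{
    uint8_t payload[32] = {0};                 /* constructed sample data */
    struct reasm r = {0};
    struct frag first = {16, 0, 8, payload}, oversized = {16, 8, 9, payload};
    int a = reasm_add(&r, &first), b = reasm_add(&r, &oversized);
    printf("first=%d oversized=%d\n", a, b);
    free(r.buf);
    return 0;
}
```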