Steam Users Were Vulnerable To A Serious Exploit For A Decade

Steam has millions of active users. That’s a staggeringly large number of people to be left vulnerable to cyber attacks for a decade.

And yet, that’s exactly what happened. There’s been an exploitable bug – which has since been addressed – in Steam for the past 10 years, and any hacker who took advantage of it would have been able to invade the computer of any Steam user. This bug was first written about by Tom Court, a security researcher at Contextis. According to Court, any hacker with the right technical know-how could have used the bug to execute code on another person’s machine, and then used the intrusion to seize full control of the victim’s computer.

Valve first dealt with the bug in July 2017. The company implemented an address space layout randomization update in the Steam desktop client, making it much more difficult for hackers to exploit the bug. Valve then completely patched away the vulnerability this past April.

Court referred to the bug as “relatively straightforward to exploit,” but added that Valve probably didn’t patch it sooner because the company didn’t think it needed to. “The vulnerable code was probably very old,” Court wrote, “but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts.”

This has already been a difficult couple of weeks for Valve. The company recently revealed that Apple had decided to block Valve’s app from releasing on the iOS App Store.
