Jump to content

Steam had a decade-old security flaw that could allow someone to take over your PC


Recommended Posts

Posted

Sometimes, vulnerabilities can hang around for years and years without being discovered, and a remote code execution flaw found in Steam has reportedly been a gaping hole in the side of Valve’s gaming service for no less than a decade – although it has now been patched.

As Motherboard reports, Tom Court, a security expert at Context, believes that the exploit had been present in Steam for at least 10 years, and every user of the service could potentially have had this leveraged against them during that period.

However, as we mentioned, the good news is that the exploit has already been patched by Valve, and in fact this particular vulnerability was fixed back in March.

How serious was the problem? Court describes the bug as ‘simple’ and ‘straightforward to exploit’, worryingly, and the vulnerability could potentially have allowed a malicious party to execute code on the target PC running Steam, subsequently letting them take control of the machine.

So, yeah. It was pretty serious, then.

Speedy response

On the positive side for Valve, this vulnerability was made harder to exploit last July when the firm implemented a new security measure: ASLR (address space layout randomization).

But it was still a potential hole until Court reported the problem to Valve, with the company also being quick to respond – he praised the firm for the fact that within eight hours of receiving his email, it had applied a fixed to the beta version of the Steam client.

Court concludes that the code in which the vulnerability resided was likely very old, and the developers probably hadn’t been anywhere near it in a long time as a result.

The lesson? Software developers should take the time to review old chunks of code in the light of contemporary security standards, probing for issues such as this which may have been hanging around for ages.

Generally speaking, there are probably a host of these sort of flaws scattered about the world of PC software, when you consider the sheer amount of apps and services out there. The worry is that if developers or a friendly white hat security researcher don’t find them first, they could be actively exploited against an entire user base.

0zXt3Of-Kzw

View the full article

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.