Steam fixes 10-year-old critical remote code execution vulnerability

A vulnerability in the Steam client was an open door to hackers for more than 10 years. The vulnerability was discovered by security researcher Tom Court of Contextis, who warned Steam and the good news is that it was quickly shut down by Steam developers Valve.

According to Court, Steam software allowed malicious hackers to carry remote code execution attacks. In this way, it was possible to control a user’s machine – The vulnerability was highly critical since more than 15 million people are using Steam.

This happened because Steam sent UDP (User Datagram Protocol) packets to communicate with the client. The UDP packet is similar to TCP (Transmission Control Protocol), however, it is faster. To exploit the vulnerability, an attacker only had to send an altered UDP packet.

Steam fixes 10-year-old critical remote code execution vulnerability

According to Valve, there is no indication that malicious hackers took advantage of the vulnerability

“The error was caused by the absence of a simple check to ensure that for the first packet of a fragmented datagram the specific packet size is less than or equal to the total length of the datagram. present for all subsequent packets carrying fragments of the datagram,” noted the researcher in his blog.

After the Steam client encountered this failure, the memory limits of the software were popped up in one of the libraries. In this way, the client became a door open to hackers.

According to Valve, there is no indication that malicious hackers took advantage of the vulnerability. If you have Steam on your machine, ensure that the latest version is installed.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.