Recently, some information came out regarding a major security hole that has been in Steam for almost a decade. This security hole could have allowed people to control someone else’s computer for nefarious purposes.
Tom Court, a security researcher at the IT security consultancy Context Information Security, posted a blog post last Wednesday about a major security hole he helped discover in the Steam client. Up until last July, an attacker could exploit this bug to achieve Remote Code Execution (RCE) in all active Steam clients. From last July onward, when Steam compiled their code with modern exploit protections enabled, the bug would only cause a crash, and RCE could happen at that point only in combination with a separate info-leak vulnerability. The vulnerability was reported to Valve on February 20, and they fixed the bug in the beta branch less than twelve hours later. The security hole was completely fixed in an update to the stable branch on March 22, 2018.
How did this bug work, exactly? Tom Court has a more detailed description in his blog post, but the basics are as follows:
At its core, the vulnerability was a heap corruption within the Steam client library that could be remotely triggered, in an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets.
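To make the bug class concrete, here is an added example of what a bounds-checked fragment reassembler looks like. It is not Steam's code or Tom Court's proof of concept; the fragment header layout, the 65535-byte datagram limit and the sample fragments are all constructed for this example. The checks it applies are the ones whose absence turns a fragment with a bad offset or length into a heap write past the end of the reassembly buffer: the declared total size is validated before allocation, a fragment may not claim more bytes than the packet actually carries, and the range check is written so `offset + len` cannot wrap around.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fragment header and limits are constructed for this example; they are not
 * Steam's wire format. */
#define MAX_DATAGRAM 65535u

typedef struct {
    uint32_t msg_id;    /* which datagram this fragment belongs to */
    uint32_t total_len; /* sender's claimed size of the whole datagram */
    uint32_t offset;    /* where this fragment's bytes go */
    uint32_t len;       /* how many payload bytes this fragment carries */
} frag_hdr_t;

typedef struct {
    uint32_t msg_id;
    uint32_t total_len;
    uint32_t bytes_seen; /* distinct bytes filled so far */
    uint8_t *buf;        /* heap buffer of exactly total_len bytes */
    uint8_t *seen;       /* per-byte coverage so overlaps are not double counted */
} reassembly_t;

int reassembly_init(reassembly_t *r, uint32_t msg_id, uint32_t total_len)
{
    if (total_len == 0 || total_len > MAX_DATAGRAM)
        return -1; /* never allocate from an unchecked peer-supplied size */
    r->buf = calloc(total_len, 1);
    r->seen = calloc(total_len, 1);
    if (!r->buf || !r->seen) { free(r->buf); free(r->seen); return -1; }
    r->msg_id = msg_id;
    r->total_len = total_len;
    r->bytes_seen = 0;
    return 0;
}

void reassembly_free(reassembly_t *r)
{
    free(r->buf);
    free(r->seen);
    r->buf = r->seen = NULL;
}

/* Accept a fragment only if every byte it would write lies inside buf and
 * actually arrived on the wire. Returns 0 on accept, -1 on reject. */
int reassembly_add(reassembly_t *r, const frag_hdr_t *h,
                   const uint8_t *payload, size_t payload_avail)
{
    if (h->msg_id != r->msg_id || h->total_len != r->total_len)
        return -1; /* a later fragment must not resize the datagram */
    if (h->len == 0 || h->len > payload_avail)
        return -1; /* header claims more bytes than the packet holds */
    /* Two comparisons instead of offset + len so the sum cannot wrap around. */
    if (h->offset > r->total_len || h->len > r->total_len - h->offset)
        return -1; /* would write past the end of the heap buffer */
    memcpy(r->buf + h->offset, payload, h->len);
    for (uint32_t i = 0; i < h->len; i++) {
        if (!r->seen[h->offset + i]) {
            r->seen[h->offset + i] = 1;
            r->bytes_seen++;
        }
    }
    return 0;
}

int reassembly_complete(const reassembly_t *r)
{
    return r->bytes_seen == r->total_len;
}

/* Feeds constructed fragments through the checks; returns how many behaved as
 * expected (6 when every check holds). */
int run_demo(void)
{
    reassembly_t r;
    uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed packet body */
    int ok = 0;
    if (reassembly_init(&r, 7, 16) != 0)
        return 0;
    frag_hdr_t in_range   = {7, 16, 0, 8};           /* fits: bytes 0..7 */
    frag_hdr_t past_end   = {7, 16, 12, 8};          /* 12 + 8 > 16 */
    frag_hdr_t wraparound = {7, 16, 0xFFFFFFF8u, 8}; /* offset + len wraps to 0 */
    frag_hdr_t short_pkt  = {7, 16, 8, 16};          /* claims 16, packet has 8 */
    frag_hdr_t tail       = {7, 16, 8, 8};           /* fits: bytes 8..15 */
    ok += reassembly_add(&r, &in_range,   payload, sizeof payload) == 0;
    ok += reassembly_add(&r, &past_end,   payload, sizeof payload) == -1;
    ok += reassembly_add(&r, &wraparound, payload, sizeof payload) == -1;
    ok += reassembly_add(&r, &short_pkt,  payload, sizeof payload) == -1;
    ok += reassembly_add(&r, &tail,       payload, sizeof payload) == 0;
    ok += reassembly_complete(&r) == 1;
    reassembly_free(&r);
    return ok;
}

int main(void)
{
    printf("%d of 6 fragment checks behaved as expected\n", run_demo());
    return 0;
}
```

The `wraparound` case is the one a naive `if (offset + len <= total_len)` test misses: with 32-bit arithmetic the sum wraps to a small value, passes the check, and the `memcpy` lands far outside the allocation. Compiling such code with modern exploit protections, as the article notes Steam did from last July, turns that write into a crash rather than a reliable primitive, but the bounds check is what removes the bug.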
Tom gave an example of what this could do in a video where he uses this vulnerability to simply open up the Calculator program in a fully patched version of Windows 10:
As far as anyone knows, no machines were affected by the exploit, but it’s an important reminder as to why Internet security is a very important topic, no matter how big or small your outfit. Tom also imparted an important lesson for developers:
This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections. The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts. The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged.