On March 22 one of Steam’s regular updates was rolled out, complete with fixes to the in-game overlay and problems involving corrupt items on the Steam Workshop. It also dealt with a bug that made it possible for someone to get access to the computer of anyone with Steam run code remotely, effectively taking over their computer.
Security researcher Tom Court has blogged about the bug and its potential misuse, explaining that, “At its core, the vulnerability was a heap corruption within the Steam client library that could be remotely triggered, in an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets.”
What that means is that, as he demonstrated in the video below, he could hijack a computer and run software remotely. In this test case it was just a calculator app, but obviously more malicious effects would have been possible.
Fortunately it was fixed quickly once Valve were made aware of the vulnerability, with a patch on the beta branch of Steam going live eight hours after it was discovered. As Court says, “this was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections. The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts. The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged.”