Until recently, a remote code execution vulnerability in Steam sat unnoticed by Valve for at least a decade, leaving millions of users at risk of attack. Luckily for all involved, it seems that malicious actors were not privy to the security bug either. Valve has since released a patch that partially addresses the vulnerability, so even if an attacker does attempt to exploit it, taking over a victim's PC is highly unlikely.
Tom Court, a security researcher with Context, the company that alerted Valve to the vulnerability, discussed the bug in detail in a blog post. He gave credit to Valve for quickly responding to the issue once it was made aware, noting that Context alerted Valve on February 20, 2018, and that it was fixed in the beta branch less than 12 hours later. It was then pushed out the masses a few weeks later on March 22.
"At its core, the vulnerability was a heap corruption within the Steam client library that could be remotely triggered, in an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets," Court explains. "The Steam client communicates using a custom protocol—the 'Steam' protocol—which is delivered on top of UDP."
Without taking a deep dive into the technical bits, an attacker could have exploited the security hole by sending modified UDP packets to any of the "15 million active [Steam] clients," causing a buffer overflow. Ultimately, an attacker could have taken complete control of a system by exploiting the vulnerability.
"The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged. The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them!," Court added.
It's also worth noting that Valve compiled its Steam code last July with modern exploit protections enabled. While the bug was still present from then until March, the worst an attacker could do with it is cause a victim's Steam client to crash.