For most of the past decade, it has theoretically been possible to hijack someone’s PC via Steam, according to IT security consultant firm Context Information Security. Don’t panic or go setting your PC on fire, though – as far as anyone is aware, no machines were hacked through this method. While no known harm from using the exploit exists, it’s a solid reminder as to why internet security is something that everyone needs to keep on top of, no matter how big or small your outfit.
Tom Court, the security boffin who identified and helped Valve close up the loophole also provided a proof-of-concept video, showing a relatively benign application of the exploit (launching Windows Calculator on a vulnerable machine), and it’s not hard to see how this could be used for evil instead of basic mathematics. The exact mechanics of how the exploit work are far too technical for me to wrap my mostly word-and-sawdust-filled brain about, but coders may find something of interest in Court’s official blog-post on the subject here.
The loophole was mostly closed back in July of last year, when Valve recompiled Steam using modern exploit protections. It could still have theoretically caused some damage (it would cause a crash if activated, rather than allowing full remote code execution) but the threat was greatly reduced. Context first discovered the issue back in February of this year and informed Valve, and while an initial patch was quick to come out, the stable branch of Steam didn’t receive the fix until the 22nd of March.
Credit where credit’s due, though; Context Information Security contacted Valve the moment they’d found this exploit, and within 8 hours a beta-branch patch had been published, making them one of the fastest-to-react companies that Context have ever had to deal with. Valve may have nobody willing to answer emails, but apparently they’ve got some very fast-working coders on staff. The full patch-notes for the client update on March 21st can be found here.
Thanks to Motherboard for spotting this story.