A security flaw within the Steam client present in all versions released in the last ten years has finally been fixed by Valve. It allowed cybercriminals to execute malicious code capable of affecting the platform's more than 15 million users.
The breach was discovered by Tom Court, a security specialist at consultancy Context Information Security. According to him, it is a remote code execution failure, as hackers could make network requests without accessing the victim's machine.
To communicate with the client, Steam sends UDP (User Datagram Protocol) packets, equivalent to the TCP (Transmission Control Protocol) which is usually faster. Court states that the hacker only needed to send a malformed UDP packet.
Then the Steam client would come across the bug, max out the memory limits (buffer overflow) in one of its libraries and made it vulnerable to malicious code.
Valve had already happened to partially fix the problem in July 2017. According to Court, Steam has gained ASLR protection, which makes it harder to pinpoint which part out of device memory a program is running.
The improvement complicated malicious activities, but did not end them. In February, Court gave details about the flaw to Valve, who released a definitive fix on April 4. With almost two months for users to update the program, the expert released a detailed report on the Context website.
With information: BleepingComputer.