Valve patches 10-year-old exploitable bug in Steam
MANILA, Philippines - Tom Court, a senior researcher at cybersecurity firm Context, said popular game distribution platform Steam had a 10-year-old bug that would have left its users vulnerable to remote code execution attacks.
In a blog post, Court explained Steam users could have been easily victimized due to a lack of modern exploit protection. He also uploaded a video showing the issue in action.
Valve, Steam's developers, found out about the bug when Court reported it to them last February. To their credit, it was said to have been resolved in the beta branch in less than 12 hours. The fix was then pushed to the stable branch where it was rolled out as a patch last March.
They had already made the vulnerability much harder to exploit in July of last year by implementing new security features in Steam’s desktop client, but it was not until March of this year that users could rest easy knowing the bug was completely fixed.
Court said this was likely caused by an oversight and reminded developers to constantly review old code, even if it is still functional, to ensure it is bug-free.
“The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them,” he said. – Rappler.com