Skip to main content

For over a decade a bug in Steam meant someone could take over your PC

On March 22 one of Steam's regular updates was rolled out, complete with fixes to the in-game overlay and problems involving corrupt items on the Steam Workshop. It also dealt with a bug that made it possible for someone to get access to the computer of anyone with Steam run code remotely, effectively taking over their computer.

Security researcher Tom Court has blogged about the bug and its potential misuse, explaining that, "At its core, the vulnerability was a heap corruption within the Steam client library that could be remotely triggered, in an area of code that dealt with fragmented datagram reassembly from multiple received UDP packets."

What that means is that, as he demonstrated in the video below, he could hijack a computer and run software remotely. In this test case it was just a calculator app, but obviously more malicious effects would have been possible.

Fortunately it was fixed quickly once Valve were made aware of the vulnerability, with a patch on the beta branch of Steam going live eight hours after it was discovered. As Court says, "this was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections. The vulnerable code was probably very old, but as it was otherwise in good working order, the developers likely saw no reason to go near it or update their build scripts. The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged."

Thanks, Motherboard.

Jody Macgregor

Jody's first computer was a Commodore 64, so he remembers having to use a code wheel to play Pool of Radiance. A former music journalist who interviewed everyone from Giorgio Moroder to Trent Reznor, Jody also co-hosted Australia's first radio show about videogames, Zed Games. He's written for Rock Paper Shotgun, The Big Issue, GamesRadar, Zam, Glixel, and Playboy.com, whose cheques with the bunny logo made for fun conversations at the bank. Jody's first article for PC Gamer was published in 2015, he edited PC Gamer Indie from 2017 to 2018, and actually did play every Warhammer videogame.