Steam Client had a Remote Code Execution Vulnerability for at Least 10 Years

Discussion in 'HardForum Tech News' started by DooKey, Jun 1, 2018.

  1. DooKey

    DooKey [H]ardness Supreme

    Messages:
    8,102
    Joined:
    Apr 25, 2001
    Don't delete your Steam client. The vulnerability has been fixed, but the simple fact of the matter is it was just sitting there for at least ten years. This was a nasty vulnerability that would allow remote code execution on the computer hosting the client. There were no known attacks using this vector, but if there had been it wouldn't have been nice. The good news is after discovering the vulnerability the folks at Context Information Security notified Valve and they released a fix within 8 hours earlier this year. That's a quick response. The moral of the story is all software no matter how secure it seems to be is still a possible vector for malware or worse. Ronald Reagan said it best.....trust, but verify. Keep up the good work white hats.

    The bug was caused by the absence of a simple check to ensure that, for the first packet of a fragmented datagram, the specified packet length was less than or equal to the total datagram length. This seems like a simple oversight, given that the check was present for all subsequent packets carrying fragments of the datagram.
     
    Last edited: Jun 1, 2018
    DejaWiz likes this.
  2. Jim Kim

    Jim Kim 2[H]4U

    Messages:
    3,499
    Joined:
    May 24, 2012
    Nuts.
    At least it got fixed.
     
  3. M76

    M76 [H]ardForum Junkie

    Messages:
    9,455
    Joined:
    Jun 12, 2012
    A door that nobody knew about and nobody discovered in 10 years might as well be a wall.
     
  4. IcePickFreak

    IcePickFreak [H]ard|Gawd

    Messages:
    1,120
    Joined:
    Dec 1, 2010
    You should see the Meltdown/Spectre threads. ;)
     
  5. JavaLava

    JavaLava [H]Lite

    Messages:
    99
    Joined:
    Apr 3, 2018
    Eh they fixed it once they found out about it. No one knew about it until then...even the malicious people who intend to do harm.

    In this day and age...I think we will see more of this unfortunately. As cyber security becomes more and more important...more research teams are going to find vulnerabilities like this. Just hope the proper attention are given to them when they are found.
     
  6. Chris_B

    Chris_B [H]ardness Supreme

    Messages:
    4,995
    Joined:
    May 29, 2001
    They were too busy counting the steam takings and putting Half Life 3 on the shelf to notice. :mad:
     
  7. Meeho

    Meeho [H]ardness Supreme

    Messages:
    4,470
    Joined:
    Aug 16, 2010
    How do we know?