Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years (bleepingcomputer.com)
Valve developers have recently patched a severe security flaw that affected all versions of the Steam gaming client released in the past ten years. From a report: According to Tom Court, a security researcher with Context Information Security, the one who discovered the flaw, the vulnerability would have allowed an attacker to execute malicious code on any of Steam's 15 million gaming clients. In the jargon of security researchers, this is a remote code execution (RCE) flaw because exploitation was possible via network requests, without needing access to the victim's computer. Court says an attacker was only required to send malformed UDP packets to a target's Steam client, which would have triggered the bug and allowed him to run malicious code on the target's PC.
This steams me!!! (Score:4, Funny)
Re: (Score:1)
Isn't the internet great?.... Russians can post anything they want, anytime to destabilize the US... and generate hate.
By design, not a bug (Score:1)
"bugs" like these are so peculiar in that they simply do not happen by themselves. Someone intentionally did this, and the question is who. Valve, or someone else?
Re: (Score:2)
Someone who has a lot of bitcoin.
Re:By design, not a bug (Score:5, Insightful)
It's an overflow bug. There's nothing peculiar or rare about it.
Re:By design, not a bug (Score:4, Funny)
To paraphrase Sadiq Khan, buffer overflows are part and parcel of programming in C(++).
Re: (Score:2)
Oh look, it's that misquote again! What he actually said was:
"Part and parcel of programming in C/C++ is you’ve got to be prepared for these things, you’ve got to be vigilant, you’ve got to support the coders doing an incredibly hard job. We must never accept buffer overflows being successful, we must never accept that black hats can destroy our life or destroy the way we lead our lives."
Re: (Score:3)
Yet isn't it curious how some languages can have no buffer overflow exploits at all.
It's almost like some language features are inherently inferior, with only emotional appeals to a supposed equality and inertia forcing us down the same inferior path with the same inferior results for decades on end, the equality never materializing.
Re: (Score:2)
Re: (Score:2)
Aren't they busy making CoCs that penalize people for just wanting to code, and ignoring identity politics?
Likelihood of attack? (Score:2)
Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?
Re: (Score:1)
It could be a loophole in a poorly locked down corporate setting.
A lot of companies allow people to install software on their laptop, and a lot of people treat work laptops as personal to an extent (I'm not saying any of this is good, just reality). I could see an info leak from a malicious employee attacking another employee in a network that relies on perimeter security.
Re: (Score:1)
It's almost like most corporate hacks happen when people break obvious rules and common smart computer practices...
Re:Likelihood of attack? (Score:5, Insightful)
Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?
An attack sourced from the Internet would be highly unlikely, or more specifically would be zero percent for the vast majority of Steam users.
LAN attacks are more realistic, especially if one is the LAN party hosting type.
Malware that makes it behind the NAT could also be used to exploit this.
PC-infecting malware for certain could be used to reach and infect other systems running Steam on the LAN other than the infected one.
Can web browsers do UDP from their sandbox these days?
There has been browser-based malware in the past that utilized TCP sockets to attack home routers' web interfaces from the inside LAN side.
While I admit I don't know, part of me still hopes UDP is a thing kept out of the JavaScript and sandbox passing commands available to the browser, but fear I could be wrong...
Re: (Score:1)
While not strictly a requirement for network multiplayer games on the recent two Nintendo consoles, it's the only way to disable the NAT/TCP response port randomization security feature on most consumer-grade home routers, which does break pretty much all of them, though not always immediately unless there is other traffic passing through the router at that point.
Re: (Score:1)
(On Steam it's only a problem I've seen with Hammerwatch, and only if you're the host.)
Re: (Score:2)
If you have a machine not directly connected to the Internet, your ISP sucks and so does your ability to find an alternate way to obtain modern connectivity. Being enumerable is another matter, but those of us who want to connect back home keep at least one permanent IP. It might be reasonable to use a privacy-extension one for all outgoing connections and the permanent one only for incoming, but I for one never bothered to care enough (and radv is troublesome if you have many VMs of multiple types inside
Re: (Score:2)
Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?
Depending on whether anybody malicious was aware of this exploit, the likelihood is quite high [reuters.com].
Re: (Score:2)
It could be exploited without a direct connection by spoofing the source IP address of a server the client is already talking to and generating a reasonable fake packet matching others recently received by the client. So if you could get access to hardware between the client/server you could exploit this on the client.
More details here: https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client [contextis.com]
Re: (Score:2)
I hate how Slashdot doesn't let you mod in the same article you post. This is the singularly most informative post in the entire thread. Thank you!
Re: (Score:2)
If someone has a laptop they take around and use on Wi-Fi, this could be an issue.
Re:Likelihood of attack? Answer - high (Score:2)
Re: (Score:2)
Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?
Since very few consumers use a VLAN for their local network, their system can be attacked by compromised systems on their LAN.
So what? (Score:5, Insightful)
The only thing that means is that Valve is not writing new and really bad code all the time, they actually and sanely keep what works and improve it. Yes, sometimes that takes long, but nobody with an actual clue is surprised by that.
Re: (Score:2)
That "Steam Guard code" is just crap. I work a lot of hours so I don't have much free time, and it just sucks waiting on the email with the code so I can log in to be allowed to play a game I own. By the time I finally get the code to log in, I've usually moved on to doing something else.
Re: (Score:3)
Steam Desktop Authenticator
Gr8 (Score:3)
Bug was addressed within hours of being reported. (Score:2)
Wait only 15 million gaming clients? (Score:2)
I know PC gaming is (at times) waning vs console, especially in, say, sales of a ported game.
(Example GTAV, PS3, 360, PS4, Xbox One and PC) the PC version /generally/ would sell less.
However.
The PC library with its true backwards compatibility and age, the immense volume, the new Chinese customers, seriously 15 million?
I would've happily believed Steam has an install base of at least 50 to 100 million PCs at any time.
Very surprising.
Re: (Score:2)
I think the numbers are getting confused. Perhaps they were confusing it with the often thrown around concurrent users number, which has been around 15 million.
https://www.vinereport.com/art... [vinereport.com]
The actual total number of installed clients is much, much, much larger for sure.
Wait... (Score:2)