Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years (bleepingcomputer.com) 77

Valve developers have recently patched a severe security flaw that affected all versions of the Steam gaming client released in the past ten years. From a report: According to Tom Court, a security researcher with Context Information Security, the one who discovered the flaw, the vulnerability would have allowed an attacker to execute malicious code on any of Steam's 15 million gaming clients. In the jargon of security researchers, this is a remote code execution (RCE) flaw because exploitation was possible via network requests, without needing access to the victim's computer. Court says an attacker was only required to send malformed UDP packets to a target's Steam client, which would have triggered the bug and allowed him to run malicious code on the target's PC.
This discussion has been archived. No new comments can be posted.

Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years

Comments Filter:
  • by Bodhammer ( 559311 ) on Thursday May 31, 2018 @12:37PM (#56706476)
    First post! Yeah!
  • by Anonymous Coward

    "bugs" like these are so peculiar in that they simply do not happen by themselves. Someone intentionally did this, and the question is who. Valve, or someone else?

    • some one who has a lot of bit coin.

    • by GrumpySteen ( 1250194 ) on Thursday May 31, 2018 @01:18PM (#56706782)

      It's an overflow bug. There's nothing peculiar or rare about it.

      • by Pinky's Brain ( 1158667 ) on Thursday May 31, 2018 @01:24PM (#56706832)

        To paraphrase Sadiq Khan, buffer overflows are part and parcel of programming in C(++).

        • by AC-x ( 735297 )

          Oh look, it's that misquote again! What he actually said was:

          "Part and parcel of programming in C/C++ is you’ve got to be prepared for these things, you’ve got to be vigilant, you’ve got to support the coders doing an incredibly hard job. We must never accept buffer overflows being successful, we must never accept that black hats can destroy our life or destroy the way we lead our lives."

          • Yet isn't it curious how some languages can have no buffer overflow exploits at all.

            It's almost like some language features are inherently inferior, with only emotional appeals to a supposed equality and inertia forcing us down the same inferior path with the same inferior results for decades on end, the equality never materializing.

            • by hlavac ( 914630 )
              Have a look at Rust, it is a genuine step forward to avoid problems that are inherent in C/C++
              • by Mashiki ( 184564 )

                Aren't they busy making CoC's that penalize people for just wanting to code, and ignoring identity politics?

  • Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelyhood that this would actually be exploited?

    • by AvitarX ( 172628 )

      It could be a loophole in a poorly locked down corporate setting.

      A lot of companies allow people to install software on their laptop, and a lot of people treat work laptops as personal to an extent (I'm not saying any of this is good, just reality). I could see an info leak from a malicious employee attacking another employee in a network that relies on perimeter security.

    • by dissy ( 172727 ) on Thursday May 31, 2018 @12:53PM (#56706576)

      Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelyhood that this would actually be exploited?

      An attack sourced from the Internet would be highly unlikely, or more specifically would be zero percent for the vast majority of Steam users.

      LAN attacks are more realistic, especially if one is the LAN party hosting type.

      Malware that makes it behind the NAT could also be used to exploit this.
      PC infecting malware for certain could be used to reach and infect other systems running Steam on the LAN other than the infected one.

      Can web browsers do UDP from their sandbox these days?
      There have been browser based malware in the past that utilized TCP sockets to attack home routers web interfaces from the inside LAN side.
      While I admit I don't know, part of me still hopes UDP is a thing kept out of the javascript and sandbox passing commands available to the browser, but fear I could be wrong...

    • If you have a machine not directly connected to the Internet, your ISP sucks and so does your ability to find an alternate way to obtain modern connectivity. Being enumerable is another matter, but those of us who want to connect back home keep at least one permanent IP. It might be reasonable to use a privacy-extension one for all outgoing connections and the permanent one only for incoming, but I for one never bothered to care enough (and radv is troublesome if you have many VMs of multiple types inside

    • Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelyhood that this would actually be exploited?

      Depending on whether anybody malicious was aware of this exploit, the likelihood is quite high [reuters.com].

    • It could be exploited without a direct connection by spoofing the source IP address of a server the client is already talking to and generating a reasonable fake packet matching others recently received by the client. So if you could get access to hardware between the client/server you could exploit this on the client.

      More details here: https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client [contextis.com]

      • I hate how Slashdot doesn't let you mod in the same article you post. This is the singularly most informative post in the entire thread. Thank you!

    • If someone has a laptop they take around and use on Wi-Fi, this could be an issue.

    • There are many ways that UDP packets can traverse NAT (see UDP hole punching for example). There are lots of applications, especially in games, where UDP makes more sense than TCP. If I know the public IP address of a Steam user, with a bit of guess work and a sending a lot of packets to their router I could impersonate a legitimate UDP sender and get their router to forward the UDP packets to their machine. So yes, this exploit is bad.
    • by Agripa ( 139780 )

      Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelyhood that this would actually be exploited?

      Since very few consumers use a VLAN for their local network, their system can be attacked by compromised systems on their LAN.

  • So what? (Score:5, Insightful)

    by gweihir ( 88907 ) on Thursday May 31, 2018 @12:59PM (#56706628)

    The only thing that means is that Valve is not writing new and really bad code all the time, they actually and sanely keep what works and improve it. Yes, sometimes that takes long, but nobody with an actual clue is surprised by that.

  • by fluffernutter ( 1411889 ) on Thursday May 31, 2018 @01:32PM (#56706902)
    Great, so now are they going to prevent it from hanging like a bitch if you start windows without a network?
  • What is the news here? Bugs exist until they are discovered, this could be years or even never. Tom wants his fifteen minutes? Oh it is bleeping computer, explains everything.
  • I know PC gaming is (at times) waning vs console, especially in say, sales of a ported game.
    (Example GTAV, PS3, 360, PS4, Xbox One and PC) the PC version /generally/ would sell less.

    However.
    The PC library with it's true backwards compatibility and age, the immense volume, the new Chinese customers, seriously 15 million?
    I would've happily believed Steam has an install base of at least 50 to 100million PCs at any time.

    Very surprising.

    • I think the numbers are getting confused. Perhaps they were confusing it with the often thrown around concurrent users number, which has been around 15 million.

      https://www.vinereport.com/art... [vinereport.com]

      The actual total number of installed clients is much, much, much larger for sure.

  • Wait, so I can just send malformed UDP packets to anyone on the internet, and their computer will pick it up without having firewall rules or port forwarding configured in their routers? I was not aware that internet technology had regressed to the 1990s.

"Hello again, Peabody here..." -- Mister Peabody

Working...