News

Valve closes ten-year-old vulnerability in Steam

By admin
Spread the love

Steam turned out to contain a vulnerability that had been in all software clients for at least ten years. Until July last year, the vulnerability was relatively easy to exploit and it was possible to execute code remotely.

The nature of the problem lay with Valve’s Steam protocol, writes Tom Court of security company Contextis. That protocol did not check the length of a first data packet of a fragmented datagram. That opens the door to a buffer overflow specific to the Steam client library that builds fragmented datagrams from received udp packets.

In July last year, Valve added address space layout randomization protection to the client. Since then, the vulnerability has not simply been exploited, but exploitation leads to crashes. However, the leak has been in place since at least 2008, Contextis claims, and abuse was still possible after July 2017 with additional information about the memory location of the Steam app.

The company notified Valve of the find on February 20 of this year, and 12 hours later, the company had fixed the issue in the beta client. The fix was implemented in the stable client on March 22. “It was a simple bug that was relatively easy to exploit due to the lack of modern security,” Court wrote.

You might also like
News

Rumor: Apple is working on its own applications based on a large language model

News

Blizzard will release certain games via Steam, starting with Overwatch 2

News

EU Council determines position on security requirements for digital products

News

Microsoft and Activision Blizzard postpone acquisition deadline until October

News

Samsung develops first GDDR7 chips, mentions bandwidths of up to 32Gbit/s per pin

News

Meta introduces open source language model Llama 2, works on PCs and phones

Exit mobile version