Slashdot Mirror


Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years (bleepingcomputer.com)

Valve developers have recently patched a severe security flaw that affected all versions of the Steam gaming client released in the past ten years. From a report: According to Tom Court, the security researcher with Context Information Security who discovered the flaw, the vulnerability would have allowed an attacker to execute malicious code on any of Steam's 15 million gaming clients. In the jargon of security researchers, this is a remote code execution (RCE) flaw because exploitation was possible via network requests, without needing access to the victim's computer. Court says an attacker was only required to send malformed UDP packets to a target's Steam client, which would have triggered the bug and allowed them to run malicious code on the target's PC.

31 of 77 comments

  1. This steams me!!! by Bodhammer · · Score: 4, Funny

    First post! Yeah!

    --
    "I say we take off, nuke the site from orbit. It's the only way to be sure."
  2. By design, not a bug by Anonymous Coward · · Score: 1

    "bugs" like these are so peculiar in that they simply do not happen by themselves. Someone intentionally did this, and the question is who. Valve, or someone else?

    1. Re:By design, not a bug by Joe_Dragon · · Score: 1

      someone who has a lot of bitcoin.

    2. Re:By design, not a bug by GrumpySteen · · Score: 4, Insightful

      It's an overflow bug. There's nothing peculiar or rare about it.

    3. Re:By design, not a bug by Pinky's Brain · · Score: 3, Funny

      To paraphrase Sadiq Khan, buffer overflows are part and parcel of programming in C(++).

    4. Re:By design, not a bug by AC-x · · Score: 1

      Oh look, it's that misquote again! What he actually said was:

      "Part and parcel of programming in C/C++ is you’ve got to be prepared for these things, you’ve got to be vigilant, you’ve got to support the coders doing an incredibly hard job. We must never accept buffer overflows being successful, we must never accept that black hats can destroy our life or destroy the way we lead our lives."

    5. Re:By design, not a bug by Pinky's Brain · · Score: 2

      Yet isn't it curious how some languages can have no buffer overflow exploits at all.

      It's almost like some language features are inherently inferior, with only emotional appeals to a supposed equality and inertia forcing us down the same inferior path with the same inferior results for decades on end, the equality never materializing.

    6. Re:By design, not a bug by hlavac · · Score: 1

      Have a look at Rust; it is a genuine step forward toward avoiding problems that are inherent in C/C++.

    7. Re:By design, not a bug by Mashiki · · Score: 1

      Aren't they busy making CoCs that penalize people for just wanting to code, and ignoring identity politics?

      --
      Om, nomnomnom...
  3. Likelihood of attack? by ilsaloving · · Score: 1

    Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?

    1. Re:Likelihood of attack? by AvitarX · · Score: 1

      It could be a loophole in a poorly locked down corporate setting.

      A lot of companies allow people to install software on their laptop, and a lot of people treat work laptops as personal to an extent (I'm not saying any of this is good, just reality). I could see an info leak from a malicious employee attacking another employee in a network that relies on perimeter security.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Likelihood of attack? by dissy · · Score: 4, Insightful

      Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?

      An attack sourced from the Internet would be highly unlikely, or more specifically would be zero percent for the vast majority of Steam users.

      LAN attacks are more realistic, especially if one is the LAN party hosting type.

      Malware that makes it behind the NAT could also be used to exploit this.
      PC-infecting malware for certain could be used to reach and infect other systems running Steam on the LAN other than the infected one.

      Can web browsers do UDP from their sandbox these days?
      There has been browser-based malware in the past that utilized TCP sockets to attack home routers' web interfaces from the inside LAN side.
      While I admit I don't know, part of me still hopes UDP is a thing kept out of the JavaScript and sandbox passing commands available to the browser, but fear I could be wrong...

    3. Re:Likelihood of attack? by KiloByte · · Score: 1

      If you have a machine not directly connected to the Internet, your ISP sucks and so does your ability to find an alternate way to obtain modern connectivity. Being enumerable is another matter, but those of us who want to connect back home keep at least one permanent IP. It might be reasonable to use a privacy-extension one for all outgoing connections and the permanent one only for incoming, but I for one never bothered to care enough (and radv is troublesome if you have many VMs of multiple types inside your desktop).

      Obviously, most people run Steam on some smelly Windows, but 1. Steam works on Linux too (although x86 only), and 2. Windows laptops see hostile networks the moment you take them outside home anyway.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Likelihood of attack? by chispito · · Score: 1

      Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?

      Depending on whether anybody malicious was aware of this exploit, the likelihood is quite high.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    5. Re:Likelihood of attack? by The MAZZTer · · Score: 1

      It could be exploited without a direct connection by spoofing the source IP address of a server the client is already talking to and generating a reasonable fake packet matching others recently received by the client. So if you could get access to hardware between the client/server you could exploit this on the client.

      More details here: https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client

    6. Re:Likelihood of attack? by ctilsie242 · · Score: 1

      If someone has a laptop they take around and use on Wi-Fi, this could be an issue.

    7. Re:Likelihood of attack? by AvitarX · · Score: 1

      It's almost like most corporate hacks happen when people break obvious rules and common smart computer practices...

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    8. Re: Likelihood of attack? by Narcocide · · Score: 1

      While not strictly a requirement for network multiplayer games on the recent two Nintendo consoles, it's the only way to disable the NAT/TCP response port randomization security feature on most consumer-grade home routers, which does break pretty much all of them, though not always immediately unless there is other traffic passing through the router at that point.

    9. Re: Likelihood of attack? by Narcocide · · Score: 1

      (On Steam it's only a problem I've seen with Hammerwatch, and only if you're the host.)

    10. Re:Likelihood of attack? by Agripa · · Score: 1

      Unless someone has their machine connected directly to the internet (in which case you've got a whole lot of bigger problems), what's the likelihood that this would actually be exploited?

      Since very few consumers use a VLAN for their local network, their system can be attacked by compromised systems on their LAN.

    11. Re:Likelihood of attack? by ilsaloving · · Score: 1

      I hate how Slashdot doesn't let you mod in the same article you post. This is the singularly most informative post in the entire thread. Thank you!

  4. So what? by gweihir · · Score: 4, Insightful

    The only thing that means is that Valve is not writing new and really bad code all the time, they actually and sanely keep what works and improve it. Yes, sometimes that takes long, but nobody with an actual clue is surprised by that.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Re:Nice, but when will they fix their auth... by greenwow · · Score: 1

    That "Steam Guard code" is just crap. I work a lot of hours so I don't have much free time, and it just sucks waiting on the email with the code so I can log in to be allowed to play a game I own. By the time I finally get the code to log in, I've usually moved on to doing something else.

  6. Gr8 by fluffernutter · · Score: 2

    Great, so now are they going to prevent it from hanging like a bitch if you start Windows without a network?

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  7. Bug was addressed within hours of being reported. by Fly Swatter · · Score: 1

    What is the news here? Bugs exist until they are discovered; this could be years or even never. Tom wants his fifteen minutes? Oh, it is Bleeping Computer, that explains everything.

  8. Re:Trump will die in prison either way though. by Tulsa_Time · · Score: 1

    Isn't the internet great?.... Russians can post anything they want, anytime to destabilize the US... and generate hate.

    --
    5 out of 6 people enjoy Russian Roulette & 6 out of 7 Dwarfs are not Happy
  9. Re:Likelihood of attack? Answer - high by FeelGood314 · · Score: 1

    There are many ways that UDP packets can traverse NAT (see UDP hole punching for example). There are lots of applications, especially in games, where UDP makes more sense than TCP. If I know the public IP address of a Steam user, with a bit of guesswork and by sending a lot of packets to their router I could impersonate a legitimate UDP sender and get their router to forward the UDP packets to their machine. So yes, this exploit is bad.
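
The MAZZTer's point about spoofing a known server's source address and FeelGood314's point about UDP traversing NAT both come down to how a consumer NAT filters inbound datagrams. The block below is an added example, not code from this thread or from Context's write-up: a small Python model of the three RFC 4787 filtering behaviours, with every address and port a constructed sample value, showing which senders can get a datagram forwarded to a client that has only ever talked to one server.

```python
from dataclasses import dataclass, field

ENDPOINT_INDEPENDENT = "endpoint-independent"          # "full cone": any sender
ADDRESS_DEPENDENT = "address-dependent"                # only IPs the client sent to
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"  # only exact ip:port peers

@dataclass
class Nat:
    filtering: str
    public_ip: str = "203.0.113.7"  # constructed sample address (TEST-NET-3)
    mappings: dict = field(default_factory=dict)  # public port -> internal (ip, port)
    peers: dict = field(default_factory=dict)     # public port -> {(remote ip, port)}

    def outbound(self, src, dst):
        """Client sends a datagram: reuse or create its mapping, remember the peer."""
        for pub_port, internal in self.mappings.items():
            if internal == src:
                break
        else:
            pub_port = 40000 + len(self.mappings)  # constructed port allocation
            self.mappings[pub_port] = src
            self.peers[pub_port] = set()
        self.peers[pub_port].add(dst)
        return (self.public_ip, pub_port)

    def inbound(self, remote, pub_port):
        """Internal endpoint a datagram from `remote` is forwarded to, or None if dropped."""
        if pub_port not in self.mappings:
            return None  # no mapping exists: nothing to forward to
        allowed = self.peers[pub_port]
        if self.filtering == ENDPOINT_INDEPENDENT:
            ok = True
        elif self.filtering == ADDRESS_DEPENDENT:
            ok = any(ip == remote[0] for ip, _ in allowed)
        else:
            ok = remote in allowed
        return self.mappings[pub_port] if ok else None

def exposure(filtering):
    """Which senders reach a client that has only ever talked to one server?"""
    nat = Nat(filtering)
    client = ("192.168.1.20", 27015)  # constructed LAN client behind the NAT
    server = ("198.51.100.5", 27017)  # constructed server the client talks to
    _, pub_port = nat.outbound(client, server)
    # The NAT cannot tell a genuine server packet from one with a forged source
    return {
        "known server": nat.inbound(server, pub_port) is not None,
        "stranger": nat.inbound(("192.0.2.99", 5555), pub_port) is not None,
        "server ip, other port": nat.inbound((server[0], 9999), pub_port) is not None,
    }
```

Only address-and-port-dependent filtering stops a stranger who has guessed the public port, and none of the three modes can reject a datagram whose source is forged to the exact server endpoint, which is why the fix is patching the client rather than relying on the NAT.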

  10. Wait only 15 million gaming clients? by AbRASiON · · Score: 1

    I know PC gaming is (at times) waning vs console, especially in say, sales of a ported game.
    (Example GTAV, PS3, 360, PS4, Xbox One and PC) the PC version /generally/ would sell less.

    However.
    The PC library with its true backwards compatibility and age, the immense volume, the new Chinese customers, seriously 15 million?
    I would've happily believed Steam has an install base of at least 50 to 100 million PCs at any time.

    Very surprising.

    1. Re:Wait only 15 million gaming clients? by thecombatwombat · · Score: 1

      I think the numbers are getting confused. Perhaps they were confusing it with the often thrown around concurrent users number, which has been around 15 million.

      https://www.vinereport.com/art...

      The actual total number of installed clients is much, much, much larger for sure.

  11. Re:Nice, but when will they fix their auth... by ChoGGi · · Score: 2

    Steam Desktop Authenticator

  12. Wait... by skovnymfe · · Score: 1

    Wait, so I can just send malformed UDP packets to anyone on the internet, and their computer will pick it up without having firewall rules or port forwarding configured in their routers? I was not aware that internet technology had regressed to the 1990s.