Valve developers have recently patched a severe security flaw that affected all versions of the Steam gaming client released in the past ten years.
According to Tom Court, the security researcher with Context Information Security who discovered the flaw, the vulnerability would have allowed an attacker to execute malicious code on any of Steam's 15 million gaming clients.
Vulnerability exploitable remotely via network packets
In the jargon of security researchers, this is a remote code execution (RCE) flaw because exploitation was possible via network requests, without needing access to the victim's computer.
Court says an attacker only needed to send malformed UDP packets to a target's Steam client; these would have triggered the bug and allowed the attacker to run malicious code on the target's PC.
The root cause of this vulnerability is a buffer overflow in one of Steam's many internal libraries, and more specifically in Steam's code that dealt with fragmented UDP datagram reassembly.
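To make the class of bug concrete, here is an added example (not Steam's code, not Context's proof of concept, and not based on Steam's wire format) of a fragmented-datagram reassembler. The fragment header, the buffer size and the fragment sequence are all constructed for this illustration. The unchecked version copies packet-supplied offset and length values straight into a fixed buffer, which is the general shape of a reassembly overflow; the checked version validates every field that drives a memory write before touching the buffer, and uses a per-byte coverage map so duplicate or overlapping fragments cannot fake completion.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_DATAGRAM 1024u   /* reassembly buffer size (constructed value) */

/* Hypothetical fragment header, constructed for this example. */
typedef struct {
    uint32_t offset;    /* byte offset of this fragment in the datagram */
    uint32_t length;    /* payload bytes the header claims follow it */
    uint32_t total_len; /* total datagram length the sender declares */
} frag_hdr_t;

typedef struct {
    uint8_t  data[MAX_DATAGRAM];
    uint8_t  have[MAX_DATAGRAM]; /* per-byte coverage: duplicates and
                                    overlaps are not counted twice */
    uint32_t total_len;          /* 0 until the first fragment arrives */
    uint32_t received;           /* distinct bytes received so far */
} reasm_t;

enum { FRAG_OK = 0, FRAG_COMPLETE = 1, FRAG_REJECT = -1 };

/* Vulnerable shape: offset and length come straight from the packet and are
   never compared with the buffer size, so a hostile header writes past
   data[]. Shown for contrast only; nothing in this example calls it. */
int reassemble_unchecked(reasm_t *r, const frag_hdr_t *h, const uint8_t *payload)
{
    memcpy(r->data + h->offset, payload, h->length);
    r->received += h->length;
    return r->received >= h->total_len ? FRAG_COMPLETE : FRAG_OK;
}

/* Hardened version: every field that drives a memory write is checked against
   the buffer, against the bytes actually present in the packet, and against
   the other fragments of the same datagram. */
int reassemble_checked(reasm_t *r, const frag_hdr_t *h,
                       const uint8_t *payload, size_t payload_avail)
{
    /* 1. The declared datagram must fit the fixed buffer. */
    if (h->total_len == 0 || h->total_len > MAX_DATAGRAM)
        return FRAG_REJECT;
    /* 2. All fragments of one datagram must agree on the total length. */
    if (r->total_len == 0)
        r->total_len = h->total_len;
    else if (r->total_len != h->total_len)
        return FRAG_REJECT;
    /* 3. The header's length must be backed by bytes really in the packet. */
    if (h->length == 0 || h->length > payload_avail)
        return FRAG_REJECT;
    /* 4. offset + length must stay inside total_len. Two comparisons, so a
          huge offset cannot wrap the sum back into range. */
    if (h->offset > r->total_len || h->length > r->total_len - h->offset)
        return FRAG_REJECT;

    for (uint32_t i = 0; i < h->length; i++) {
        uint32_t pos = h->offset + i;
        r->data[pos] = payload[i];
        if (!r->have[pos]) {
            r->have[pos] = 1;
            r->received++;
        }
    }
    return r->received == r->total_len ? FRAG_COMPLETE : FRAG_OK;
}

/* Feed a constructed fragment sequence through the checked reassembler and
   return how many fragments it rejected: two honest fragments completing an
   8-byte datagram, a duplicate of the second, then three hostile headers
   (oversized total, length beyond the packet, offset that would wrap). */
int run_constructed_fragments(void)
{
    static const uint8_t part1[] = "ABCD";
    static const uint8_t part2[] = "EFGH";
    reasm_t r, bad;
    int rejected = 0;
    memset(&r, 0, sizeof r);
    memset(&bad, 0, sizeof bad);

    frag_hdr_t h1 = {0, 4, 8};
    if (reassemble_checked(&r, &h1, part1, 4) == FRAG_REJECT) rejected++;
    frag_hdr_t h2 = {4, 4, 8};
    if (reassemble_checked(&r, &h2, part2, 4) == FRAG_REJECT) rejected++;
    if (reassemble_checked(&r, &h2, part2, 4) == FRAG_REJECT) rejected++; /* duplicate */

    frag_hdr_t h3 = {0, 4, 4096};           /* total larger than the buffer */
    if (reassemble_checked(&bad, &h3, part1, 4) == FRAG_REJECT) rejected++;
    frag_hdr_t h4 = {0, 4000, 1024};        /* claims more bytes than present */
    if (reassemble_checked(&bad, &h4, part1, 4) == FRAG_REJECT) rejected++;
    frag_hdr_t h5 = {0xFFFFFFF0u, 4, 1024}; /* offset wraps if summed naively */
    if (reassemble_checked(&bad, &h5, part1, 4) == FRAG_REJECT) rejected++;

    return rejected;
}
```

Calling `run_constructed_fragments()` returns 3: the honest fragments and the duplicate are accepted, and each of the three hostile headers is dropped by a different check. The point of the checked version is that it rejects bad input before any write happens; mitigations such as ASLR only make a successful overflow harder to turn into code execution, they do not remove the bug.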
Bug accidentally half-patched last July
The Context security researcher says exploitation of this flaw would have been trivial up until July 2017, when Valve added ASLR protection to the Steam desktop client.
The added security feature made exploitation more difficult: in subsequent builds the malformed packets would only crash the Steam client rather than allow code execution.