A vulnerability has been found in the Steam desktop application that had been present for the last 10 years

As with many of the problems and exploits detected in different applications, this time the finding comes from a researcher at the security firm Context. Specifically, we are talking about Tom Court, who has just officially published a series of documents showing the existence of a small problem in the software of the Steam desktop client, which has been present, although you may not believe it, for the last 10 years.

Concretely, we are talking about a vulnerability with which, despite what you may have read elsewhere (in some places the problem seems to be played down), any hacker with sufficient knowledge who managed to exploit it could even take control of any computer that had the client installed. The worst thing about this whole issue is that, despite the fact that the exploit has been present in the application for the last 10 years, no person with enough knowledge to be able to harm a user has been able to discover the vulnerability.

Tom Court is the security expert who found one of the worst vulnerabilities in the Steam desktop client

Going into a little more detail, and as Tom Court himself has commented, we are talking about a very simple security problem in the application that, above all, and perhaps this has been the greatest risk, was very easy for any hacker to use. To give you an idea, the main problem with the Steam software, which has been installed on more than 15 million computers in the last ten years, is that it lacked protection against new exploit developments.

As Tom Court himself has commented, thanks to this vulnerability any hacker could apparently have taken control of any computer, completely revealing all the information of its owner or user, including the system credentials and other services. The best thing about all this news is that, for once, and perhaps due to the simplicity of these exploits, there is no indication that any hacker has taken advantage of this terrible security flaw.

We had to wait until 2018 for Valve to solve this security problem on Steam

All this information has come to light after Valve, predictably, solved part of this problem in July 2017. Specifically, it seems, the most dangerous part of the vulnerability was removed. Curiously, after this update the software still had a bug, albeit a minor one, since it only caused the client to crash and the hacker could only remotely deploy malicious code on the victim's machine. In fact, to demonstrate this flaw, Tom Court himself made a video, which you can find right at the beginning of the extended entry, in which he launches the calculator application remotely by taking advantage of it.

As is often the case, Tom Court informed Valve of this flaw and, since it was discovered, it went without review until February 20 of this year, 2018, the date on which the beta version of the client solved this vulnerability. On March 22, this version left beta and finally reached all users. As a detail, in the release notes you can find a line where Tom Court himself is thanked.

At least this time, even though too much time passed between the vulnerability being detected and finally being resolved, the truth is that Valve heeded Tom Court's comments at all times and collaborated with him to correct the flaw, something that contrasts with the approach of other companies, where this type of contact is not usually given attention.

Further information: Context

