Facepalm: Stories like this highlight the fact that a developer's work is never done and that modern security standards can bring to light flaws in code long thought to be rock solid.
Valve recently patched a bug in its Steam client that had quietly existed for at least the past decade. Until last July, when Valve enabled ASLR on the client, it could have been used to execute code remotely on a user's machine, according to the researcher who discovered it.
Security researcher Tom Court with Context Information Security reported the bug to Valve on February 20, 2018. In less than eight hours, he said, a patch had been dispatched to the beta client to address the matter. The official fix landed on the main Steam client in late March.
The vulnerability, at its core, was a heap corruption within the Steam client library, in the code that reassembles a fragmented datagram from multiple received UDP packets. Specifically, the bug was caused by the absence of a simple check that, for the first packet of a fragmented datagram, the specified packet length was less than or equal to the total datagram length. Without that check, a first fragment could claim more payload than the datagram it belonged to, and the copy into the reassembly buffer ran past the end of that buffer, corrupting the heap.
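To make the missing check concrete, here is an added example in C of a minimal fragment reassembler with the vulnerable and fixed behaviour side by side. It is not Valve's code and not Court's proof of concept; the fragment header layout, the field names, the `handle_fragment` routine and the sample fragments are all constructed for illustration. A guard region of known bytes sits after the logical buffer purely so the overflow can be observed without undefined behaviour; on a real heap, another object would be there instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fragment header. This is NOT Steam's wire format; it only
 * carries the fields the bug description needs. */
struct fragment {
    uint16_t fragment_idx;   /* 0 = first fragment of the datagram */
    uint16_t total_len;      /* whole datagram length, read from the first fragment */
    uint16_t packet_len;     /* payload bytes carried by this packet */
    const uint8_t *payload;
};

/* Guard bytes after the logical buffer exist only so the demo can observe an
 * overflow safely; a real heap has another allocation there. */
#define GUARD_LEN 64
#define GUARD_BYTE 0xAA

struct reassembly {
    uint8_t *buf;        /* total_len + GUARD_LEN bytes */
    uint16_t total_len;
    uint16_t received;   /* payload bytes written so far */
};

static int reassembly_init(struct reassembly *r, uint16_t total_len)
{
    r->buf = malloc((size_t)total_len + GUARD_LEN);
    if (!r->buf)
        return -1;
    memset(r->buf, 0, total_len);
    memset(r->buf + total_len, GUARD_BYTE, GUARD_LEN);
    r->total_len = total_len;
    r->received = 0;
    return 0;
}

static bool guard_intact(const struct reassembly *r)
{
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (r->buf[r->total_len + i] != GUARD_BYTE)
            return false;
    return true;
}

/* Accept one fragment. Returns 0 on accept, -1 on reject.
 * check_first == false reproduces the missing first-packet check;
 * check_first == true is the fixed behaviour. */
static int handle_fragment(struct reassembly *r, const struct fragment *f, bool check_first)
{
    if (f->fragment_idx == 0) {
        if (r->buf == NULL && reassembly_init(r, f->total_len) != 0)
            return -1;
        /* The fix: the first packet cannot be longer than the datagram it starts. */
        if (check_first && f->packet_len > r->total_len)
            return -1;
        /* Demo-only bound so the vulnerable copy stays inside the guard region. */
        if (f->packet_len > r->total_len + GUARD_LEN)
            return -1;
        memcpy(r->buf, f->payload, f->packet_len);  /* overflows when packet_len > total_len */
        r->received = f->packet_len;
        return 0;
    }
    if (r->buf == NULL)
        return -1;
    /* The bound the original code already applied to every later fragment. */
    if ((size_t)r->received + f->packet_len > r->total_len)
        return -1;
    memcpy(r->buf + r->received, f->payload, f->packet_len);
    r->received += f->packet_len;
    return 0;
}

/* Constructed attack: a 32-byte datagram whose first fragment claims 48 payload
 * bytes. Returns true if the guard was smashed; *status gets the handler result. */
static bool demo_oversized_first_fragment(bool check_first, int *status)
{
    uint8_t payload[48];
    memset(payload, 'A', sizeof payload);
    struct fragment evil = { 0, 32, 48, payload };
    struct reassembly r = { NULL, 0, 0 };
    int st = handle_fragment(&r, &evil, check_first);
    bool smashed = r.buf != NULL && !guard_intact(&r);
    free(r.buf);
    if (status)
        *status = st;
    return smashed;
}

/* Constructed benign case: two 16-byte fragments completing a 32-byte datagram. */
static bool demo_benign(bool check_first)
{
    uint8_t a[16], b[16];
    memset(a, 'a', sizeof a);
    memset(b, 'b', sizeof b);
    struct fragment f0 = { 0, 32, 16, a }, f1 = { 1, 32, 16, b };
    struct reassembly r = { NULL, 0, 0 };
    bool ok = handle_fragment(&r, &f0, check_first) == 0 &&
              handle_fragment(&r, &f1, check_first) == 0 &&
              r.received == r.total_len && guard_intact(&r);
    free(r.buf);
    return ok;
}

int main(void)
{
    int st;
    bool smashed = demo_oversized_first_fragment(false, &st);
    printf("vulnerable: guard smashed=%d status=%d\n", smashed, st);
    smashed = demo_oversized_first_fragment(true, &st);
    printf("fixed:      guard smashed=%d status=%d\n", smashed, st);
    printf("benign (fixed): ok=%d\n", demo_benign(true));
    return 0;
}
```

The point to notice is how small the difference is: one comparison on the first fragment, of exactly the kind already applied to every later fragment. The fixed path rejects the oversized first packet before any copy happens, while the vulnerable path writes 16 bytes past the logical end of the buffer.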
Court described it as a basic bug, likely a simple oversight given that the same check was present for all subsequent packets, and one made relatively straightforward to exploit by the lack of modern exploit protections in the client binary. The fact that such a simple bug with such serious consequences existed in such a popular platform for so many years, he added, should serve as a lesson to developers to periodically include aging code and system builds in reviews to ensure they conform to modern security standards.
Once Valve began building the Steam client with ASLR last July, exploiting the bug would have only crashed the client rather than yielding code execution. The underlying memory corruption remained until the February report, however; ASLR raised the cost of exploitation but did not remove the flaw.