Steam vulnerability exposed users to hacking for 10+ years
A security researcher has detailed a serious vulnerability in the Steam gaming client that exposed users to remote code execution for more than 10 years. The good news is that Valve Corp., Steam's owner, has fixed the issue.
Described Wednesday by Context Information Security Ltd.'s Tom Court, the vulnerability is a "heap corruption within the Steam client library." Heap corruption occurs when a program writes outside the bounds of a heap allocation, damaging neighbouring data or the allocator's own bookkeeping; the heap is the region of memory from which a program dynamically allocates storage at run time.
In this case, the issue was in the code that reassembles fragmented datagrams received over the User Datagram Protocol, or UDP. The Steam client did not check that the length of the first fragment of a datagram was less than or equal to the total datagram length declared in its header, so a crafted fragment could overflow the heap buffer set aside for the reassembled datagram. Without going deeper into the technical details, the net result of the vulnerability is that it could allow a remote attacker to take over a targeted computer running Steam.
“This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections,” Court said.
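As an added illustration, not code from Court's writeup or from Valve, the following C sketches the reassembly pattern the article describes: a buffer sized from a total length declared in the packet header, and a first fragment copied into it with and without the missing length check. The fragment and datagram structures, their field names and the demo functions are assumptions made for this example and are not Steam's real protocol; a wraparound-safe check for later fragments is included because the same class of bug recurs there.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fragment layout, modelled on the article's description and
 * NOT Steam's real wire format: each fragment carries the declared total
 * length of the datagram, its own payload length and its offset within it. */
struct fragment {
    uint32_t total_len;    /* declared size of the reassembled datagram */
    uint32_t offset;       /* where this fragment's bytes land */
    uint32_t payload_len;  /* bytes carried by this fragment */
    const uint8_t *payload;
};

struct datagram {
    uint8_t *buf;          /* heap buffer sized from total_len */
    uint32_t total_len;
    uint32_t received;     /* bytes copied in so far */
};

/* Vulnerable pattern: the buffer is sized from the attacker-controlled
 * total_len but the copy is sized from payload_len, and nothing checks that
 * payload_len <= total_len. A first fragment with payload_len > total_len
 * overflows the allocation. Kept for contrast; never feed it untrusted data. */
int first_fragment_vulnerable(struct datagram *d, const struct fragment *f)
{
    d->buf = malloc(f->total_len);
    if (d->buf == NULL) return -1;
    d->total_len = f->total_len;
    memcpy(d->buf, f->payload, f->payload_len);   /* missing bounds check */
    d->received = f->payload_len;
    return 0;
}

/* Hardened version: refuse a first fragment that does not fit the buffer
 * its own header asked for. */
int first_fragment_fixed(struct datagram *d, const struct fragment *f)
{
    if (f->offset != 0 || f->payload_len > f->total_len) return -1;
    d->buf = malloc(f->total_len);
    if (d->buf == NULL) return -1;
    d->total_len = f->total_len;
    memcpy(d->buf, f->payload, f->payload_len);
    d->received = f->payload_len;
    return 0;
}

/* Later fragments need the same discipline: offset + payload_len must not
 * exceed total_len, written so the addition cannot wrap around. */
int next_fragment_fixed(struct datagram *d, const struct fragment *f)
{
    if (f->total_len != d->total_len) return -1;      /* header mismatch */
    if (f->payload_len > d->total_len ||
        f->offset > d->total_len - f->payload_len) return -1;
    memcpy(d->buf + f->offset, f->payload, f->payload_len);
    d->received += f->payload_len;
    return 0;
}

/* Constructed demo input: the 6-byte datagram "Steam!" in two fragments. */
static const uint8_t part_a[] = { 'S', 't', 'e' };
static const uint8_t part_b[] = { 'a', 'm', '!' };

/* 1 if two valid fragments reassemble to "Steam!" through the fixed path. */
int demo_valid_reassembly(void)
{
    struct datagram d = { 0 };
    struct fragment f1 = { 6, 0, 3, part_a }, f2 = { 6, 3, 3, part_b };
    int ok = first_fragment_fixed(&d, &f1) == 0 &&
             next_fragment_fixed(&d, &f2) == 0 &&
             d.received == 6 && memcmp(d.buf, "Steam!", 6) == 0;
    free(d.buf);
    return ok;
}

/* 1 if the fixed path rejects a first fragment whose 3-byte payload exceeds
 * its declared 2-byte datagram; the vulnerable path would malloc(2), copy 3. */
int demo_oversize_rejected(void)
{
    struct datagram d = { 0 };
    struct fragment evil = { 2, 0, 3, part_a };
    return first_fragment_fixed(&d, &evil) == -1 && d.buf == NULL;
}

/* 1 if the fixed path rejects a later fragment whose offset makes
 * offset + payload_len wrap around to a small value. */
int demo_wraparound_rejected(void)
{
    struct datagram d = { 0 };
    struct fragment f1 = { 6, 0, 3, part_a }, wrap = { 6, 0xFFFFFFFFu, 3, part_b };
    int rejected = first_fragment_fixed(&d, &f1) == 0 &&
                   next_fragment_fixed(&d, &wrap) == -1;
    free(d.buf);
    return rejected;
}

int main(void)
{
    printf("%d %d %d\n", demo_valid_reassembly(), demo_oversize_rejected(),
           demo_wraparound_rejected());
    return 0;
}
```

The single comparison `payload_len > total_len` in first_fragment_fixed is the check the article says was absent. The wraparound guard in next_fragment_fixed is written as `offset > total_len - payload_len` rather than `offset + payload_len > total_len` deliberately: with 32-bit lengths the naive form can overflow back to a small number and pass, which is the same bug class in a different coat.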
Court informed Valve Corp., the owner of Steam, of the vulnerability on Feb. 20, and the company issued a fix in a beta release of the gaming client 12 hours later. The patch was pushed to all users via an update on March 22.
Although there’s no evidence that the vulnerability was ever exploited, Court argued that the case highlights the need for companies to review older code.
“The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards, even if the actual functionality of the code has remained unchanged,” Court noted. “The fact that such a simple bug with such serious consequences has existed in such a popular software platform for so many years may be surprising to find in 2018 and should serve as encouragement to all vulnerability researchers to find and report more of them!”
Photo: Pablo029/Wikimedia Commons