Valve Finally Fixes The Steam Remote Code Execution Flaw
They Finally Got To The Source Of The Problem
When you are logged into Steam, your only concerns are generally protecting your wallet and avoiding bad trades with strangers. However, there was a much more sinister issue which Valve knew about but had not fixed until the people who discovered the remote code execution flaw made it public.
There was a flaw in the Source Engine which allowed a nefarious person to gain control of your machine with a simple Steam invite. For whatever reason, when you accepted an invite there was no actual limitation on what program was launched by that invite, and a crafty hacker could launch anything they felt like on your machine.
That is just one vector through which the remote code execution could be leveraged. For instance, a person of low morals could create a public TF2 server, wait until there were a number of users playing, and then leverage the security flaw to launch code on the machines of every single person connected to the server. The same goes for CS:GO and other less popular Source Engine games.
Now that it has been patched, Secret Group is working on releasing the full technical details of the flaw to the public. If you are curious what the bug was, you should keep an eye on their Twitter feed, which Rock, Paper, SHOTGUN linked to in their post.
Two years ago, secret club member @floesen_ reported a remote code execution flaw affecting all source engine games. It can be triggered through a Steam invite.