Steam fixed a bug that reportedly left PCs vulnerable for over 10 years

Good thing it's gone -- it was apparently a nasty one.

Sean Hollister Senior Editor / Reviews

When his parents denied him a Super NES, he got mad. When they traded a prize Sega Genesis for a 2400 baud modem, he got even. Years of Internet shareware, eBay'd possessions and video game testing jobs after that, he joined Engadget. He helped found The Verge, and later served as Gizmodo's reviews editor. When he's not madly testing laptops, apps, virtual reality experiences, and whatever new gadget will supposedly change the world, he likes to kick back with some games, a good Nerf blaster, and a bottle of Tejava.

See full bio

Sean Hollister

May 31, 2018 10:58 a.m. PT

"Remote code execution vulnerability" isn't a phrase you want to hear when talking about your PC. It means someone could hack into your computer and launch nefarious programs without even being in the room. But according to Contextis security researcher Tom Court (via Motherboard), Valve's popular Steam game launcher has featured a remote code execution vulnerability for over a decade now.

The good news: It's already fixed.

The fix happened quickly, too: Court says he told Valve about the bug on Feb. 20, and the company pushed out an initial fix just 8 hours later. By March 22, the bug was completely eliminated, according to Court.

The bad news: If it's as bad as Court says it was (and demonstrates in the video above), millions upon millions of PC gamers were vulnerable for a very long time. Steam has as many as 15 million active users at any given moment, and total users are estimated above 125 million.

Valve didn't immediately respond to a request for comment, but an April changelog for the Steam Client does thank Court by name.

Watch this: The Steam Link app brings your games to the small screen

01:36