Skip to main content

Steam flaw could let hackers crash your PC or Mac — what you need to know

steam
(Image credit: Future)

Steam's desktop client for Windows, macOS and Linux is generally a pretty safe program, but even the safest programs can have potentially devastating holes in their security. 

That was the case back in September, when researchers discovered four dangerous vulnerabilities in Valve’s gaming platform. The bad news is that these flaws could have compromised your multiplayer match — or your whole computer. The good news is that you probably already have the patch that fixes them.

Back in September, Check Point, a Tel Aviv-based cybersecurity firm, discovered four potentially very nasty vulnerabilities in Steam. Specifically, the flaws were present in Steam Sockets, a toolkit that many third-party developers use to help their online games run smoothly on Steam.

Believe it or not, you probably don’t need to install a new patch to protect yourself from these flaws. That's because, in all likelihood, you’ve already installed it. 

Check Point alerted Valve to the vulnerabilities back in September, and Valve patched the issue two weeks later. The companies have waited this long to say anything to ensure that malefactors couldn’t take advantage of the vulnerabilities once Check Point revealed them.

Steam's desktop client software on Windows, Mac and Linux patches itself automatically — as do games, especially if you want to play them online. Unless you’ve specifically told your Steam desktop software not to download and install updates (and as a result have had to play everything in offline mode for the last three months), you’ve almost certainly installed the requisite fix already. 

If you haven’t turned Steam on in that time, though, it’s probably worth booting up the desktop program and installing the latest version.

How could a Steam hacker hijack your PC?

Without going into too much technical detail, the flaws ranged in severity from “high” to “critical,” as they could theoretically compromise a game — or a computer — without any input from the victim. 

The attacker could simply join a multiplayer server, then send malicious code directly to the end-user. The user would have no choice except to accept it. Crashing a game mid-match this way would be easy; hijacking a computer would be somewhat more difficult, but still within the realm of possibility.

Since the patch came out three months ago and Steam games require you to update before you play them online, there’s fortunately not much risk involved with these particular flaws anymore. 

Even better, there’s no indication that they were ever exploited in the wild. It’s a perfect example of security companies and software providers working together to fix issues before they ever pose a direct threat to the end-user.

On the other hand, it’s a good reminder that even big, popular, safe programs like Steam often have flaws lurking in the deep recesses of the code. This is probably not the last Steam vulnerability that researchers will ever discover, so be smart and keep your games updated before you play online.

Marshall Honorof

Marshall Honorof is an editor for Tom's Guide, covering gaming hardware, security and streaming video. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.