Recently on Twitter, @the_secret_club, a not-for-profit reverse-engineering group, reported that a remote code execution flaw affecting all Source Engine games hasn't been fixed, even though Valve has known about it for years in some cases. This is perhaps best seen in a showcase in which the flaw is demonstrated by accepting a Steam invite.
Obviously, this is not ideal, and for some games such as Team Fortress 2, this was reported as far back as two years ago. This particular flaw can be triggered by joining a community server and has not yet been patched.
There's also a third showcase in which secret club shows off a remote code execution 0-day for CS:GO that was reported to Valve 5 months ago. As with everything else in this article so far, there's been no response or fix. For good measure, secret club showed another Source Engine remote code execution exploit that's triggered by joining a community server.
So yeah, that's not good. We've emailed Valve asking when they plan on fixing the exploits/flaws and when they plan on fulfilling bounty payments for those who reported the exploits/flaws through the proper channels. If and when we receive a response, this article will be updated. Until then, stay tuned to TechRaptor for more details.
I understand that Valve is a company with a lot of things on its plate, but at the same time, this is inexcusable. Even as someone who knows virtually nothing about flaws, exploits, and everything in between, this really should have been fixed a long time ago. If someone is resorting to posting the exploits publicly so that a critical issue is finally fixed, that means there was a failure in communication that must be addressed. Hopefully, this is fixed soon so that it never happens again.