A remote code execution (RCE) vulnerability that existed in the Steam client for at least 10 years was fully patched only in March this year, according to security firm Context Information Security.
In July last year, Valve added modern exploit protections (Address Space Layout Randomisation – ASLR) to the Steam client, thus partially patching the RCE. According to Context senior researcher Tom Court, exploitation following this patch would have simply crashed the client.
Before that, however, all of the 15 million active Steam clients were vulnerable to RCE, the researcher claims.
Source: Infosec Island