Valve has finally fixed a security vulnerability in Counter-Strike: Global Offensive that could be used by hackers to gain remote control of a player's PC - an issue the company had reportedly known about for two years by the time its existence was publicised last week.
News of the exploit was circulated in a tweet by not-for-profit reverse-engineering group The Secret Club. It explained that one of its members, Florian, had contacted Valve two years earlier to report a remote code execution flaw that made it possible for a hacker to take over a target's PC by tricking them into accepting a Counter-Strike: Global Offensive Steam invite.
Although the exploit - one of several vulnerabilities reported to Valve by Secret Club members - had the potential to affect any game utilising Source Engine, The Secret Club stressed only CS:GO was still verifiably at risk. "We cannot say for sure if and when things have been patched in other games throughout the time without us being notified about it," it wrote.
Following The Secret Club's post, others began sharing stories of reporting bugs to Valve and receiving no response. As Florian put it in conversation with Vice's Motherboard, "Valve's response has been a complete disappointment right from the start. Our experience has always been slow response times, with little to no patches being pushed to production. They truly don't care about the security and integrity of their games."
However, it seems the increased scrutiny around the exploit resulting from The Secret Club's tweet finally spurred Valve into action, and the company has now patched the Counter-Strike vulnerability. "Good news!" Florian wrote in a follow-up tweet over the weekend. "Valve fixed my recent exploit and gave me permissions to disclose details." Florian says he's currently working on a detailed technical write-up, which he plans to release soon.
A separate remote code execution flaw, which can be triggered in Team Fortress 2 by joining a community server, was also highlighted by The Secret Club last week. This too is said to have been reported to Valve two years ago but, in this instance, it is still awaiting a fix.