This blog post explains the story behind a bug which had existed in the Steam client for at least the last ten years, and until last July would have resulted in remote code execution (RCE) in all 15 million active clients.
Article Link: https://www.contextis.com/site/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client