A new research report on Valve's Steam
has highlighted how the program can be used to launch malicious code attacks, thanks to flaws in how browser commands are passed between Steam and browsers like Chrome, IE, Opera, and Firefox.
First, it's important to understand that Steam itself isn't the (S)ource of the vulnerability. As Figure 1 illustrates, the attack vector presupposes that a machine has already been compromised in some fashion.
The relevant vulnerabilities all revolve around the Steam browser and how Steam:// commands are treated by the third-party browsers they interact with. Browsers based on Firefox will execute Steam:// protocol handlers without any warnings; IE9 will warn (but dodgy URLs can be obfuscated). Chrome will warn with the full URL displayed, at least. Figure 2 explains how Steam's browser can be used to load malware.
The user clicks on a YouTube video within Steam. This bounces the user to YouTube, where he clicks on another link. The attack injects itself at this point, using Steam's browser to redirect the user to a website containing further exploits or malware. Alternately, the attacker could use this vector to exploit vulnerabilities in game engines directly. The video below illustrates how integer buffer overflows in the Unreal Engine, Source
, and Steam's backup software can be exploited to run potentially malicious code.
We reached out to Valve for information on this issue but had not received any comment by press time. The problem, in this case, is that Steam's ubiquity make it a tempting exploit target. Malware authors typically target exploits they can use on as many systems as possible; Steam is easily the most popular digital distribution platform in PC gaming. This is the sort of security vulnerability that's difficult to pinpoint but important to resolve; Steam doesn't create the problem, but it provides a further avenue for hackers to exploit.
The simplest way for users to protect themselves from the vulnerability (if you know what you're doing) is to open RegEdit and navigate to "HKEY_CLASSES_ROOT\steam\shell\open\command." This field will read ""C:\Program Files (x86)\Steam\steam.exe" "%1" by default. Change this to C:\Windows\Notepad.exe, C:\Windows\Calc.exe, or any other executable you prefer. Once done, any attempt to run commands from steam:\\ will simply launch Notepad instead.
Valve has typically been proactive on Steam security and will hopefully act to patch this issue as soon as possible. Fixing the problem should be relatively simple, though the buffer overruns in specific game engines that make exploits possible are a more complicated topic. The Source engine flaws, however, are under Valve's direct control, and the engine's popularity makes it another huge target for hackers looking to hit a wide swath of users for minimal effort. Closing the Steam loopholes would, at least, reduce the chances that a malware author could put themselves in a position to take advantage of the vulnerabilities.