Security firm ReVuln has analysed the browser protocol that Steam servers use to execute commands via users' browsers. During the analysis, the company's researchers discovered security issues that could potentially allow attackers to infect PCs with malicious code such as spyware.

Among other things, Valve's Steam platform is used to distribute games and also functions as a central hub of the company's digital rights management concept. During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games, for example via:

steam://run/id/language/url_encoded_parameters

In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system via a batch file that they had created in the autostart folder. Popular games such as Half-Life 2 and Team Fortress 2 use the Source engine and are distributed through Valve's Steam platform. In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer.

Browsers such as Internet Explorer, Chrome and Firefox display an alert when steam:// URLs are called; only Safari passes them on without any warning. In their "Steam Browser Protocol Insecurity" report, the researchers also discuss ways of bypassing these alerts or at least hiding "the dodgy part of the URL".
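
The following Python code is an added example, not taken from the ReVuln report or from Valve. It splits steam://run URLs into the fields of the format shown above, percent-decodes the parameter field so that a reviewer sees the text the game would receive, and rejects any link that carries parameters. The allow/block policy, the assumption that the id is numeric, and the sample links are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Finds steam:// links in arbitrary text such as HTML, mail or proxy logs.
STEAM_LINK = re.compile(r"steam://[^\s\"'<>]+", re.IGNORECASE)

def parse_steam_run(url):
    """Split steam://run/id/language/url_encoded_parameters into fields.

    Returns None for anything that is not a steam://run URL.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "steam":
        return None
    parts = rest.split("/", 3)          # parameters may themselves contain "/"
    if parts[0].lower() != "run":
        return None
    parts += [""] * (4 - len(parts))    # language and parameters are optional
    _, app_id, language, raw = parts
    # Decode once so the reviewer sees the text the game would receive.
    return {"id": app_id, "language": language, "parameters": unquote(raw)}

def verdict(url):
    """Assumed policy: a web link may start a game but not supply arguments."""
    fields = parse_steam_run(url)
    if fields is None:
        return "ignore"                 # other steam:// commands: out of scope
    if fields["parameters"] or not fields["id"].isdigit():
        return "block"
    return "allow"

def scan(text):
    """Return (url, verdict, decoded parameters) for each steam:// link."""
    results = []
    for match in STEAM_LINK.finditer(text):
        url = match.group(0)
        fields = parse_steam_run(url) or {"parameters": ""}
        results.append((url, verdict(url), fields["parameters"]))
    return results

# Constructed sample page; the option name is a placeholder, not a real switch.
SAMPLE_HTML = (
    '<a href="steam://run/12345">Play</a> '
    '<a href="steam://run/12345/english/%2Dexample%5Foption%20value">Free item</a>'
)

if __name__ == "__main__":
    for url, decision, params in scan(SAMPLE_HTML):
        print(f"{decision:6} {url}  decoded parameters: {params!r}")
```
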

This means that the Steam platform potentially presents a significant risk for PCs – this includes Windows PCs, and especially Macs, where the default Safari browser directly executes the Steam URLs. While Valve is working on a version of the Steam game distribution platform for Linux, the software is not yet publicly available; however, the company plans to release a limited beta in the coming weeks.

Considering that a new 0-day exploit seems to be found whenever someone examines the popular gaming platforms for security issues, gamers should seriously consider their options in terms of separating their entertainment from their sensitive data. Running a dedicated gaming PC on a separate network offers the best protection, but it also requires considerable effort and expense. A second instance of Windows on the same PC is not quite as safe, but it does considerably reduce the attack surface. At the very least, gamers could set up a dedicated gaming account with restricted privileges.

ReVuln is a company that sells information about unpatched security issues to businesses and governments; therefore, one of its paying customers may well already be in possession of functioning exploits for the Steam platform.

(crve)