Zero-day security hole found in Steam

Valve’s Steam distribution-cum-social-gaming platform receives adulation from most PC gamers, but its security track record could be better. Last year, Steam servers were hacked, and an encrypted database containing user information was leaked. Now, security site The H reports that Steam is vulnerable to a zero-day exploit.

The problem lies with steam:// URLs, for which the Steam client app registers itself as the protocol handler upon installation. You can see steam:// links all over the Steam store; they usually open up the client to a specific page, but according to The H, they can also be used to launch games and connect to multiplayer servers, passing arguments to the game in the process.

In the simplest case, an attacker can use [the URL protocol] to interfere with the parameters that are submitted to the program. For example, the Source engine’s command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system via a batch file that they had created in the autostart folder. Popular games such as Half-Life 2 and Team Fortress 2 use the Source engine and are distributed through Valve’s Steam platform. In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer.

Until Valve can address the vulnerability, The H recommends that folks game on a "dedicated gaming PC on a separate network." Failing that, installing a copy of Windows on a separate partition and keeping your games there provides some measure of safety.
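The attack described above works because a steam:// launch link can smuggle command-line arguments (such as the Source engine's con_logfile option) into a game process. A defender who proxies or filters links, for example in a corporate web gateway or a browser extension, can triage steam:// URLs before they ever reach the handler. The following Python is an added example written for this page; it is not code from The H, ReVuln or Valve. It assumes the launch-style URL layout `steam://<command>/<target>//<arguments>`, and its allowlist of navigation commands and list of suspicious argument patterns are illustrative assumptions, not an official Valve list.

```python
import re
from urllib.parse import unquote

# Assumed allowlist: commands that only navigate inside the Steam client and
# never start a game process. (Illustrative, not an official Valve list.)
SAFE_COMMANDS = {"store", "url", "open", "friends", "nav", "settings", "advertise"}

# Commands that start a game or connect to a server and therefore can hand
# arguments to a game engine, the vector the article describes.
LAUNCH_COMMANDS = {"run", "rungameid", "runsafe", "connect"}

# Argument fragments a defender would want flagged: engine logging redirection
# (con_logfile / -condebug, named on the page), absolute or traversing paths,
# and executable file types.
SUSPICIOUS_ARG_PATTERNS = [
    re.compile(r"con_logfile", re.I),
    re.compile(r"-condebug", re.I),
    re.compile(r"[a-z]:\\", re.I),              # absolute Windows path
    re.compile(r"\.\./"),                      # directory traversal
    re.compile(r"\.(bat|cmd|exe|ps1|vbs|js)\b", re.I),
    re.compile(r"startup|autostart", re.I),    # autostart folders
]


def classify_steam_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for a single link.

    Verdicts: not-steam, navigate, launch (no extra args), review (args that
    match nothing known), suspicious (args that match a known tell-tale),
    unknown (command not in either assumed list).
    """
    decoded = unquote(url).strip()
    if not decoded.lower().startswith("steam://"):
        return ("not-steam", "scheme is not steam://")

    body = decoded[len("steam://"):]
    # Assumption: a double slash separates the target from extra arguments.
    target, _, args = body.partition("//")
    command = target.split("/", 1)[0].lower()

    if command in LAUNCH_COMMANDS:
        if not args:
            return ("launch", f"{command} without extra arguments")
        for pattern in SUSPICIOUS_ARG_PATTERNS:
            if pattern.search(args):
                return ("suspicious", f"launch argument matches {pattern.pattern!r}")
        return ("review", f"{command} passes arguments to a game: {args!r}")

    if command in SAFE_COMMANDS:
        return ("navigate", f"client navigation command {command!r}")
    return ("unknown", f"unrecognised command {command!r}")


def triage(urls):
    """Classify a batch of links, returning {url: verdict}."""
    return {u: classify_steam_url(u)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample links, not taken from any real page.
    samples = [
        "steam://store/440",
        "steam://run/440",
        "steam://run/440//-novid",
        "steam://run/440//+con_logfile%20C:\\example\\log.bat",
        "https://example.com/not-steam",
    ]
    for link, verdict in triage(samples).items():
        print(f"{verdict:10s} {link}")
```

In a gateway this would sit in front of the handler: "navigate" links pass, "launch" links pass or prompt depending on policy, and "review"/"suspicious" links are blocked and logged, which is the check the browser warning in other browsers approximates and Safari (per the comments below) skipped.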

Comments closed
    • aim18
    • 7 years ago
    • MadManOriginal
    • 7 years ago

    All I care about is what do I need to do to avoid this until it’s fixed without going to the extreme of having a second OS install.

    Can I run the Steam application itself with no worries? I am guessing yes, since it sounds like the vulnerability depends upon regular web browsers and Valve’s servers haven’t been hacked.

    OR – is this such a basic vulnerability that even links in the Steam application which are created by Valve and go to other pages in the Steam application are vulnerable?

    Should I just not click on any external links in the Steam application which then open a web browser window to avoid exploits? (ex: metacritic reviews)

      • indeego
      • 7 years ago

      FAQ
      Is this a Windows-only issue?
      – No. If you can install and run Steam on your OS then you are vulnerable.
      Is this a browser-only issue?
      – No. Anything that is able to process common URL links can be used as a trigger.
      Is this a Safari-only issue?
      – No. Safari is just one of the possible triggers.
      Will browsers always show a warning/popup to the user?
      – No. Users can suppress the warning for steam:// links by using the browser settings. This is quite common for gamers that use the Steam protocol to join online game servers.
      Are the issues related only to the four games you listed?
      – No. Games usually share the same engine (i.e. Source Engine, Unreal Engine, and so on), so an engine related bug affects several games.
      Did you test all the games available on Steam?
      – No. Our only purpose was to detail the Steam Browser Protocol issues. Moreover with our examples we covered two different engines (Source and Unreal) and two well known MMOs.
      Is the retailinstall issue remotely exploitable?
      – Yes.
      Does the victim user have to click on a malicious steam:// link?
      – No. In fact all the links used in our PoC video point to normal HTML pages.
      Does the victim user always see the real link shown in the browser status bar?
      – No.
      Are users using only the Steam browser safe?
      – No. As demonstrated in the YouTube bouncing scenario.

      I can’t replicate some of the bugs shown in the video. Why?
      – Because after our public paper, Valve has just limited the con_logfile command and APB has just removed a legacy command.

    • Sam125
    • 7 years ago

    Look on the bright side. You steam users might get something out of it. When the Playstation Network was hacked, everyone received two free games. Granted, aside from Dead Nation the free games weren’t all that great but hey, you don’t look a gift horse in the mouth.

    Also, as a side note: X-COM:EU is amazingly fun. (I have the PS3 version) I think it’s at least as good as the original although the tactical aspect really has been streamlined or dumbed-down depending on how you want to look at it and the strategic part of the game is much more constrained but quite a bit deeper than the original. However, if you like to micromanage everything like in the original then you’ll hate the new X-Com as the new UI and changes to the game have made micromanaging really unnecessary.

    • yogibbear
    • 7 years ago

    ” Failing that, installing a copy of Windows on a separate partition and keeping your games there provides some measure of safety.”

    And. Breathes sigh of RELIEF. Doesn’t everyone do this?

    Cum-on SSDs BABY!

      • rrr
      • 7 years ago

      I don’t cum on any of my hardware, but whatever floats your boat.

    • yogibbear
    • 7 years ago

    This techreport-cum-sausagefest verbiage is putting me off. Seriously is that grammatically correct and I’m just being a prude or what?

      • ludi
      • 7 years ago

      It is Latin, it is an ordinary conjunction, and it is usually pronounced with a slight vowel inflection (about halfway between “coom” and “cohm”). You may have most recently heard it at a graduation ceremony, for example, “magna cum laude” (with highest honors).

      Of course, now that The Internet has completely spoiled the word with an unrelated use, nobody knows that.

      • Spotpuff
      • 7 years ago

      First ars, now techreport.

      • indeego
      • 7 years ago

      You should go to a salon and get a facial and freshen up. It’ll put you in a better mood.

    • Shambles
    • 7 years ago

    The real question is why are people using safari in the first place? The other browsers all warn you when trying to run steam:// URLs. It’s only safari that lets this run silently.

    • Walkintarget
    • 7 years ago

    Is this the hack that gives us all free games at the Steam store, just like what happened to EA earlier this week ??

    🙁 Sorry, I had to do that.

    Now, with that out of the way … until Valve patches this, I will just play some games that I bought retail and registered via Steam. I have a non-Steam shortcut for many of those games, so that is entirely safe to use. The video does leave many of the details out, but it really was only a matter of time … they are such a big, juicy target.

    • Glix
    • 7 years ago

    Can’t believe there isn’t as big an outcry as there was against Ubisoft.

    It is the exact same vulnerability with which EVERYONE(media included) bashed on Ubisoft for doing.

    “Ubisoft DRM exploit opens PCs to security risk”
    “Major security vulnerability discovered in Ubisoft UPlay DRM”
    “Ubisoft UPlay has serious security vulnerability”
    TR: “Ubisoft DRM allegedly installs backdoor”

    Compared to: “Zero-day security hole found in Steam”

    It’s the same malicious vector used, in which the user has to use a dodgy link in order to exploit the vulnerability (or be forced to click through JS). Dons flame proof coat. :p

      • sweatshopking
      • 7 years ago

      are you suggesting there might be bias or double standards in the highly opinionated tech world?

      • HisDivineOrder
      • 7 years ago

      Hm. I’ll tell you why I’m not as angry. Steam has given me a lot of awesome games for awesome prices over the years, has reinvigorated PC gaming across the board when MS left it to die, and Valve as a company has been wholly awesome in so many different and yet awesome ways. Awesome in awesome ways.

      Ubisoft on the other hand has a known history of being crap. They tried to lock people out of their own game based only on the fact they lost their ISP for a second. They would rather torture their paying customers than accept a few pirates got their title (messed up priorities there) and they were one of the first publishers to move to the $60 PC game. Their UPlay is crap with crap configuration tools (you can’t even change your user name after they transferred a lot of old users from their store to their new system, resulting in people getting unique names like Store1222020 instead of a user name of their choosing). They have a tendency to badmouth PC gaming in public while making all that money on the side and rather conveniently forgetting they ever made that money, considering PC gaming in public a hole in their boat, leaking money. If Ubisoft had their way, they’d stop making PC titles based on their management’s opinions, yet they keep right on making PC titles, just delaying them six months or so to keep them from affecting their numbers. Yet PC piracy is what kills every title regardless of when it was released. If their latest game sold poorly, IT MUST BE PC PIRACY TO BLAME!

      It’s like giving Valve a break for missing something after doing so many great things versus me not giving Ubisoft the benefit of the doubt because they’ve done nothing BUT things like this. That’s why there’s a double standard. One company has earned the scorn after many years of trying to piss me off. The other company invented Steam sales, invented an achievement system for PC before MS realized that PC gaming would not piss off and die, and practically invented the PC indie scene again.

      Are you telling me you don’t take what someone’s done before they made a mistake in account when comparing what they’ve done to someone else? Ubisoft has a known history of doing crap and they deserve all the scorn they got. Valve, I’ll cut ’em a break. We got a Steam sale coming soon for Halloween, another Steam sale for BF 3 weeks after that, and then the biggest Steam Sale for 2012 a few weeks after that.

      When Ubisoft has given me a few more games and updates their damn profile to let me change my user name from Store(Random Numbers), then I might give them some slack. Until then, their history leaves me very unforgiving because theirs is a history of crap just like this.

        • Glix
        • 7 years ago

        I do, and I also remember the outcry when Steam came along.

        Everyone’s experience of Steam varies, granted.

        However, this and the recent EULA are steadily steering me away from Steam. I don’t see a reason to be attached to client side applications.

        Would be nice if they started taking steps of minimising Steam or a Steam Lite version. I don’t touch the community stuff, and not sure why Steam needs these extra (potential backdoors) features added.

      • The Egg
      • 7 years ago

      This isn’t anywhere near the “exact same” as Ubisoft. Ubisoft’s vulnerability was due to overzealous DRM which installed a browser plugin without the user’s knowledge. Ubisoft exposed the user in the name of being obtrusive and nefarious, while Steam’s vulnerability was nothing along those lines.

      • superjawes
      • 7 years ago

      I like SSK’s comment…

      But unlike Ubisoft, Valve/Steam hasn’t been nearly as intrusive with DRM. With Ubisoft, gamers had already been abused for years under the banner of anti-piracy, and after all that, it was the same Ubisoft DRM that caused a major vulnerability. Steam does a much better job of providing more functionality with the DRM and has been fairly good toward gamers. That’s why they will largely get a free pass for stuff like this.

      • Game_boy
      • 7 years ago

      Steam has the same RDF as Apple had until recently. Because PC gamers are dependent on it, they will defend it from any and all criticism without regard for whether the DRM is actually needed or the program has issues. No one is ‘anti-Steam’, but it is a legitimate position.

      When was the last time Valve talked about a video game? All I hear is about non-game software, movie makers, Big Picture, Valve console, hollow talk about ‘business models’ like ‘free to play’ and sales economics.

        • BobbinThreadbare
        • 7 years ago

        CS:GO came out just 3 months ago.

          • Game_boy
          • 7 years ago

          I said talked. The game was put out to no hype, no sales, and no success on the Esports/tournament thing Valve was pushing for.

          Valve aren’t hyping their games, they’re hyping non-games and nebulous business model BS.

      • RandomGamer342
      • 7 years ago

      Steam needs you to click yes after opening the link unless you’re using safari, ubisoft relied on a secret browser plugin.

      Oh, and ubisoft’s had access to every file on your system, while this steam one is a bypass requiring another one to do true damage

      The severity of both of them are quite different.

      (The steam one uses an exploit as well, the ubisoft one was just shoddily programmed and ran whatever the heck you threw at it without checking for misuse AT ALL)

    • Arclight
    • 7 years ago

    This is zero day vulnerability? I thought the term applies only for software that will never be patched. I expect Valve to fix this in the near future since vulnerability has been made public.

      • Glix
      • 7 years ago

      No… zero day means the vulnerability has existed since product launch and has never been addressed.

        • Arclight
        • 7 years ago

        “No… zero day means the vulnerability has existed since product launch and has never been addressed.” (quoting Glix)

        Yes, I understand but I thought that it also has to never be fixed in order to qualify (since the manufacturer doesn’t have any plans to do so, like for industrial software used in factories and such).

          • ColeLT1
          • 7 years ago

          Glix is right, zero day means that an attack happened on day 0 of knowledge of the hole.

          • khands
          • 7 years ago

          I’ve always understood it as something that hasn’t been addressed yet but has always existed, not that it will never be addressed, I’m sure some one at Valve will fix it.

      • stdRaichu
      • 7 years ago

      A zero-day exploit refers to something that is already being actively exploited before the vulnerability is identified. i.e. there are zero days in between detection of the vulnerability and the first known exploit.

    • The Egg
    • 7 years ago

    It’s frustrating that neither this, nor the linked article explain exactly how an attack is carried out. After reading, it’s my assumption that a user would need to click a malicious "steam://" URL and then ignore the browser warning. Rather than completely disconnect all gaming PCs from the internet for an undisclosed length of time (and face future vulnerabilities even after a patch), wouldn’t it be easier to just disassociate the steam:// protocol from opening Steam??

      • Ryu Connor
      • 7 years ago

      Unfortunately the Steam browser protocol is a fundamental piece of how Steam operates. It can’t simply be removed.

        • Duck
        • 7 years ago

        No it isn’t! I was about to say how I don’t even want or use it as it is. I’m sure it can be removed too with no ill effects.

        For me, games are bought through Firefox. Steam is launched via a Windows shortcut. Games can then be installed or launched from Steam. I would have thought that was true enough for most Steam users.

          • Ryu Connor
          • 7 years ago

          “STEAM BROWSER PROTOCOL. Steam, like other software, uses its own URL handler to enhance experience by integrating web-based functionality directly in its own platform. Steam uses the steam:// URL protocol in order to:
          • Install and uninstall games
          • Backup, validate and defrag game files
          • Connect to game servers
          • Run games
          • Reach various pages and sections where it’s possible to buy or activate games, download tools, read news, check user profiles and so on”

          “Does the victim user have to click on a malicious steam:// link?
          – No. In fact all the links used in our PoC video point to normal HTML pages.”

          “Is this a browser-only issue?
          – No. Anything that is able to process common URL links can be used as a trigger”

          It is a fundamental piece of Steam. It cannot simply be removed.

            • superjawes
            • 7 years ago

            fundamental*

            And: OneDoesNotSimplyRemoveSteamBrowserProtocol.jpeg

            • Duck
            • 7 years ago

            Bah! It never used to be like this even when Steam had steam:// links going on. I realized this after reinstalling Windows and simply copying over the Steam folder. Everything worked fine despite the steam:// protocol not being registered on the system.

            • Ryu Connor
            • 7 years ago

            I see now. A point of confusion, we’re talking about two different things.

            The Steam browser protocol cannot be disabled or removed from Steam to fix this. (My point)

            You can disable the handler in the OS though in order to limit your vulnerability to the attack. (Your point)

            Limit is the key word though. The flaw still exists in Steam and thus can still be cleverly exploited. It is not just a “don’t click this” type of exploit.

            • BobbinThreadbare
            • 7 years ago

            To get a modified steam:// link into steam itself you would first have to hack their website, at which point you could just put a link to any arbitrary program you wanted anyways.

            • Ryu Connor
            • 7 years ago

            Don’t forget the friends wall page, community discussions, or the overlay Steam browser.

            These are all vectors inside Steam.

            • willmore
            • 7 years ago

            Or embed it in a news story that they aggregate.

      • stdRaichu
      • 7 years ago

      OK, from my understanding of the process you can do something like this:

      Malicious steam:// link to open, say, your TF2 game and connect to a server
      Shortcut includes an argument to create a logfile on your local machine (e.g. c:\autoexec.bat)
      TF2 server you’re connected to splurges out some text to the aforementioned logfile (e.g. format c:)

      • The Egg
      • 7 years ago

      Just to clarify, if I’m correct, the “steam://” protocol is only used within the Steam program. Browsing through Steam Store pages or following any link from within the Steam program isn’t a problem, because it’s a closed system limited to Valve’s servers (unless you click a link to open a developer’s webpage). The problem is when you follow a 3rd party steam:// link from a random outside website. This basically opens Steam as a web browser, for which it isn’t very robust security-wise.

      So again —and I’m not at home to test this— can’t the “steam://” protocol file association simply be removed so Steam is not opened when a “steam://” URL is clicked in a browser?

    • Chrispy_
    • 7 years ago

    Is this specific to Source-engine games or is it anything?

    My gripe with Source-engine games is that they really are a mess within the Steam folder, unlike everything else which is neatly compartmentalised into the steamapps subfolders by game name.

      • lilbuddhaman
      • 7 years ago

      Anything, it is linked to the steam platform URLs. The proof of concept video shows several non-source games.

    • Arag0n
    • 7 years ago

    First ever!

    I know I know, but I had to!

      • Chrispy_
      • 7 years ago

      You didn’t spell fsrit or evar properly 🙁

      • sweatshopking
      • 7 years ago

      well done sir! keep it up, and soon you’ll get -‘s on all your posts!!! that’s the sign of success as the envious weak shall try to undo you! don’t let them ruin your victory! fight on, my brother!

        • khands
        • 7 years ago

        May your success be as crimson as the blood of the non-first posters that were trampled on the way to your glory. (read in Christopher Lee’s voice)
