Security researchers from ReVuln have discovered a zero-day vulnerability in Valve’s Steam browser protocol. The flaw lets an attacker remotely exploit bugs in the Steam client or directly in games, which can ultimately be used to run malicious code on the target PC.
Researchers point out that when Steam is installed on a computer, it is registered as a steam:// URL protocol handler. This allows the gaming client to automatically handle all steam:// URLs that a user clicks in a browser.
Valve developed the protocol to be used in places such as the Steam Web Store to perform various tasks like installing or uninstalling a game, updating titles or even launching a game with special parameters.
If an attacker can trick an unsuspecting gamer into clicking a maliciously crafted steam:// URL, they can then take advantage of vulnerabilities in the Steam client or in Steam games.
In one example, researchers were able to use a phony steam:// URL to initiate a reinstall command which loads a splash image supplied by the attacker. Steam is unable to handle this properly and thus an integer overflow error arises. This gives the attacker the opportunity to load malicious code directly into remote memory.
Fortunately, there are a few common-sense ways to protect yourself from an attack. Researchers point out that Internet Explorer 9, Chrome and Opera all display a warning, along with either the full steam:// URL or part of it, before sending the commands to the game client. Firefox also asks for permission, although it neither shows the URL nor gives a warning. Apple’s Safari automatically executes the URL without any confirmation or warning.
Until Valve can issue a fix for the exploit, it’s best to remain vigilant and only click on steam:// URLs that come from a trusted source.
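For reviewing a web page or HTML e-mail before trusting its links, the following added example (not code from the article or from ReVuln) lists every steam:// URL found in any tag attribute, together with the command and argument it would pass to the Steam client. The function name, the sample HTML and the app ID 12345 are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# "steam:" plus up to two slashes; URL schemes are case-insensitive.
# The lookbehind avoids matching longer scheme names that end in "steam".
STEAM_URL = re.compile(r"(?<![a-z0-9+.\-])steam:/{0,2}[^\s\"'<>]+", re.I)


class _SteamLinkFinder(HTMLParser):
    """Collects steam:// URLs from every attribute of every tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            for match in STEAM_URL.finditer(value or ""):
                url = match.group(0)
                rest = url.split(":", 1)[1].lstrip("/")
                command, _, argument = rest.partition("/")
                self.findings.append({
                    "tag": tag, "attr": attr, "url": url,
                    "command": command.lower(),
                    # Decode percent-escapes so a reviewer sees the real argument.
                    "argument": unquote(argument),
                })


def find_steam_urls(html):
    """Return one finding per steam:// URL in the HTML, in document order."""
    finder = _SteamLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; 12345 is a placeholder app ID.
SAMPLE_HTML = """
<a href="steam://run/12345">Play now</a>
<iframe src=" STEAM://install/12345"></iframe>
<meta http-equiv="refresh" content="0;url=steam://run/12345/%2Fdemo">
<a href="https://example.com/">Unrelated link</a>
"""

if __name__ == "__main__":
    for f in find_steam_urls(SAMPLE_HTML):
        print(f"<{f['tag']} {f['attr']}> {f['command']} {f['argument']!r}")
```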