October 16, 2012, 11:14 AM — Attackers can abuse the way browsers and other applications handle steam:// protocol URLs in order to exploit serious vulnerabilities in the Steam client or games installed through the platform, according to researchers from startup vulnerability research and consultancy firm ReVuln.
Steam is a popular digital distribution and digital rights management platform for games and, since earlier this month, other software products. According to Valve Corporation, the company that developed and operates the platform, Steam offers over 2,000 titles and has over 40 million active accounts.
The Steam client can run on Windows, Mac OS X and Linux, although only as a beta version on Linux.
When the Steam client is installed on a system, it registers itself as a steam:// URL protocol handler. This means that every time a user clicks on a steam:// URL in a browser or a different application, the URL is passed to the Steam client for execution.
Steam:// URLs can contain Steam protocol commands to install or uninstall games, update games, start games with certain parameters, back up files or perform other supported actions.
Attackers can abuse these commands to remotely exploit vulnerabilities in the Steam client or the Steam games installed on a system by tricking users into opening maliciously crafted steam:// URLs, ReVuln security researchers and founders Luigi Auriemma and Donato Ferrante said in a research paper published on Monday.
The problem is that some browsers and applications automatically pass steam:// URLs to the Steam client without asking for confirmation from users, the researchers said. Other browsers do request user confirmation, but don't display the full URLs or warn about the dangers of allowing such URLs to be executed.
According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.
"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."
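A defensive sketch of the behaviour described above, added here and not taken from ReVuln's paper or from Valve: a site that renders user-supplied links can refuse schemes that would be handed to an external protocol handler, and make space padding visible instead of relying on the browser's prompt. The allow-list, the padding threshold and the sample URLs (which use a placeholder path, not real Steam commands) are assumptions.

```javascript
// Added example; allow-list, threshold and sample URLs are assumptions.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const PADDING_RUN = 4; // assumed: this many consecutive spaces counts as padding

// Decode %XX escapes without throwing on malformed sequences.
function decodeLoosely(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decide whether an href from untrusted content may be rendered as a link.
function classifyLink(href) {
  // URL parsers drop tabs and newlines, so drop them before reading the scheme.
  const cleaned = href.replace(/[\t\r\n]/g, "").trim();
  const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  if (!match) return { verdict: "allow", reason: "no scheme (relative link)" };

  const scheme = match[1].toLowerCase();
  if (ALLOWED_SCHEMES.has(scheme)) {
    return { verdict: "allow", scheme, reason: "allowed scheme" };
  }

  // Anything else would be handed to an external protocol handler.
  const decoded = decodeLoosely(cleaned);
  const padded = new RegExp("\\s{" + PADDING_RUN + ",}").test(decoded);
  return {
    verdict: "block",
    scheme,
    reason: padded
      ? "external handler scheme with whitespace padding"
      : "external handler scheme",
    // Collapse long whitespace runs so the tail is visible in logs and review.
    display: decoded.replace(/\s{2,}/g, (run) => `[${run.length} spaces]`),
  };
}

// Constructed samples; "command/arg" is a placeholder, not a real Steam command.
const SAMPLES = [
  "https://example.com/store",
  "steam://command/arg",
  "steam://command/arg" + "%20".repeat(40) + "hidden-tail",
];

function screenSamples() {
  return SAMPLES.map((href) => classifyLink(href));
}

console.log(screenSamples());
```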