Steam uses insecure, out-of-date Chromium browser
Valve has integrated a custom version of the Chromium web browser in its Steam client that displays web content to Steam users.
If the past couple of weeks have shown anything, it is that custom Chromium or Chrome versions are a security risk more often than not.
Google analyzed third-party implementations of its Chromium browser recently, and came to the conclusion that they made user systems less secure despite claiming the opposite.
The main reason for this was that companies disabled security features of the Chromium browser, or circumvented them.
Valve's Steam client uses a custom version of Chromium as well, and it turns out that this version is also insecure.
Chromium Embedded Framework (CEF) is an extension of the Chromium browser rendering engine, an open-source project which is a component of Google Chrome.
The Steam client on Windows and OS X uses a customized version of CEF to render web content.
The chromium browser on steam is based on version 47, a vulnerable and out of date version.
Chromium runs with --no-sandbox by default on steam.
The most recent version of Chromium is version 50 currently, which means that the chromium browser used by Steam is out of date.
Google fixed several security issues in these newer versions of Chromium leaving the Steam version of the browser vulnerable to them.
The sandbox, enabled by default in Chromium, allows for the creation of sandboxed processes which run in restrictive environments. The sandbox protects the underlying system and data on it among other things from malicious processes.
Chrome users can use the parameter --no-sandbox to disable the sandbox in Chrome, but doing so removes its protective features and leaves the system wide open for attacks.
Both bugs have been recognized by Valve, and a user has been assigned to each of them. A target milestone is not listed yet though and there is no indication when the security issues will be fixed by Valve.
Steam users should consider using an external up-to-date web browser for the time being instead of the built-in Steam web browser until the issues are fixed by Valve.
Rob Joyce, chief of the NSA's Tailored Access Operations (TAO) mentioned recently that Steam is a popular attack vector.