Steam uses insecure, out-of-date Chromium browser
Valve has integrated a custom version of the Chromium web browser in its Steam client that displays web content to Steam users.
If the past couple of weeks have shown anything, it is that custom Chromium or Chrome versions are a security risk more often than not.
Google analyzed third-party implementations of its Chromium browser recently, and came to the conclusion that they made user systems less secure despite claiming the opposite.
The main reason for this was that companies disabled security features of the Chromium browser, or circumvented them.
Valve's Steam client uses a custom version of Chromium as well, and it turns out that this version is also insecure.
Chromium Embedded Framework (CEF) is an extension of the Chromium browser rendering engine, an open-source project which is a component of Google Chrome.
The Steam client on Windows and OS X uses a customized version of CEF to render web content.
A user reported his findings on the official Valve Software Github repository, stating that the built-in version of Chromium was outdated and running without sandbox.
The chromium browser on steam is based on version 47, a vulnerable and out of date version.
Chromium runs with --no-sandbox by default on steam.
The most recent version of Chromium is version 50 currently, which means that the chromium browser used by Steam is out of date.
Google fixed several security issues in these newer versions of Chromium leaving the Steam version of the browser vulnerable to them.
The sandbox, enabled by default in Chromium, allows for the creation of sandboxed processes which run in restrictive environments. The sandbox protects the underlying system and data on it among other things from malicious processes.
Chrome users can use the parameter --no-sandbox to disable the sandbox in Chrome, but doing so removes its protective features and leaves the system wide open for attacks.
Both bugs have been recognized by Valve, and a user has been assigned to each of them. A target milestone is not listed yet though and there is no indication when the security issues will be fixed by Valve.
Steam users should consider using an external up-to-date web browser for the time being instead of the built-in Steam web browser until the issues are fixed by Valve.
Rob Joyce, chief of the NSA's Tailored Access Operations (TAO) mentioned recently that Steam is a popular attack vector.
Martin, thanks for the link to enigma 2016 and Rob Joyce. It’s a very illuminating read.
Reference Steam vulnerabilities, does Valve ever test its software ??
Why should they..? They have monopoly power over PC gaming…
No, they don’t. They are the major player in this field, but not the ONLY player.
“does Valve ever test its software ??”
Does testing sell more virtual hats/costumes/crates/whatever? Yes/No
Does having proper customer-support sell more virtual hats/costumes/crates/whatever? Yes/No
Does having up-to-date software sell more virtual hats/costumes/crates/whatever? Yes/No
I think we know the answers with regard to Valve.
Every time Valve test their software, they gain +1 Experience .. true story
they do. theres a public beta available weeks ore sometimes months before release for every update.
to fix the hole, the one could try upgrading his or her Chromium client to the latest version of it manually. As for security, after all, Steam is e-distribution platform: you have to be careful when making a deal with other users on the site.
Why would anyone use the browser from Steam for something else than browsing Steam site? That reduces that attack surface a lot, IMO…
It’s useful for the odd in-game google search as well. FAQs, etc.
I never use it to access sites that are not part of Steam, but I know quite a few users who use it while in game to browse websites.
One can always rely on Steam to bring out the drama queens.
Hi, the latest STABLE Chromium is 48, not 50. I think you are looking at the trunk which is not intended for general widespread usage. The latest STABLE version of Chromium will always match the Stable Chrome version (which is 48).
[Edit: Looks like according to https://cefbuilds.com/#branch_2526 the latest stable CEF is 47, which is lagging behind Chromium. Not Valve’s fault.]
So it’s insecure because it doesnt use the latest version released 5 days ago? xD
Regardless of the version (I guess somewhere, someone made a mistake re v47 (probably the stable at the time) vs v50), it is running with the –no-sandbox argument. I have no idea why Valve would do that, maybe there’s a technical reason
Never expected the browser inside steam as safe.
Why should it be?
This is actually worse than described, when you connect to game servers (Valve source games at least, which are the most popular and some free) they display a web page, also called MOTD (message of the day). Server admin’s (which can be absolutely anyone) can send you to any web page of their choosing, such as their own home made exploit page. So if you start winning vs an admin, there’s nothing stopping them giving you a virus. Great. Cryptolocker, keylogger or VAC banned cheat anyone…?
It’s a popular attack vector, because Steam doesn’t give a crap about it’s users at all. It’s extremely evident in the lack of responses to users in their forums to address real issues like this.
I know right? I’ve been VAC banned in the past because of their insecure browser. I tried technical support and they said it was my fault. Is it my fault they’re using an outdated browser? Is it my fault that their technical support is crap? HELL NO! IT’S THEIR FAULT FOR NOT TAKING PRECAUTIONS SO THEIR USERS ARE PROTECTED!