Feeds

back to article Steam spawns vulnerabilities, say researchers

A new security research outfit called ReVuln has presented its letter of introduction to the world in the form of a paper that analyses how the Steam protocol can expose gamers to attacks. In this document (PDF), the company analyses what happens when a URL using the protocol steam:// is redirected. Of the major browsers, …

COMMENTS

This topic is closed for new posts.
Silver badge
Megaphone

fan boi post warning

CS GO rules and Steam still is the only DRM I would ever let near any of my computers. They will resolve the issues I am sure. That is all.

4
4
Anonymous Coward

And they want to bring it to Linux ?!

WTF?

0
1
Thumb Up

Re: And they want to bring it to Linux ?!

Why not! The linux power users will find loads of these vulnerabilities and valve will be swamped with bug reports. The platform will have its security and stability improved across all platforms as a result.

The Unreal Engine bugs arent valves problem anyway, its upto the engine devs to fix those vulnerabilities

4
0
Anonymous Coward

Re: And they want to bring it to Linux ?!

True, if Linux had an accepted gaming and drm platform it may actually become popular and unhinge Microsoft's dominance!

4
0
Anonymous Coward

@Robert Heffernan - Re: And they want to bring it to Linux ?!

Wrong answer! DRM + DMCA will prevent anyone from looking at those vulnerabilities. And why should the Linux community work to improve that "platform" which will severely limit their freedoms ? Any particular incentive ? You don't seem to know much about Linux power users do you ?

0
0
Anonymous Coward

@AC 02:43GMT - Re: And they want to bring it to Linux ?!

If DRM is the price to pay for becoming popular then no, thank you very much. Crippling Linux to make it popular is a no go for me. As for Microsoft dominance, I'm not losing any sleep on that.

3
1
Anonymous Coward

Re: @AC 02:43GMT - And they want to bring it to Linux ?!

In what way does providing a DRM platform to allow wide spread deployment of commercial applications "crippling linux" ... I think you need to learn more about the system you're using and the difference between application/desktop manager/kernel/generic application suite.

Saddly you strike me as the kind of person who'd like any band as long as it was "underground" and then rage when they "sell out" and become "commercial." Even if the band was rubbish to start with.

2
0
Silver badge

Half-life And Counter-Strike run on GoldSrc not Source.

The Steam web browser can only be forced to redirect to a malicious page if the command comes from a page hosted at one of Valve's domains because it's hard coded. I'm no security expert but I'd guess that means you'd either need to break into their servers, hijack their domain or (possibly, I'm not sure,) use XSS.

The reinstall feature will only work with local backups so you'd need to get your files onto the computer some other way before you could use the integer overflow vuln. If you can already remotely drop files onto a computer why would you need this Steam exploit? Privilege escalation? Surely Steam doesn't run as Admin?

The Unreal Engine is not maintained by Valve.

2
0
Anonymous Coward

doesn't steam use webkit nowdays anyway?

on an interesting note, wouldn't you be able to get files onto the local machine using a game like counter strike as those auto download mods (which is far preferable to any of the alternatives...) but games are bound to be full of exploits - but you know what bugger it. Computers are full of exploits and there's not much we can do about it. Except not using computers I suppose.

2
0

Indeed...

I uninstalled Java a few weeks ago because of the security issues, then re-installed it because I really, really wanted to play Minecraft (sigh)

2
1
Silver badge

I'm with Fibbles on this. Most of these vulnerabilities seem like pretty weak sauce.

2
0
Bronze badge
Thumb Up

Half-life And Counter-Strike run on GoldSrc not Source.

Yes, considering they only posted a half life story today shocking mistake to make.

"Half-life And Counter-Strike run on GoldSrc not Source."

0
0
Mushroom

Scary range of vulnerabilities

What is scary here is the range of vulnerabilities that the researchers have found in the Steam software. What started off as abuse of the URI handler then went on to code execution through an integer overflow vulnerability in the parsing of images. There are a range of vulnerabilities and Steam have alot of work to address this and give us re-assurances that they are taking steps to develop secure code. They haven't been keen on using compiler defensive technologies (ASLR, DEP, stack cookies) because of performance reasons but they are making a trade off when it comes to security.

1
0
FAIL

Not the only problem

I have a Steam account, bought a game through them because it was the cheapest option. Doing it that way annoyed me so I bought the stand alone desktop version of the game and forgot about Steam. Then about 2 months ago I start to get alert emails from them with a link to click to reset my password, someone is trying to access my account. Annoying but since I no longer want it I ask Steam if they will kindly delete my account and why. They are apparently utterly unable to delete an account so I have a Steam account until the day I die.

Fuckwits.

1
2
FAIL

Re: Not the only problem

What annoyed you about it? Was it the simplicity of the purchase, the automatic updates and patches, or the ability to contact friends for easy multiplayer gaming?

Yes, getting emails about your account being locked is annoyed, but that's why we have email filters and rules.

3
2
Trollface

Re: Not the only problem

1: Download TF2

2: Add a selection of cheats such as aimbots for TF2.

3: Go on a VAC secured server and blatantly cheat.

4: Get naughty stepped.

5: Repeat steps 3 through 4 until Valve suspend your account permanently.

6...

7. PROFIT

0
0

Re: Not the only problem

Hurray for automatic updates. Like the one for Civ V a few months ago that irreversibly corrupted all saved games? That's progress!

Hurray for being able to contact friends. It's amazing that the internet existed for so long without Steam - how on Earth did people communicate?

1
1
Anonymous Coward

Re: Not the only problem

With nuclear weapons?

Anyway it isn't steams fault Firaxis released a crap patch, and if you're the kind of person that doesn't auto install updates and instead waits to see what the forum says (these people don't really exist there are two kinds of patchers those who auto patch and those who patch when they find something horribly broken) just turn off the auto update management. It's not rocket science.

1
0
Silver badge
Thumb Up

Re: Not the only problem

What I like about steam other than obviously my addiction to CS is the fact that you can buy games on steam and 5 years from now install the client on another machine and boom you have all the games you purchased right there no finding long lost DVDs etc. This was a pleasant surprise for me when I installed the steam client on my Mac and was able to download the majority of the games I had purchased years ago for my old PC (obviously some games never ported to Mac).

1
0
Bronze badge

Re: VAC

Getting VAC banned is not going to delete the Steam account. It simply flags it as a VAC banned user.

Contacting Valve support and requesting they delete the data is more likely to succeed. Especially if you mention your local privacy laws (or theirs).

0
0

Re: Not the only problem

Yes, you can disable automatic updates. In fact, you need to for the reason mentioned above. Which completely negates the original point.

0
0

Re: Not the only problem

The game I was playing on Steam is also movable from machine to machine. Even if you lose everything an email will give you a registration code and you are away again, though your save games will not be. DVD? with a game on? what be that? Does not compute.

0
0
This topic is closed for new posts.