Vortez - Computer Hardware News & Reviews » News » October 2012 » Security researchers discover vulnerability in Steam URL protocol
Security researchers discover vulnerability in Steam URL protocol
This has the potential to be bad; very bad. Not long ago a webkit was found as part of the Ubisoft DRM and now an exploit has been found with Steam that could see an attacker potentially take over your computer.
Researchers from ReVuln point out that when Steam is installed on a computer, it is registered as a steam:// URL protocol handler which allows the client to automatically handle steam:// URLs that a user clicks in a browser.
First of all who are ReVuln.
ReVuln Ltd. is a dynamic company aiming to provide state-of-the art security research and security solutions to world-wide customers. ReVuln Ltd. is specialized in software and hardware assessment including vulnerability research for offensive and defensive security.
In one example, researchers were able to use a phony steam:// URL to initiate a reinstall command which loads a splash image supplied by the attacker. Steam is unable to handle this properly and thus an integer overflow error arises. This gives the attacker the opportunity to load malicious code directly into remote memory.
See the proof of concept video below and also read the very comprehensive document they made describing the insecurity.
Fortunately there are a few common-sense ways to protect yourself from an attack. Researchers point out that Internet Explorer 9, Chrome and Opera all display a warning in addition to either the full steam:// URL or part of it before sending the commands to the game client. Firefox also requires permission although it doesn’t show the URL nor does it give a warning. Apple’s Safari automatically executes the URL without any confirmation or warning.
It is advices that Steam users should be very careful and only click on steam:// URLs that come from a trusted source. Stay posted for more details.
Source: www.techspot.com
Tagged as: ReVuln, Steam, Security, exploit
Related Stories
31.07.2012 00:08:29: Ubisoft Uplay plugin has nasty security hole by Craig Farren
28.06.2010 16:18:55: Corsair Flash Padlock 2 Security Announcement by Connell Parr
06.11.2009 09:34:15: Ad-Aware Caters to Gamers and Entertainment Fans with New Security Solution by David Mitchelson
14.10.2009 15:50:59: New Ad-Aware Internet Security from Lavasoft Puts Power in Hands of People by David Mitchelson
02.09.2008 16:38:54: BullGuard Teams with SteelSeries to Introduce Advanced Security for Gamers by David Mitchelson
28.06.2010 16:18:55: Corsair Flash Padlock 2 Security Announcement by Connell Parr
06.11.2009 09:34:15: Ad-Aware Caters to Gamers and Entertainment Fans with New Security Solution by David Mitchelson
14.10.2009 15:50:59: New Ad-Aware Internet Security from Lavasoft Puts Power in Hands of People by David Mitchelson
02.09.2008 16:38:54: BullGuard Teams with SteelSeries to Introduce Advanced Security for Gamers by David Mitchelson
Post New Comment
Click here to post a comment for this news story on the message forum
« Google 3rd Quarter Profits Slump 20%; Shares Suspended · Security researchers discover vulnerability in Steam URL protocol
· ASUS GeForce GTX 650 Range, Now With Pandaren Monk »
