Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in the Steam client and their installed games exploited, reports Computerworld, which says Valve did not immediately respond to its request for comment (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.
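As an added illustration of the warning-dialog point quoted above (this is not code from ReVuln, Computerworld or Valve): a dialog that shows only the first characters of a steam:// URL verbatim, beside a display routine that collapses whitespace and keeps the end of the URL on screen, so padding with spaces cannot push part of the URL out of view. The sample URL and its tail are constructed placeholders, not real Steam commands.

```python
import re

# Constructed sample (not a real Steam command): a steam:// URL padded with
# spaces so the text after the padding lies beyond an 80-column dialog.
PADDING = " " * 120
SAMPLE_URL = "steam://example/harmless" + PADDING + "PLACEHOLDER_HIDDEN_TAIL"
DIALOG_WIDTH = 80


def naive_dialog_text(url: str, width: int = DIALOG_WIDTH) -> str:
    """Display used by a dialog that shows only the first `width` characters
    verbatim: runs of spaces count toward the width, so padding hides the rest."""
    return url[:width]


def content_hidden(url: str, width: int = DIALOG_WIDTH) -> bool:
    """True when the naive display drops something other than trailing whitespace."""
    return url[width:].strip() != ""


def hardened_dialog_text(url: str, width: int = DIALOG_WIDTH) -> str:
    """Display that padding cannot defeat:
    - every run of whitespace becomes a single visible marker (U+2423),
    - non-printable characters are rendered as \\xNN escapes,
    - if the result is still too long, head and tail are both kept around '...'
      so the end of the URL is always on screen."""
    collapsed = re.sub(r"\s+", "\u2423", url)
    visible = "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in collapsed)
    if len(visible) <= width:
        return visible
    head_len = width // 2 - 2
    tail_len = width - head_len - 3
    return visible[:head_len] + "..." + visible[-tail_len:]


if __name__ == "__main__":
    print("naive   :", repr(naive_dialog_text(SAMPLE_URL)))
    print("hidden? :", content_hidden(SAMPLE_URL))
    print("hardened:", hardened_dialog_text(SAMPLE_URL))
```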

69 Replies. 4 pages. Viewing page 3.

29. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 18:45 Closed Betas
 
Quick, delete your Steam client... Great excuse to change the world for the better...
 
 
28. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 18:30 Prez
 
Some more non-techie explanation needed if you don't mind. What's the worst-case scenario here? Am I looking at someone deleting my saved games or someone hacking the Department of Defense and making it look like I did it?
 
“The greatness of a nation and its moral progress can be judged by the way its animals are treated.”
- Mahatma Gandhi
 
27. Re: This goes way beyond being a browser exploit. Oct 17, 2012, 18:27 Mashiki Amiketo
 
No, you don't because Windows environment variables will tell you that. Plus most users use default installation locations for Windows and Steam.

Well as stated in the article the Source engine will do that for the attacker if a Source engine game is installed. But, hardly anyone plays Source engine games, right?

In order to make this exploit work, you need to be able to cause something to create the file, in order to be able to execute it. The environment variable table will not give you a list of games installed to exploit. The link itself is only an arbitrary step in this process. If you don't know what's installed, you have no attack vector. No attack vector, no exploit. It's even in the paper itself. A link isn't enough, but it is the attack point. Now I suppose you could write something to hit the top 100 games.

Even their Unreal engine exploit requires an .upk file to exist already, in order to cause it to crash (integer overflow). But unless it's there already you can't do squat, and unless you've already written it, or planted it again, you can't do squat.

If you run a formed steam URL without something to execute it, nothing happens. If you run something with the steam engine with specific commands, with a force dump you can make it dance. But in the latter case, you need to know "what" you're running into to make it do something.
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
26. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 18:24 Verno
 
Kosumo wrote on Oct 17, 2012, 16:10:
Except that it's Verno who is calling them 'notoriously difficult to contact at times', that does not automatically make that statement true - I have contacted them twice over about 8 years and been contacted back both times within a couple of days.

Many people have had difficulty even getting timely responses to support tickets, let alone official responses about a security flaw in the client. The trouble with Valve is consistency, sometimes you can get an answer in an hour, sometimes it takes days. Indie developers have complained about lack of responsiveness and flexibility from their submissions program pre-Greenlight and so on. No idea what you're on about with L4D2, it was a totally different situation that didn't involve security or getting information from Valve. Valve is an awesome company and Steam is a great service but they're not perfect.
 
 
Playing: Divinity Original Sin, Destiny, Fire Emblem
Watching: Continuum, Star Trek TNG, Haunt
 
25. Re: This goes way beyond being a browser exploit. Oct 17, 2012, 17:58 hb3d
 
hb3d wrote on Oct 17, 2012, 17:07:
That Uplay exploit affected everyone too, and everyone that had the game plugin installed, not just IE.
I went back and read the Uplay researcher's original post again and I see that the plug-in didn't use ActiveX. The title of the post was "Re: AxMan ActiveX fuzzing" but that was a misleading title since it was actually a thread about a different exploit and the researcher just mentioned his new find in that same thread.

You still need to be able to have knowledge of what's where, to be able to execute this exploit.
No, you don't because Windows environment variables will tell you that. Plus most users use default installation locations for Windows and Steam.

And before that you need to be able to have access to something to be able to create the batch file,
Well as stated in the article the Source engine will do that for the attacker if a Source engine game is installed. But, hardly anyone plays Source engine games, right?

This comment was edited on Oct 17, 2012, 18:10.
 
 
24. Re: This goes way beyond being a browser exploit. Oct 17, 2012, 17:55 Mashiki Amiketo
 
hb3d wrote on Oct 17, 2012, 17:07:
That is really, really bad. As bad or worse than that Uplay exploit everyone bashed Ubisoft over (but not the researcher who found the exploit, hypocrites), but was fixed in a day or less. At least that exploit only affected IE users. This attack affects all browsers and Steam client users and since it can be scripted with JavaScript, it is relatively easy to implement and get past the user especially on some browsers and settings.
I ah...read the "research paper" and I use that term loosely. That Uplay exploit affected everyone too, and everyone that had the game plugin installed, not just IE.

You still need to be able to have knowledge of what's where, to be able to execute this exploit. And before that you need to be able to have access to something to be able to create the batch file, in order to create the exploit in order to be able to create the vulnerability.

The Computerworld article is rather meh as it stands anyway. I liked the TF2 exploit, that was rather funny. Because what they did was tell the game to create a specific file with a specific filename, thus creating the batch file from the console. But you see the problem here?
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
23. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 17:52 hb3d
 
Prez wrote on Oct 17, 2012, 17:47:
Is it simply a matter of avoiding clicking on external Steam links?
No, because the exploit can be scripted with JavaScript so that you don't have to click on a thing.

The most secure way to avoid being exploited is to uninstall the Steam client. If you try to remove Steam's URL handler functionality manually, Steam's forced updates will simply put it right back on the next launch. Barring that only use Chrome or IE9 as your web browser and set them to prompt for user confirmation on all URL handlers. Then if such a notice pops up, always choose "block" or "no" in the popup.
 
 
22. It is hard to get a reply from Valve. Oct 17, 2012, 17:49 hb3d
 
Kosumo wrote on Oct 17, 2012, 16:10:
Anyone else to back up that Valve are any more difficult to contact than any other large game/software studio?
This from the Computerworld article says it all on that: "Valve did not immediately return a request for comment." Even Computerworld didn't get some type of reply from Valve to a very serious security issue. Not even a "We're now aware of the issues and looking into them." Ubisoft both responded and fixed its exploit the same day. See this.
 
21. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 17:47 Prez
 
Except that it's Verno who is calling them 'notoriously difficult to contact at times', that does not automatically make that statement true - I have contacted them twice over about 8 years and been contacted back both times within a couple of days.

Hey, I like Valve and Steam and all, but I have to ask - you really consider getting a response "within a couple of days" to be a reasonable turnaround? I got locked out of my Steam account once due to an error on their end and I had to wait 72 hours for them to contact me, and then another 24 for them to fix the problem. Shining examples of great customer service they are certainly not. I really don't expect them to resolve every issue within minutes but 4 days for such a major issue is ridiculous. I would expect at least a token response from someone with a pulse within the same business day. Other companies can manage it; I think Valve should be able to as well.

As far as the exploit goes, would someone put it in non-techie terms exactly what I should avoid doing? Is it simply a matter of avoiding clicking on external Steam links?
 
 
“The greatness of a nation and its moral progress can be judged by the way its animals are treated.”
- Mahatma Gandhi
 
20. Re: This goes way beyond being a browser exploit. Oct 17, 2012, 17:35 BobBob
 
http://tinyurl.com/thesafestbrowser  
 
19. This goes way beyond being a browser exploit. Oct 17, 2012, 17:07 hb3d
 
Mashiki Amiketo wrote on Oct 17, 2012, 13:24:
Looking at this a bit more, it appears that unless you've been able to compromise the machine beforehand and lay a batch file (and know what games are installed), this is pretty much useless, so if someone has already compromised the machine that far, you've got other things to worry about than Steam URLs.

Though I might have missed something.
You missed a lot. Read the whole article (slowly for you) on Computerworld. This goes way beyond being a browser exploit. The browser is just used as an attack vector into the Steam client itself and Source engine games. See "The researchers released a video in which they demonstrate how steam:// URLs can be used to remotely exploit some vulnerabilities they found in the Steam client and popular games." Valve's wonderful security triumphs again. I wonder if we will see Half-Life 3 source code soon.

In a different example, a steam:// URL can be used to execute legitimate commands found in Valve's Source game engine in order to write a .bat file with attacker-controlled content inside of Windows Startup folder. Files located in the Windows Startup directory are automatically executed when users log in.
That is really, really bad. As bad or worse than that Uplay exploit everyone bashed Ubisoft over (but not the researcher who found the exploit, hypocrites), but was fixed in a day or less. At least that exploit only affected users with the installed plug-in. This attack affects all browsers and Steam client users and since it can be scripted with JavaScript, it is relatively easy to implement and get past the user especially on some browsers and settings.

This comment was edited on Oct 17, 2012, 18:08.
 
 
18. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 16:10 Kosumo
 
deqer wrote on Oct 17, 2012, 12:29:
Verno wrote on Oct 17, 2012, 12:19:
They probably notified Valve but didn't get a response back, they are notoriously difficult to contact at times.
I kinda hate companies that end up like this.

I mean, seriously, why is it our problem that you do not have the resources to handle all the communication you get from millions of people, to a point where you have to filter/ignore everyone or have a long queue or whatever. That's not my problem, that's your problem.

If you can't handle all the communication that comes in from millions of people, then maybe you shouldn't be in business trying to service millions of people...

Except that it's Verno who is calling them 'notoriously difficult to contact at times', that does not automatically make that statement true - I have contacted them twice over about 8 years and been contacted back both times within a couple of days.

When was it that they became 'notoriously difficult to contact'? Was it when you were moaning your ass off over Valve telling 'lies' (breaking their promise) re Left4Dead support?

Anyone else to back up that Valve are any more difficult to contact than any other large game/software studio?
 
 
17. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 15:13 jamiedj99
 
only a dumbass uses the browser outside of steam or if you're american
 
16. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 14:17 LC
 
The H has some more on this.
H-Online article
Which ends with some doom and gloom.
ReVuln is a company that sells information about unpatched security issues to businesses and governments; therefore, one of its paying customers may well already be in possession of functioning exploits for the Steam platform.
 
 
15. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 13:24 Mashiki Amiketo
 
Looking at this a bit more, it appears that unless you've been able to compromise the machine beforehand and lay a batch file (and know what games are installed), this is pretty much useless, so if someone has already compromised the machine that far, you've got other things to worry about than Steam URLs.

Though I might have missed something.
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
14. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 12:47 bozu
 
Creston wrote on Oct 17, 2012, 11:53:
while Safari automatically executes steam:// URLs without user confirmation, the researchers said.
APPLE MAKES TEH SAFEST STUFF IN TEH WORLD!!1!!!1!1
This is actually a very interesting hack from a blame perspective. On the surface, Safari is making the decision that, "users don't want to review URLs before executing them. the program that executes them should be responsible for its security." And Steam is making the decision that, "users don't want to review URLs before executing them. the game that executes them should be responsible for its security." And the game is making the decision that, "I'm just a game that supports steam. Isn't security their job?" There's no easy person to point fingers at here -- none of those statements are really wrong.

Ultimately, a solution needs to come from Valve, but it's going to be hard to find a way to reduce exploitability without negatively impacting the user experience.
 
 
13. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 12:44 Verno
 
Err right, as I noted in the second part of that post which wasn't quoted

We don't have all the facts either way, all we know is that this needs to be patched.
 
 
Playing: Divinity Original Sin, Destiny, Fire Emblem
Watching: Continuum, Star Trek TNG, Haunt
 
12. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 12:41 theyarecomingforyou
 
Verno wrote on Oct 17, 2012, 12:19:
They probably notified Valve but didn't get a response back, they are notoriously difficult to contact at times.
If that was the case then they almost certainly would have mentioned that. This strikes me as a very bad way to address legitimate security concerns. It sounds like a company trying to make a name for itself by whatever means possible.

That said, Valve needs to address this promptly.
 
 
SteamID: theyarecomingforyou
Star Citizen: Blue's News
 
11. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 12:29 deqer
 
Verno wrote on Oct 17, 2012, 12:19:
They probably notified Valve but didn't get a response back, they are notoriously difficult to contact at times.
I kinda hate companies that end up like this.

I mean, seriously, why is it our problem that you do not have the resources to handle all the communication you get from millions of people, to a point where you have to filter/ignore everyone or have a long queue or whatever. That's not my problem, that's your problem.

If you can't handle all the communication that comes in from millions of people, then maybe you shouldn't be in business trying to service millions of people...
 
 
10. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 12:19 Verno
 
They probably notified Valve but didn't get a response back, they are notoriously difficult to contact at times. To be fair though, many of these security firms just contact the companies which need to investigate and make determinations, in the meantime they just release the vulnerability either for publicity or etc. Not saying that's what happened here but it's a common complaint from large corporations.
 
Playing: Divinity Original Sin, Destiny, Fire Emblem
Watching: Continuum, Star Trek TNG, Haunt