Firm Says Steam URLs Exploitable

Startup vulnerability research and consultancy firm ReVuln says the way Steam handles steam:// protocol URLs leaves users open to having vulnerabilities in the Steam client and in their games exploited, reports Computerworld, which says its request for comment on this was not immediately answered by Valve (thanks Ant). A proof-of-concept trailer shows what they are talking about, and here's a bit:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.

"All the browsers that execute external URL handlers directly without warnings and those based on the Mozilla engine (like Firefox and SeaMonkey) are a perfect vector to perform silent Steam Browser Protocol calls," the researchers said. "Additionally for browsers like Internet Explorer and Opera it's still possible to hide the dodgy part of the URL from being shown in the warning message by adding several spaces into the steam:// URL itself."

Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email.
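The whitespace-padding trick ReVuln describes, as an added example that is not part of the original article and is not ReVuln's or Valve's code: a small JavaScript check that a page (or a browser extension's content script) could run over link targets before the browser hands them to an external protocol handler. It splits off the scheme, parses the steam://command/arg layout (an assumed reading of the documented steam:// form, with the first path segment as the command and the rest as arguments), and reports what a truncated warning dialog would show versus what the padding pushes out of view. The sample links are constructed for this example.

```javascript
// Added example, not code from the article, ReVuln or Valve: inspect link
// targets that would leave the browser and launch an external protocol
// handler, and surface the whitespace-padding trick described above.

// Schemes that hand the URL to another program. "steam" comes from the
// article; other handlers can be added as needed.
const EXTERNAL_SCHEMES = new Set(["steam"]);

// Split "scheme://rest" into its two parts. [\s\S] is used instead of "." so
// that tabs and newlines inside a padded URL are kept rather than dropped.
function splitScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([\s\S]*)$/i.exec(raw);
  return m ? { scheme: m[1].toLowerCase(), rest: m[2] } : null;
}

// Parse the steam://command/arg/... layout. Assumption for this example: the
// first path segment is the command, later segments are arguments, and
// anything after "?" is a query string.
function parseSteamUrl(raw) {
  const s = splitScheme(raw);
  if (!s || s.scheme !== "steam") return null;
  const q = s.rest.indexOf("?");
  const path = q === -1 ? s.rest : s.rest.slice(0, q);
  const query = q === -1 ? "" : s.rest.slice(q + 1);
  const segments = path.split("/").map((x) => x.trim());
  return {
    command: segments[0],
    args: segments.slice(1).filter((x) => x.length > 0),
    query,
  };
}

// A URL never legitimately contains raw whitespace. Locate the first run of
// it and report the prefix a truncated dialog would show and the remainder
// the padding hides.
function findPadding(raw) {
  const m = /\s+/.exec(raw);
  if (!m) return { padded: false, visible: raw, hidden: "" };
  return {
    padded: true,
    visible: raw.slice(0, m.index),
    hidden: raw.slice(m.index + m[0].length),
  };
}

// Classify one link target. Returns a report object instead of printing so
// the result can feed a banner, a log line or a test.
function inspectLink(href) {
  const s = splitScheme(href);
  if (!s) return { verdict: "not-a-url", href };
  if (!EXTERNAL_SCHEMES.has(s.scheme)) {
    return { verdict: "not-external", scheme: s.scheme, href };
  }
  const pad = findPadding(href);
  const parsed = parseSteamUrl(href);
  return {
    verdict: pad.padded ? "external-padded" : "external",
    scheme: s.scheme,
    command: parsed ? parsed.command : null,
    args: parsed ? parsed.args : [],
    shownInDialog: pad.visible,
    hiddenByPadding: pad.hidden,
    href,
  };
}

// Report every link that would leave the browser. In a page this would be
// fed from document.querySelectorAll("a[href]"); here the input is a
// constructed list so the example runs under node.
function auditLinks(hrefs) {
  return hrefs.map(inspectLink).filter((r) => r.verdict.startsWith("external"));
}

// Constructed sample links (not taken from any real page).
const SAMPLE_LINKS = [
  "https://store.steampowered.com/app/440/",
  "steam://store/440",
  "steam://run/440",
  "steam://store/440" + " ".repeat(40) + "/more/segments",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditLinks(SAMPLE_LINKS)) {
    console.log(r.verdict, "shown:", JSON.stringify(r.shownInDialog),
      "hidden:", JSON.stringify(r.hiddenByPadding));
  }
}
```

Run it with node; auditLinks() returns the reports rather than printing them, so the same function can drive a warning banner or a log line. The check is page-side only: it does nothing against a script that sets location.href to a steam:// URL directly, which is why the browser-level prompt that IE, Chrome and Opera show remains the real control, and why disabling the handler is the stronger mitigation for users who do not need it.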

69 Replies. 4 pages. Viewing page 1.

69. Re: Firm Says Steam URLs Exploitable Oct 19, 2012, 10:32 Mr. Tact
 
Prez wrote on Oct 18, 2012, 16:40:
For me, convenience easily trumps most other considerations.
100% agree -- for gaming and most anything else. There are only rare exceptions.
 
Truth is brutal. Prepare for pain.
 
68. Re: Firm Says Steam URLs Exploitable Oct 19, 2012, 00:13 Prez
 
How dare you, you lazy shill whatever!

Wow, you are Mr. Literal aren't you?
 
Goodbye my Monte boy. May you rest in the peace you never knew in life.
 
67. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 17:58 Dev
 
Prez wrote on Oct 18, 2012, 16:40:
Call me lazy, call me a shill - whatever. For me, convenience easily trumps most other considerations.
How dare you, you lazy shill whatever! I resemble that remark!

Steam IS convenient! I don't care what you say! Me and my 500+ game library says so!

Wait, what?


[just in case, yes this was a joke]
 
 
66. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 16:40 Prez
 
Well said descender. Call me lazy, call me a shill - whatever. For me, convenience easily trumps most other considerations.  
Goodbye my Monte boy. May you rest in the peace you never knew in life.
 
65. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 15:36 descender
 
What I do not get is how anyone here at Blue's can see Steam as anything other than an annoying, but regretfully necessary network client on our computers.

Convenience is a bitch? Tried and true expression, yet people are always surprised when they come face to face with it and have to "accept" it again.

Steam has to be one of the most convenient pieces of software, especially related to gaming... ever.

You know what's annoying? Keeping track of hundreds of install CDs and DVDs. Keeping them unscratched. Keeping games patched and up to date manually. Being at a friend's house and wanting to show them a game, but not carrying said CDs/DVDs on you at all times... Those things are all annoying.

Instead I have one online backup, and one offline backup of all of my save games, ever... on one DVD... and I can access my games anywhere the internet works.

Man, the future is great. What an annoyance the future is!
 
 
64. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 15:30 descender
 
So from what I understand here... if you have a properly secured browser in the first place, this won't be an issue because there is no reason for a rogue javascript to be getting anyone at this point.

... and unless Bluenews.com or espn.com start trying to hack the planet, anyone who runs into this vulnerability (again, with an unsecured browser) is completely at fault here?

Good. Looks like more "security problems" I won't have to worry about.

The exploitable vulnerability with computers sits in front of the keyboard.

It's almost as if there is no reason for any of the larger spyware offenders to spend any time on this... because they would have been better off exploiting the browser in use to launch the steam URL in the first place. Browsers that are on many more computers than steam clients.


The "quick uninstall steam" crowd here is hilarious. How about "quick, don't click on stupid shit anyway, regardless of if its steam or some other program on your computer being exploited".
 
 
63. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 13:19 LaxerFL
 
jamiedj99 wrote on Oct 17, 2012, 15:13:
only a dumbass uses the browser outside of steam or if **your** american

You ARE, you're

You were saying something about dumbasses?
 
 
62. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 11:20 Verno
 
avianflu wrote on Oct 18, 2012, 10:55:
What I do not get is how anyone here at Blue's can see Steam as anything other than an annoying, but regretfully necessary network client on our computers.

I don't know man. I'm older now, I don't want to patch my own games anymore. I like just making a fast purchase and being able to play shortly after instead of trucking out to the store or waiting on UPS. I actually use the Friends/Community features and consider them a benefit. Back when I used to play WoW I made a ton of gamer friends and we all keep in touch and play various games through our Steam accounts. The recent improvements to the library features have made it a very competent game library manager too.

It's not perfect, there's a lot I'd like to improve. I want Steam to handle backing up my game saves and shit, not just Steam Cloud enabled games but everything. I'd like better workshop integration and so on. I don't look at it as a regretful annoyance though, I wouldn't use it if that was the case. When Steam was initially released it was largely a piece of shit and guess what, I barely ever used it as a result.
 
Playing: Everquest Next Alpha, Diablo 3, Bravely Default
Watching: Evidence, Longmire, Chained
 
61. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 11:01 Dev
 
Also, when I RTFA:

According to tests performed by the ReVuln researchers, Internet Explorer 9, Google Chrome and Opera display warnings and the full or partial steam:// URLs before passing them to the Steam client for execution. Firefox also requests user confirmation, but doesn't display the URL and provides no warning, while Safari automatically executes steam:// URLs without user confirmation, the researchers said.
...
In order to protect themselves, users can disable the steam:// URL protocol handler manually or with a specialized application, or can use a browser that doesn't automatically execute steam:// URLs


I think that regardless of whether the link comes from JavaScript or not, at some point the browser gets to the part where it's going to pass the URL on, and if it's set to prompt it should prompt at that stage.

If you really want info on the steam:// then check out valve's documentation on it:
https://developer.valvesoftware.com/wiki/Steam_browser_protocol
(note that steam://openurl part only works if specific URLs are given to it, it doesn't just open any random internet url)
 
 
60. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 10:55 avianflu
 
Yes, there may be tricks to work around this exploit in your browser, blah blah blah.

But c'mon, it doesn't change the underlying chronic security risks associated with running *any* network game client on your PC.

So yea we all have Steam here at Blue's because we like PC games.

What I do not get is how anyone here at Blue's can see Steam as anything other than an annoying, but regretfully necessary network client on our computers.

 
 
59. Re: Firm Says Steam URLs Exploitable Oct 18, 2012, 10:44 Dev
 
ZOMG NOES! Links are unsafe!?!


Also, last time I checked, Valve had disabled the "run any URL from Steam" functionality. It has to be an actual Steam URL, and you can't just give the whole URL, but have to go through its system. So for instance, you can give it an appid and it will open any store page, but it won't open steam://www.whackyVirusHere.com
I was trying to find a way to make a steam url for a greenlight vote page, and I couldn't since steam hasn't integrated that into the URL stuff yet.
hb3d wrote on Oct 17, 2012, 19:53:
Valve needs to autoupdate Steam to get rid of the URL handler as an immediate step to blunt this attack, but the Steam website is full of the URLs so it's going to break all that functionality.
This is highly likely to be their move IF they do anything. Regardless of what it breaks. They have a history of just disabling entire features/functionality rather than fixing bugs/exploits within them.

This comment was edited on Oct 18, 2012, 11:00.
 
 
58. Re: It's good advice but not foolproof. Oct 18, 2012, 08:53 Verno
 
Sepharo wrote on Oct 17, 2012, 21:29:
Oops I'm doing this wrong...

UNINSTALL STEAM IT'S THE ONLY WAY TO BE SAFE
INSTALL ORIGIN AND UPLAY THEY ARE LIEK STEAM BUT BETTER

Yeah I'm not sure what exactly the point was supposed to be in his rants about hypocrisy in the community. I don't see him posting about the Origin patchnotes every time they finally fix a bug or security flaw or advising people to uninstall it.
 
Playing: Everquest Next Alpha, Diablo 3, Bravely Default
Watching: Evidence, Longmire, Chained
 
57. Re: It's good advice but not foolproof. Oct 18, 2012, 07:58 TheVocalMinority
 
nin wrote on Oct 17, 2012, 22:15:
Assley Putz!

Assley Putz!

Assley Putz!


You called? Good to see the Valve fanbois resorting yet again to ad hominem attacks when some heretic dares disparage their idol. Keep up the good work, chaps.
 
Assley Putz
"Was vocalminority assley putzs most recent handle?"
-nin May 16, 2012, 10:52
 
56. Re: I hate hypocrisy and blind bias. Oct 17, 2012, 22:44 Dades
 
hb3d wrote on Oct 17, 2012, 22:13:
I'm not a fan of EA at all, but I hate the hypocrisy and blind bias I see around here and on other PC game forums. That is why I defended EA over its recent give away of free games. It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous. EA even posted a notice on the previous survey link that new coupon codes would be sent out to those that didn't get one for the previous survey because it had to be closed. Now, that's good customer service for any company including EA.

EA has done a lot of bad shit over the years to earn their reputation and we don't need our life validation from you. Your constant snobbery and accusations about how people aren't acting how you think they should is just annoying and a waste of time.

- DADES - This is a signature of my name, enjoy!
 
 
55. Re: I hate hypocrisy and blind bias. Oct 17, 2012, 22:29 Prez
 
It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous.

I freely admit I'm an EA hater (but given their long sordid history of being a shitty company, certainly not without cause) but if I saw there was credit to be given I would give credit where it was due. All I saw in the latest EA debacle was a ham-fisted and poorly managed attempt to gain some small measure of market penetration by giving people free games (a move so counter to their normal philosophy it serves to prove how desperate they are in my mind) which ended up being exploited like crazy. It couldn't have happened to a nicer company.

At what point does a company with a history of security problems and abysmal customer service stop being "awesome"?

So that's what this is about? It pisses you off that people think Valve is awesome? Seems pretty petty to me. I think their customer service sucks, as I already detailed earlier, but that's not enough to make me start hating on Valve like you wish I would. It seems every service has had its share of security issues lately, and while others might have raised hell I have always taken it as a matter of course considering the way things are today, regardless of who it happens to. Valve isn't perfect, and not a person that I've heard said they are, but they have a long, LOOONG way to go to even come close to being as anti-consumer as EA is. The companies are almost polar opposites.

This comment was edited on Oct 17, 2012, 22:41.
 
Goodbye my Monte boy. May you rest in the peace you never knew in life.
 
54. Re: It's good advice but not foolproof. Oct 17, 2012, 22:15 nin
 

Assley Putz!

Assley Putz!

Assley Putz!

 
http://www.nin.com/pub/tension/
 
53. I hate hypocrisy and blind bias. Oct 17, 2012, 22:13 hb3d
 
Prez wrote on Oct 17, 2012, 21:40:
Well it's no secret he's not a fan of Steam (but a big fan of Amazon and EA)
I'm not a fan of EA at all, but I hate the hypocrisy and blind bias I see around here and on other PC game forums. That is why I defended EA over its recent give away of free games. It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous. EA even posted a notice on the previous survey link that new coupon codes would be sent out to those that didn't get one for the previous survey because it had to be closed. Now, that's good customer service for any company including EA.

that doesn't necessarily make him wrong.
He has to attack the messenger because he doesn't like the message and can't handle the truth.

Regarding this latest Valve security problem, the silence on this both from Valve and its fans speaks volumes. When Ubisoft had a similar exploit months ago in a browser plug-in for its game client, most of you and others exploded with vitriol at Ubisoft over it even when you weren't even affected by it because you hadn't installed the plug-in. And Ubisoft responded and fixed the problem the same day it was reported in the news. Here, Valve didn't even reply to the researchers who discovered the problem or to Computerworld, which initially reported the story. And this latest Valve security problem affects far more people, since more people use Steam, and more products, since the vulnerabilities are in the Steam software and several game engines themselves. The few Valve fanboys who bothered to respond in this thread either stuck their heads in the sand and denied the scope of the problem and/or blamed the researchers who found the exploits rather than place the blame on Valve where it belongs.

At what point does a company with a history of security problems and abysmal customer service stop being "awesome"? Valve is now a multi-billion-dollar company. It has a virtual monopoly on PC game distribution. It needs to stop acting like a bunch of free-wheeling hippies and stop treating customer service and security like some distant afterthought and inconvenience which interrupts its playtime. But Valve will never improve and devote the personnel and resources necessary to those functions unless customers demand it. And so long as the company has millions of minions who think it is "awesome" anyway and keep gladly giving it their money regardless of its repeated failings, that will never happen. That is why it is important to complain even when it is your favorite company in the wrong.

This comment was edited on Oct 17, 2012, 22:31.
 
 
52. Re: It's good advice but not foolproof. Oct 17, 2012, 21:40 Prez
 
nin wrote on Oct 17, 2012, 21:31:
Sepharo wrote on Oct 17, 2012, 21:29:
Oops I'm doing this wrong...

UNINSTALL STEAM IT'S THE ONLY WAY TO BE SAFE
INSTALL ORIGIN AND UPLAY THEY ARE LIEK STEAM BUT BETTER


Now you're speaking his language.


Well it's no secret he's not a fan of Steam (but a big fan of Amazon and EA); however, that doesn't necessarily make him wrong. Personally, I just redirected the steam url handler to open notepad instead as someone advised in the Steam forums. Steam will of course redirect this back when it is restarted, but I leave mine running all the time so no restart = no problem.
 
Goodbye my Monte boy. May you rest in the peace you never knew in life.
 
51. Re: It's good advice but not foolproof. Oct 17, 2012, 21:31 nin
 
Sepharo wrote on Oct 17, 2012, 21:29:
Oops I'm doing this wrong...

UNINSTALL STEAM IT'S THE ONLY WAY TO BE SAFE
INSTALL ORIGIN AND UPLAY THEY ARE LIEK STEAM BUT BETTER


Now you're speaking his language.

 
http://www.nin.com/pub/tension/
 
50. Re: It's good advice but not foolproof. Oct 17, 2012, 21:29 Sepharo
 
Oops I'm doing this wrong...

UNINSTALL STEAM IT'S THE ONLY WAY TO BE SAFE
INSTALL ORIGIN AND UPLAY THEY ARE LIEK STEAM BUT BETTER
 
 

