Steam has a large user base — to put it lightly — so if there’s something wrong with the Steam client, users should know about it and even better, such problems should be fixed as soon as possible. Recently, a few supposed vulnerabilities were discovered in the Linux Steam client… but are they really a problem?
Over on the Steam for Linux GitHub repository, there are currently two open issues with security implications: one relates to the Chromium Embedded Framework (CEF) version used by the Steam client for its built-in web browser, and the other has to do with CEF running with sandboxing disabled.
In simple terms, a sandboxed application or process is one that is isolated from the rest of the system, with the idea being if said process fails or is breached, the damage is limited, or mitigated entirely.
Now, the aforementioned issues were recently covered by Martin Brinkmann over at gHacks.
I think Brinkmann’s article is somewhat alarmist, as it fails to mention in the headline or the story itself that this relates to Steam’s Linux client and not Windows.
It’s also easy enough to find out what version of CEF the Steam client is using by firing up a game, opening the built-in web browser and typing chrome://version into the address bar.
You’ll see something like the below (this is from the most up-to-date Windows client as of 14 February, 2016):
The CEF version is 47.0.2526 and, going by the command line shown there, the --no-sandbox flag is not present. This means sandboxing is active.
Now, it’s important to note that the Chrome browser — the stable release being 48.0.2556 — and the Chromium Embedded Framework are not the same thing, so comparing their version numbers doesn’t really tell us anything. You’re better off visiting the CEF builds page, which shows that 47.0.2526 is the most recent stable version for both Windows and Linux.
The dev channel, which is reserved for potentially unstable and in-development builds, is at 48.0.2556.0, but it would be silly for Valve to deploy a development build of CEF in a live product with millions of users.
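The manual check described above (look at the command line reported by chrome://version for a --no-sandbox flag, then compare the build number against the CEF builds page) can be scripted on a Linux host by reading each process's /proc/<pid>/cmdline. This is an added example, not code from the article or from Valve; the sample command line, the process-name filter and the /proc layout assumptions are mine.

```python
import os
from typing import Iterable, List, Tuple

# Constructed sample of what /proc/<pid>/cmdline returns: argv entries separated
# by NUL bytes. The binary name and flags here are made up for illustration.
SAMPLE_CMDLINE = b"./cefclient\x00--type=renderer\x00--no-sandbox\x00--lang=en-US\x00"

def parse_proc_cmdline(raw: bytes) -> List[str]:
    """Split a NUL-separated /proc/<pid>/cmdline buffer into argv entries."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]

def sandbox_disabled(argv: Iterable[str]) -> bool:
    """True if a Chromium/CEF-style command line carries --no-sandbox."""
    return any(a == "--no-sandbox" or a.startswith("--no-sandbox=") for a in argv)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '47.0.2526' into a comparable tuple,
    so CEF builds can be ordered against the CEF builds page (never against Chrome)."""
    return tuple(int(p) for p in text.strip().split("."))

def find_unsandboxed(proc_root: str = "/proc",
                     name_hints: Tuple[str, ...] = ("cef", "chrom")) -> List[Tuple[int, List[str]]]:
    """Walk proc_root and return (pid, argv) for browser-like processes running
    without the Chromium sandbox. name_hints is an assumed substring filter on
    argv[0]; adjust it to the process names actually seen on the host."""
    hits: List[Tuple[int, List[str]]] = []
    if not os.path.isdir(proc_root):
        return hits  # not a Linux procfs host (or a deliberately missing path)
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                argv = parse_proc_cmdline(f.read())
        except OSError:
            continue  # process exited or is not readable by this user
        if argv and any(h in argv[0].lower() for h in name_hints) and sandbox_disabled(argv):
            hits.append((int(pid), argv))
    return hits

if __name__ == "__main__":
    for pid, argv in find_unsandboxed():
        print(f"pid {pid} runs without the sandbox: {' '.join(argv)}")
```

Running the script while a game's overlay browser is open lists any CEF helper processes whose command line disables the sandbox, which is the condition the Linux issue describes.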
So, while Steam for Linux may have a security issue or two to address, as far as I can tell, the Windows client is unaffected. Valve certainly isn’t a saint when it comes to handling security issues, sure, but we shouldn’t lose our hats unnecessarily.
Comments
One response to “A Closer Look At Steam For Linux’s Vulnerabilities And How They Affect Windows”
So from the sound of it, the vulnerability is only exploitable if you browse the web through the Steam overlay and visit an untrusted site. If you only visit the Steam web pages in this context, for instance, it probably isn’t exploitable.
It’s also worth noting that the process sandboxing is just one line of defence in Chrome (if the website gets to a point where it can execute arbitrary machine code in the browser context, that’s a bug), so while it isn’t great that they broke that feature it isn’t the end of the world.
In contrast, some Windows security software has done much worse. For instance, Comodo Internet Security installs its own version of Chrome and sets it as the default. In some versions, they disabled the “same origin policy”:
https://code.google.com/p/google-security-research/issues/detail?id=704
This effectively lets any web site view any information belonging to any other web site. If you logged into your bank website, any other web site could view pages and post forms with your credentials while you were still logged in.