As has been reported by Gaming on Linux, and chatted about on Reddit, the Steam Deck has got a bit of a security problem concerning its pretty badly outdated version of Firefox. Valve has reportedly promised a fix, but it won’t come until the next SteamOS update. That’s less than ideal.
The current version of the popular non-chromium browser is 102.0.1, while SteamOS sports the six-month-old version 96.0.3. You don’t need to be a Def Con hacking conference regular to know that you shouldn’t run around with an out-of-date web browser, particularly one you use to store passwords for, oh, I don’t know, social media websites, banking websites, or even Steam itself. (By the way: Don’t store passwords in your browser. That’s what password managers are for.)
Valve’s last major SteamOS update arrived on May 26, with frequent client updates in the weeks that followed. None updated the January build of Firefox, however. There is also a beta available for the next OS update, but you’ll have to opt into that and it isn’t a finalised build. That beta also does not update Firefox, nor is switching to a beta build of an operating system typically a good way to improve one’s security posture.
Kotaku has reached out to Valve for comment.
While drawing this specific issue out too much might be making a mountain out of a molehill (to be fair, I’m far from a security expert), it does bring up a challenge with SteamOS and Linux gaming in general.
As of the most recent Steam hardware and software survey results, Linux users account for only 1.18% of Steam’s population. A tiny amount for sure, but one that is growing with the rising popularity of the Linux-native Steam Deck. The folks who typically run Linux operating systems are more than capable of keeping them secure, but what happens when the SteamOS population grows to a point that it becomes an attractive target for exploiting vulnerabilities and distributing malware? And with the Steam Deck being advertised to the general public and not just hackers, the “dos and don’ts” of keeping a Linux machine safe are only going to become more important.
If you have a Windows background, the way Linux handles app installs may seem odd, with terms like “Flatpak,” “Snap,” and “repository” flying around. Linux has its own way of doing things, and it’s a little more complex than double-clicking a setup.exe. There’s also no “Linux Defender” at the ready to always ask you “are you sure you want to install this?” Steam Deck’s “Desktop Mode” might look similar to Windows or macOS, and I trust Valve has prioritised security, but adding in the wrong repository by grabbing random commands from the internet to do things as simple as getting Epic Games Store or GOG games to show up in Steam can easily land you in trouble if you aren’t 100% sure of how to keep your machine safe.
For many, the Steam Deck might not just be their first Linux gaming device, but their first experience with Linux period (Android doesn’t count). As Steam Deck and SteamOS continue to gain users, many will be more interested in just getting their games to run properly with the least possible hassle than learning how to safely manage a Linux OS from the ground up. Right now, most “noob Linux gaming questions” are answered by generous, helpful enthusiasts, not bad actors. But it’s not hard to imagine someone with malicious intentions and the knowledge of how to exploit situations like outdated software stepping in to take advantage of users who don’t know, say, the dangers of running random scripts.
Consoles are locked-down gaming environments for many reasons, but security certainly is chief among them. And while Windows security can definitely be compromised, most of us just assume Windows Defender will keep us from complete disaster. And it usually does. Valve may be right by going all in on Linux for the future of gaming, but security challenges are only going to grow as the Steam Deck gains in popularity. Moving forward, Valve would be wise to do its best to keep security considerations at the forefront, and that’s going to demand more timely updates with an eye toward patching potentially critical vulnerabilities as its userbase grows large enough to attract nefarious interests.