Steam’s built-in browser runs in a no-sandbox mode. The latest version of the Steam gaming client is employing an outdated Web browser that puts users at risk due to unpatched vulnerabilities while also disabling a key security feature.
After Google Project Zero security researcher Tavis Ormandy disclosed that two antivirus companies were deploying customized Chromium versions that exposed users, other researchers around the Web started to comb any other project where the Chromium browser was also used.
One of those places is the Steam client, which uses a stripped-down Chromium version to power Steam’s in-game Web browser, shown via the Steam in-game overlay.
Steam is not using the latest Chromium version
According to GitHub user ekaris, Valve is currently using an outdated Chromium versionwithin its Steam client. The most recent Chromium version is v50, but Steam is using v47.
Ekaris reported the issue via Valve’s “Steam Client for Linux” GitHub page, but we’ve tested the Windows client and found out it deploys the same Chromium version (screenshot below), and no doubt, the Mac client suffers from the same issue.
Albeit Chromium 47 is not that far behind v50, always running the most recent browser version is important because users are protected from the latest security issues discovered in test environments or real-life attacks.
Steam disabled one of Chromium’s key security issues
But as if things weren’t bad enough, the same ekaris also discovered that Steam was starting its Chromium browser with the –no-sandbox flag.
By default, Chromium ships out with this flag activated as a must-have security measure, which is intended to protect users from various security exploits that might want to branch out from a Web page to the underlying operating system.
Valve has acknowledged the bug reports, but Steam users should refrain from using the in-game browser for the immediate future, just in case they run into malicious Web pages or rogue advertising (malvertising).
Why do people feel the need to mess with Chromium’s security features?
This issue is very similar to the one Mr. Ormandy discovered in the Chromodo Web browser that ships with Comodo products, which disabled SOP (Same Origin Policy), another key security feature that protected users against CSRF attacks.
A few days later, the same researcher discovered that the SafeZone (Avastium) Web browser that was forcibly installed on all PCs where a paid version of Avast was running also disabled another key security feature that allowed only WebSafe URLs to be executed via Chromium’s command-line.
This issue allowed attackers to gain access to a user’s filesystem if they had the SafeZone browser installed. The user didn’t necessarily had to have their SafeZone browser open, and the malicious link could be opened in any browser and have the exploit trickle down to the SafeZone browser via a local open RPC port.
While forgetting to update the Chromium distribution that ships with Steam seems more of an oversight, enabling the –no-sandbox flag borders on the same level of ineptitude showed by Comodo and Avast and is something that needs further explanation.
A possible answer can be provided by a few Google searches, which reveal that most users that use the –no-sandbox flag do it for performance-related issues, something to which Valve may be sensitive.
Steam built-in browser runs an outdated version (Chromium 47)