f13.net General Forums => Steam => Topic started by: Trippy on October 17, 2012, 12:12:22 PM



Title: steam:// protocol vulnerability
Post by: Trippy on October 17, 2012, 12:12:22 PM
tl;dr the steam:// protocol allows remote sites to install files on your computer that can then be executed the next time you reboot. Disable the steam:// protocol handler in your browsers, especially Safari and other Webkit browsers. Oh yeah, that means the Steam client itself, which most of the time is acting as a Web browser with a fucked up UI, is likely vulnerable. Oh well...

Ars Technica article (http://arstechnica.com/security/2012/10/steam-vulnerability-can-lead-to-remote-insertion-of-malicious-code/)
ReVuln paper (PDF) (http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf)
ReVuln video (Vimeo) (http://vimeo.com/51438866)
(Using direct links because the ReVuln site fucking sucks)


Title: Re: steam:// protocol vulnerability
Post by: Fordel on October 17, 2012, 12:57:00 PM
How does one do that? Disable the steam:// thinger.


Title: Re: steam:// protocol vulnerability
Post by: Trippy on October 17, 2012, 01:20:42 PM
These days it's quite difficult actually. It used to be, in the good old days, that all browsers had a section in preferences or some other config section that showed you the mappings between protocols (like mailto and telnet) and MIME types and the apps that would handle them. These days some of the browser vendors think they "know best" and don't let you change those things with an in-browser UI. That includes Chrome and Safari. Firefox and IE, however, do let you view these settings in their preferences, and you can check in there to see if you've ever opened a steam:// link in one of those browsers and had it explicitly mapped to the Steam app. If you have, you should do one of three things:

1. Map the steam:// protocol to something like notepad.exe. This will effectively cause any malicious steam links to have no effect (other than possibly popping up the notepad app).

2. Delete the linkage. However, this will cause the browser to pop up a dialog the next time it tries to open a link with that protocol asking you which app should handle it, so you have to be careful not to remap it to Steam.

3. Change the mapping to "always ask" (or equivalent), which is effectively the same as #2.

Edit: Chrome's handler UI is hidden here: chrome://chrome/settings/handlers
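An added example (not from the thread or from any browser vendor) that checks which of the three states above a Firefox profile is in for the steam:// scheme. It assumes the `schemes`/`action`/`ask`/`handlers` layout of a modern Firefox profile's handlers.json and the nsIHandlerInfo action codes; the handlers.json content below is constructed sample data.

```python
import json

# nsIHandlerInfo action codes as stored in Firefox's handlers.json
# (assumed profile-format detail; the thread only describes the preferences UI)
SAVE_TO_DISK, ALWAYS_ASK, USE_HELPER_APP, HANDLE_INTERNALLY, USE_SYSTEM_DEFAULT = range(5)

# Constructed sample handlers.json: this profile hands steam:// straight to Steam
SAMPLE_HANDLERS_JSON = json.dumps({
    "defaultHandlersVersion": {"en-US": 4},
    "mimeTypes": {},
    "schemes": {
        "steam": {
            "action": USE_HELPER_APP, "ask": False,
            "handlers": [{"name": "Steam",
                          "path": "C:\\Program Files (x86)\\Steam\\Steam.exe"}],
        },
        "mailto": {"action": ALWAYS_ASK, "ask": True, "handlers": []},
    },
})


def classify_scheme(handlers_json: str, scheme: str = "steam") -> str:
    """Map a scheme's handler entry onto the states discussed in the post:
    'absent' (option 2), 'always-ask' (option 3), 'remapped' to a non-Steam
    app (option 1), or 'steam' (the risky default)."""
    data = json.loads(handlers_json)
    entry = data.get("schemes", {}).get(scheme)
    if entry is None:
        return "absent"        # browser will ask which app to use on next click
    if entry.get("ask") or entry.get("action") == ALWAYS_ASK:
        return "always-ask"
    handler_text = " ".join(
        f"{h.get('name', '')} {h.get('path', '')}" for h in entry.get("handlers", [])
    ).lower()
    if entry.get("action") == USE_HELPER_APP and "steam" not in handler_text:
        return "remapped"      # e.g. pointed at notepad.exe as the post suggests
    # Explicit Steam helper, or "system default", which is Steam when it is installed
    return "steam"


def audit_profile(path: str, scheme: str = "steam") -> str:
    """Classify the scheme mapping stored in a real profile's handlers.json."""
    with open(path, encoding="utf-8") as fh:
        return classify_scheme(fh.read(), scheme)


if __name__ == "__main__":
    print("steam:// state in sample profile:", classify_scheme(SAMPLE_HANDLERS_JSON))
```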



Title: Re: steam:// protocol vulnerability
Post by: Fordel on October 17, 2012, 01:57:23 PM
Thanks Trippy. :)


Using Firefox and the list doesn't seem to have steam on it. Guess I've never actually clicked a steam:// link before, which is entirely possible.


So that puts me into category 2 then I guess.


Title: Re: steam:// protocol vulnerability
Post by: Trippy on October 17, 2012, 02:22:16 PM
That's right, if you search for "steam" and Firefox didn't find anything then you've either never clicked on a steam:// link in Firefox or you clicked on one but never checked the box for saving that mapping.


Title: Re: steam:// protocol vulnerability
Post by: KallDrexx on October 17, 2012, 04:49:44 PM
My chrome://chrome/settings/handlers is blank, and I know I've clicked on stuff on Steam (though who knows if it was an actual steam:// link). I imagine since it's blank it's more bugged rather than me not having clicked on a link before.