A Closer Look At Steam For Linux’s Vulnerabilities And How They Affect Windows

Steam has a large user base, to put it mildly, so if there is something wrong with the Steam client, users should know about it and, better still, the problem should be fixed as soon as possible. Recently, a few supposed vulnerabilities were reported in the Linux Steam client, but are they really a problem?

This post was originally published on Kotaku Australia.

Over on the Steam for Linux GitHub repository, there are currently two open issues with security implications: one concerns the version of the Chromium Embedded Framework (CEF) that the Steam client uses for its built-in web browser, and the other concerns that CEF browser running with sandboxing disabled.

In simple terms, a sandboxed application or process is one that is isolated from the rest of the system, so that if the process crashes or is compromised (for instance by a malicious web page rendered in the embedded browser), what the attacker can reach from inside it is limited, or the damage is prevented entirely. Disabling the sandbox removes that second line of defence, which is why a browser component running without it is worth flagging.

Now, the aforementioned issues were recently covered by Martin Brinkmann over at gHacks.

I think Brinkmann’s article is somewhat alarmist, as it fails to mention in the headline or the story itself that this relates to Steam’s Linux client and not Windows.

It’s also easy enough to find out which version of CEF the Steam client is using: fire up a game, open the built-in web browser and type chrome://version into the address bar. That page lists the Chromium version that CEF embeds, along with the full command line the browser process was launched with.

You’ll see something like the below (this is from the most up-to-date Windows client as of 14 February, 2016):

The CEF version is 47.0.2526 and, going by the command line shown, the browser process is not running with the --no-sandbox flag, which means sandboxing is active. That flag is exactly what the Linux issue is about, so its absence here is the check that matters.
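The check described above, done by hand through chrome://version, is easy to script if you paste the page text into a file. The following is an added example and not code from Valve, CEF or the original article: it parses chrome://version-style text, pulls out the embedded Chromium version, looks for the exact --no-sandbox switch on the command line, and compares the build against the CEF stable branch the article names (47.0.2526). The two sample pages are constructed to resemble chrome://version output rather than captured from a real client, and the executable names and extra flags in them are assumptions for illustration.

```python
"""Audit chrome://version output from an embedded CEF browser.

Added example, not the Steam client's or CEF's own code. Reports the
embedded Chromium version, whether it trails the CEF stable branch, and
whether the renderer sandbox has been switched off via --no-sandbox.
"""
import re

# Constructed samples resembling chrome://version text; not captured from
# a real Steam client. Executable names and flags are assumed.
WINDOWS_SAMPLE = """\
Chromium: 47.0.2526.80 (Developer Build)
OS: Windows NT
User Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/47.0.2526.80 Safari/537.36
Command Line: "C:\\Program Files (x86)\\Example\\webhelper.exe" --lang=en-US --disable-extensions
"""

LINUX_SAMPLE = """\
Chromium: 47.0.2526.80 (Developer Build)
OS: Linux
User Agent: Mozilla/5.0 (X11; Linux x86_64) Chrome/47.0.2526.80 Safari/537.36
Command Line: ./webhelper --lang=en-US --no-sandbox --disable-gpu
"""

# Chromium version embedded by the CEF stable branch current at the time
# of the article (14 February 2016). Update this when auditing a newer client.
CEF_STABLE = (47, 0, 2526)

_FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
# Tokenizer that keeps a quoted path (which may contain spaces) as one token
# and does not treat Windows backslashes as escapes, unlike shlex.split.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_version_page(text):
    """Turn the 'Key: value' lines of chrome://version into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def version_tuple(s):
    """'47.0.2526.80 (Developer Build)' -> (47, 0, 2526, 80)."""
    m = re.search(r"\d+(?:\.\d+)+", s)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def sandbox_disabled(command_line):
    """True only when the exact --no-sandbox switch is present.

    Exact token matching avoids false positives on other switches that
    merely contain the word 'sandbox' (e.g. --disable-gpu-sandbox).
    """
    return "--no-sandbox" in _TOKEN.findall(command_line)


def audit(text, stable=CEF_STABLE):
    """Summarise one chrome://version page as a dict of findings."""
    fields = parse_version_page(text)
    ver = version_tuple(fields.get("Chromium", ""))
    cmd = fields.get("Command Line", "")
    return {
        "version": ".".join(str(p) for p in ver),
        # Compare major.minor.build only; the last component is a patch level.
        "behind_stable": ver[:3] < stable,
        "sandbox_disabled": sandbox_disabled(cmd),
    }


if __name__ == "__main__":
    for name, sample in (("Windows", WINDOWS_SAMPLE), ("Linux", LINUX_SAMPLE)):
        print(name, audit(sample))
```

Run it on a saved copy of the chrome://version text from the Steam overlay browser; a result with `sandbox_disabled` True is the condition the Linux issue describes, and `behind_stable` True means the embedded build is older than the CEF stable branch you compare against.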

Now, it’s important to note that the Chrome browser (the stable release being 48.0.2556) and the Chromium Embedded Framework are not the same product on the same release schedule. CEF embeds a specific Chromium release, and its stable branch trails Chrome’s stable channel, so a lower number in Steam than in your desktop Chrome is not, by itself, evidence of neglect. The right yardstick is the CEF builds page, which shows that 47.0.2526 is the most recent stable version for both Windows and Linux.

The dev channel, which is reserved for potentially unstable and in-development builds, is at 48.0.2556.0, but it would be silly for Valve to deploy a development build of CEF in a live product with millions of users.

So, while Steam for Linux may have a security issue or two to address, as far as I can tell the Windows client is unaffected. Valve certainly isn’t a saint when it comes to handling security issues, but we shouldn’t lose our heads unnecessarily.