Revuln, a software and hardware security company, has published a report and video proof-of-concept detailing security vulnerabilities of Steam. The vulnerabilities centre around Steam browser protocol commands. Like the normal http:// commands that tell your browser to load a website the steam:// protocols tell Steam to execute various functions. This allows users to, for example, download and install demos by clicking links on the Steam store page in their browsers. For instance copying the following command into your address bar and hitting enter should, assuming you have Steam installed, download and run Team Fortress 2: steam://run/440
The first part of this vulnerability comes from the fact that some browsers, such as Safari, will execute these commands automatically upon receiving them without informing the user any action has been taken. Chrome is the most secure browser with a detailed warning including the full URL and the program to be called. Internet Explorer will display a warning and the URL and Firefox will simply ask for confirmation without warnings or details. Lesser used browsers that also execute without warning are Webkit, MaxThon, Avant and Lunascape. The browser used in Steam's in-game overlay completely ignores steam:// commands and as such is not vulnerable to this method at all.
The second part of this vulnerability is the ability for a steam:// link to run a game with command line parameters, allowing the attacker to use vulnerabilities in Steam games themselves. One of the methods shown is to run Team Fortress 2 and have it create a .bat file in the user's Startup folder. This will cause the user's PC to execute any commands the attacker likes upon the next PC startup. Another possible vulnerability documented is related to the free-to-play game All Points Bulletin: Reloaded. The game features a customizable auto-update feature and it is possible to command it to connect to a server of the attacker's choosing where it will download whatever files it is given.
You can read the report in its entirety here and watch the video demonstration here. If you are worried about these vulnerabilities you can minimize any risk by making sure your browser does not execute Steam protocol commands automatically. If entering steam://run/440 into your address bar causes Steam to launch or run Team Fortress 2 then without a prompt then you are vulnerable.
If you are using Firefox or Chrome this means that you have previously told your browser to automatically run Steam commands. To remove this setting in Firefox press Alt, then go to Tools->Options->Applications, find Steam on the list of applications and change its action to always ask. To remove this setting from Chrome go to "C:\Users\<username>\AppData\Local\Google\Chrome\User Data" on your PC, open the "Local State" file in Notepad, search its contents for "steam" and change it's value to true.
In a Team Fortress 2 patch on October 17th, Valve updated the "con_logfile" for modern Source engine games including TF2, Day of Defeat: Source, Half-Life 2: Deathmatch and Garry's Mod.. Updating this file has removed the exploit outlined by ReVuln in their report. We imagine the rest of Valve's games will receive a similar update sometime soon, if they haven't already.