Steam Uses Out-of-Date Chromium Browser with Security Feature Disabled

Jack



The latest version of the Steam gaming client is employing an outdated Web browser that puts users at risk due to unpatched vulnerabilities while also disabling a key security feature.

After Google Project Zero security researcher Tavis Ormandy disclosed that two antivirus companies were deploying customized Chromium versions that exposed users, other researchers around the Web started to comb any other project where the Chromium browser was also used.

One of those places is the Steam client, which uses a stripped-down Chromium version to power Steam's in-game Web browser, shown via the Steam in-game overlay.

Steam is not using the latest Chromium version
According to GitHub user ekaris, Valve is currently using an outdated Chromium version within its Steam client. The most recent Chromium version is v50, but Steam is using v47.

Ekaris reported the issue via Valve's "Steam Client for Linux" GitHub page, but we've tested the Windows client and found out it deploys the same Chromium version (screenshot below), and no doubt, the Mac client suffers from the same issue.

Although Chromium 47 is not that far behind v50, always running the most recent browser version is important because users are protected from the latest security issues discovered in test environments or real-life attacks.

Steam disabled one of Chromium's key security issues
But as if things weren't bad enough, the same ekaris also discovered that Steam was starting its Chromium browser with the --no-sandbox flag.

By default, Chromium ships out with this flag activated as a must-have security measure, which is intended to protect users from various security exploits that might want to branch out from a Web page to the underlying operating system.

Valve has acknowledged the bug reports, but Steam users should refrain from using the in-game browser for the immediate future, just in case they run into malicious Web pages or rogue advertising (malvertising).

Read more: Steam Uses Out-of-Date Chromium Browser with Security Feature Disabled
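An added example, not part of the original post or of Valve's or Chromium's code: a small Linux audit that lists running processes started with the `--no-sandbox` flag described above and extracts the Chromium major version from a User-Agent string for comparison with v50. The sample command lines, the `/opt/example/webhelper` path and the User-Agent are constructed for illustration.

```python
import os
import re

NO_SANDBOX = "--no-sandbox"
LATEST_MAJOR = 50  # most recent Chromium major version named in the article

# Constructed sample: pid -> raw /proc/<pid>/cmdline contents (NUL-separated argv).
SAMPLE = {
    4101: b"/opt/example/webhelper\0--type=renderer\0--no-sandbox\0--lang=en-US\0",
    4102: b"/usr/bin/chromium\0--type=renderer\0https://example.test/?q=--no-sandbox\0",
    4103: b"",  # kernel threads expose an empty cmdline
}
SAMPLE_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/47.0.0.0 Safari/537.36")  # constructed

def parse_cmdline(raw: bytes) -> list:
    """Split a /proc/<pid>/cmdline blob into its argument strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def sandbox_disabled(argv: list) -> bool:
    """True only when the flag is its own argument, not text inside a URL or path."""
    return NO_SANDBOX in argv[1:]

def chromium_major(user_agent: str):
    """Return the Chromium major version from a User-Agent string, or None."""
    m = re.search(r"\bChrome/(\d+)\.", user_agent)
    return int(m.group(1)) if m else None

def audit(procs: dict) -> list:
    """Return (pid, executable name) for every process started without the sandbox."""
    findings = []
    for pid, raw in sorted(procs.items()):
        argv = parse_cmdline(raw)
        if argv and sandbox_disabled(argv):
            findings.append((pid, os.path.basename(argv[0])))
    return findings

def read_proc() -> dict:
    """Collect the command line of every live process (Linux /proc only)."""
    procs = {}
    for entry in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/cmdline", "rb") as fh:
                    procs[int(entry)] = fh.read()
            except OSError:
                continue  # process exited or access was denied
    return procs

if __name__ == "__main__":
    print(audit(read_proc()) or "no process started with --no-sandbox")
```

Run as the same user as the client being checked, since other users' command lines may not be readable.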
 

generalwu

I agree with @Dani Santos it's quite slow.

I usually tab out of game to use browser.

I use Borderless Gaming Software in Steam to minimise any chances of crashes. :)
 
