Millions of Steam users are potential victims. Security researchers have found a vulnerability in the Steam browser protocol that allows remote code execution. When a user installs Steam on a computer, it registers the steam:// URL protocol so that players can connect to game servers and launch games. However, when a user clicks a specially crafted Steam URL, attackers can remotely exploit buffer overflow vulnerabilities in Steam games and programs to run malicious code on the target computer.
For example, in a game based on the Source engine, an attacker can use a URL-encoded runtime command to make the game create a log file with arbitrary content. With this vulnerability, attackers can create batch files in the startup folder. For games based on the Unreal Engine, researchers found a way to inject and execute arbitrary code. To launch such an attack, the attacker must first know what type of game the players have installed on their computers.