"In this document [PDF file], the company analyses what happens when a URL using the protocol steam:// is redirected," writes The Register's Richard Chirgwin. "Of the major browsers, Internet Explorer and Chrome present warnings (Chrome being the most detailed, describing the program the redirect is trying to call); Opera presents a warning but only shows the first 40 characters of the URL being called; Firefox requests a confirmation but doesn't show the URL; and Safari will directly execute the program without warnings."
"In one proof of concept involving the Steam browser, attackers used malicious YouTube links within Steam user profiles to bait users," writes SC Magazine's Darren Pauli. "Users who viewed the videos and wished to leave comments would be phished with malicious steam:// URLs that pointed to external sites. From there, attackers could exploit vulnerabilities within gaming engines to remotely compromise user machines."
"The researchers released a video in which they demonstrate how steam:// URLs can be used to remotely exploit some vulnerabilities they found in the Steam client and popular games. ... In order to protect themselves users can disable the steam:// URL protocol handler manually or with a specialized application, or can use a browser that doesn’t automatically execute steam:// URLs, Auriemma said," writes PCWorld's Lucian Constantin.
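The mitigation Auriemma describes, disabling the steam:// handler, comes down to the protocol registration Windows keeps in the registry. The following is an added PowerShell example, not code from any of the quoted articles or from Valve; it assumes Steam registers its handler under HKEY_CLASSES_ROOT\steam with the standard "URL Protocol" marker value and a shell\open\command subkey, and it must be run from an elevated prompt to change anything.

```powershell
# Added example (not from the quoted articles): audit the steam:// protocol handler
# and, if wanted, stop browsers from handing steam:// URLs to it.
# Assumption: the handler lives under HKEY_CLASSES_ROOT\steam; adjust $HandlerKey if not.
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\steam'
$CommandKey = "$HandlerKey\shell\open\command"

function Get-SteamProtocolHandler {
    # Reports what a browser would launch for a steam:// URL, or $null if nothing is registered.
    if (-not (Test-Path $HandlerKey)) { return $null }
    $marker = (Get-ItemProperty -Path $HandlerKey -ErrorAction SilentlyContinue).'URL Protocol'
    $cmd    = (Get-ItemProperty -Path $CommandKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Registered = ($null -ne $marker)   # browsers only hand off the URL while this marker exists
        Command    = $cmd                  # the program (with its "%1" URL argument) that gets launched
    }
}

function Disable-SteamProtocolHandler {
    # Removes the "URL Protocol" marker so browsers no longer treat steam:// as a launchable scheme.
    # The command subkey is left intact; a .reg backup is written first so the change can be reverted.
    param([string]$BackupPath = "$env:TEMP\steam-protocol-backup.reg")
    & reg.exe export 'HKEY_CLASSES_ROOT\steam' $BackupPath /y | Out-Null
    Remove-ItemProperty -Path $HandlerKey -Name 'URL Protocol' -ErrorAction Stop
    Write-Host "steam:// handler disabled; backup saved to $BackupPath"
}

function Enable-SteamProtocolHandler {
    # Re-adds the marker (an empty string is the conventional value) to restore browser hand-off.
    New-ItemProperty -Path $HandlerKey -Name 'URL Protocol' -Value '' -PropertyType String -Force | Out-Null
}

# Audit only; call Disable-SteamProtocolHandler explicitly to apply the mitigation.
Get-SteamProtocolHandler | Format-List
```

A per-user registration under HKEY_CURRENT_USER\Software\Classes\steam would take precedence over the machine-wide key, so check that path as well before concluding the handler is gone, and expect the Steam client to re-register the handler the next time it starts.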
"Considering that a new 0-day exploit seems to be found whenever someone examines the popular gaming platforms for security issues, gamers should seriously consider their options in terms of separating their entertainment from their sensitive data," The H Security reports. "Running a dedicated gaming PC on a separate network offers the best protection, but it also requires considerable effort and expense. A second instance of Windows on the same PC is not quite as safe, but it does considerably reduce the attack surface. At the very least, gamers could set up a dedicated gaming account with restricted privileges."