33

Speaking to one of our security administrators at work, he insists that Steam is a well understood security risk and it shouldn't be installed on work machines.

Saying it's not work related I understand, but is there a genuine security threat from having it installed (and if so broadly what is it), or is this someone providing a fictional reason for not allowing something they just don't want to allow?

(As I say, I'm not disputing their right to say what should and shouldn't be installed, just trying to understand the reasons).

Jon Hopkins
  • 14
    If your company has to worry about NIST compliance, look at SP 800-53 for CM-07 "Least Functionality". – Iszi Jul 26 '12 at 14:38
  • I'll assume that your company doesn't manufacture, develop or support video games... – makerofthings7 Dec 29 '12 at 14:08
  • 3
    I'd like to point out that [Steam also provides "non-game" software](http://store.steampowered.com/software/), so this isn't just about people who'd like to faff about at work. – mikołak Feb 27 '14 at 21:03

7 Answers

39

From what I can tell, there have only been two serious public vulnerabilities in Steam.

Neither is current. I can't see any real risk. However, since Steam is completely unnecessary at work, it's a minor potential risk that could be avoided.

Most likely, he's nit-picking because he doesn't think having Steam installed is appropriate at work, but he doesn't want to be the bad guy.

Polynomial
28

Steam should be treated just like any other application installed on a business computer. Ask yourself if it is needed to perform your job correctly.

When your computer has more software installed, it may have more areas where it can be attacked.

  • Steam may not have a vulnerability now, but they may accidentally release an update that has a vulnerability in it.

  • There may be 0-day vulnerabilities in Steam that have not yet been released to the public.

  • A hacker may be able to get into the Steam code and make modifications that allow a backdoor to all updated Steam clients.

With this in mind, not having Steam installed can prevent those vulnerabilities.

Furthermore, good system administrators will remove any unnecessary programs or services from servers or workstations.

Go through a thought process:

  • Does my computer need this application?
  • Is it enabled or disabled by default?
  • If my system is compromised, will my data still be safe?

Of course, if you develop the software or develop software that uses Steam, you probably should have it.

Jedi
ponsfonze
7

Steam itself may or may not be a risk, but let's not forget that it installs other programs (games), and those will very likely have security vulnerabilities.

longneck
7

Steam records game usage, time and other game characteristics. In addition, Steam reports configuration details and all installed applications. So, Steam can be considered spyware itself when the configuration or the installed applications are an important strategy key of the company.

Max
5

Anytime you install an application, you increase the attack surface for that box. This is true even in the case of antivirus. Obviously there are times when this is absolutely necessary and proper risk analysis should be completed to determine whether or not an application should become a standard for the environment.

On the other hand, we security professionals have a nasty habit of spreading FUD (Fear, Uncertainty and Doubt). That is to say, we make policy, rules or decisions without applying any validation to the root cause.

Awhitehatter
4

Of course it is.

I have no doubt that there are vulnerabilities in Steam. Why would you think game developers are magically capable of writing secure C/C++ code, when no mainstream OS developers have been able to do so, despite that they are largely security focused?

I used to make cheats for Crysis, and accidentally stumbled across a format string vulnerability. This was a highly acclaimed game, and yet I found a vulnerability in it without even trying. Around the same time, Luigi Auriemma was finding vulnerabilities in top titles like Call of Duty 4, Halo, Quake 3, and various game tools like Ventrilo. He found tons of vulnerabilities in all these products like it was nothing. There must be tons more.

So it's safe to say that there are tons of vulnerabilities in games and related products such as Steam, and people most likely do have 0days for them, not to mention Steam devs or anyone selling a product over Steam could choose to distribute malware to you.

It's still rare that you see 0days published for Steam and video games in general, so unless you are a worthwhile target, you probably aren't going to get exploited this way.

Longpoke
0

Is Steam a security problem at work? Well, like any other program it will have vulnerabilities. And it allows installing other programs that will also have vulnerabilities. So yes, just like Windows, IE and Office it has security issues. And in the settings you can have it send information back to the Steam servers about your computer (this may be on by default), just like Windows does and many others. (Firefox can do this, as can Chrome and many others.)

So your company has said we don't want to take the risk.

As for playing games at work, there are companies with video game consoles in the office, pool tables, tennis courts, and they let their users play video games. Why? Because their office workers are more productive when they are happy and content and morale is high, so they give them these things called perks. Some of them are things like free food, health care, free parking, a fun atmosphere and gaming.

mike