Ubisoft DRM creates security exploit, since patched

Uplay PC application lets websites gain access to computers, company urges users to update launcher.

A security flaw discovered this weekend in Ubisoft's PC anti-piracy software could theoretically be exploited by any website to gain access to a user's computer. The Uplay browser plugin that created the backdoor was exposed Sunday by a Google security engineer looking into the matter in his spare time, and was corrected with a forced update from Ubisoft earlier today.

Never trust amorphous blobs with low-level system access.

Security engineer Tavis Ormandy discovered the issue while looking into his installation of Assassin's Creed: Revelations, where he found the Uplay launcher gave its accompanying browser plugin "unexpectedly (at least to me) wide access to websites." Other users went on to make a demonstration site which was able to successfully launch Windows' calculator application on affected computers.

Ubisoft responded to the issue with a patch and a statement given to Rock Paper Shotgun and other sites, instructing users to update their Uplay applications as soon as possible. "Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues."

Discussion

Zloth2

If Ubisoft took security issues very seriously then this wouldn't have happened. This wasn't an "ooops, somebody found a real clever way to hack through our system" - this was a "screw it, just let it run anything". Most of the time people complaining about DRM in games are just people looking for an excuse to pirate but this time? I don't think so. This was a MAJOR screw up indicating a MAJOR problem in the way Ubisoft supports PC software.

If I play an Ubisoft game again any time soon, it's going to be on a cloud platform. Let somebody else deal with the security issues.

fullxtent

Irony; Ubisoft has plenty at the moment

llmp

I swore off Ubisoft after their Starforce DRM broke my CD optical drive on my laptop a while back, although recently I accidentally purchased a game from them without checking the publisher. Once I saw the Uplay junk, I quickly deleted the game from my hard drive. Now I just have this game sitting on Steam that I can't play...

blackothh

I saw something pop up last weekend with Uplay and my browser, so I stopped it because I hate Ubisoft and Uplay, even tho I need their terrible crap for Heroes of Might and Magic 6. I'll have to search for some mods to remove the online requirement, so I can enjoy single player without Uplay.

Yay for being more at risk as a paying customer than as a "pirate". Never again Ubisoft, I'm adding you to EA and Blizzard for my never buy again list.

Holoogamooga_

Pirates, once again, are safer than people who pay. Surprise!

Seriously companies, stop it.

sortajan

I'm afraid Ubisoft games remain easier to play when you pirate them than they are when you buy them.

ZeroX91

Am I the only one who finds this hysterical?

TheCyborgNinja

I want Ubisoft to accidentally invent Skynet as a form of DRM and it decides to solely wipe them out.

Savoritias

If now Valve comes out and releases Half Life 3 with DLCs and a DRM then this will mean the end of gaming.

msfan1289

No wonder today I got a Firefox plug-in to install Uplay. I said no to it because it just popped out of nowhere when I was on Facebook, and I thought it was a program trying to affect my PC.

mogqwai

I really couldn't care, I wouldn't pay Ubisoft a red penny anyway.

In fact I truly hope all the uninformed that DO pay them get a nasty surprise from this. Maybe it will deter others from supporting this awful company and they will finally go away.

Kolo32

DRM penalizing paying PC gamers since '08.

darkmakyua

Being serious here but what about those that only play Ubisoft games/have Uplay exclusively on 360/PS3? I only have Assassin's Creed II/Brotherhood, Prince of Persia and Scott Pilgrim on 360, if that helps...

MW2ismygame

All I can say is IRONY. Actually I can say F U Ubi as well, maybe you should chill on the DRM a little now? And not have fine print say that UP will be installed on browsers? And the people who were affected by this should be furious that this happened.

svaubel

Lol... DRM causing the security holes.

That is both sad and funny.

TrueGB

On the bright side, we can now tell the casual folk hackers can use DRM schemes to access their computers.

koospetoors

Hey, Ubisoft, actually competing for that "worst damn company of the year" award EA has isn't really that much of a good thing, ya know.

Oh and here's a fantastic fix for this: Drop the shoddy DRM, idiots. Maybe even grow a shred of respect for your PC fans along the way too.

firedrakes

never used the add on for web browser for uplay

blackothh

@llmp Steam and Uplay? Might as well add GFWL and complete the trilogy

Manji14

@sortajan Want games free of drm and always-online policies? Pirate games today! Twice the service for zero times the money!

Narutogx2

@koospetoors They're Probably Focused More On The Main 2 Consoles At This Point, lol...

Stiler

@firedrakes I think you are missing the point, it is installed with uplay, without you knowing about it. You DID install it if you used uplay, you never had to "allow" it to be installed.

If you use firefox look in "Add ons>Plug ins" and you'll see two uplay related plug ins that you probably didn't even know were there.

The point of this is that it is installed with uplay and (if not patched) can be allowed to run programs on your computer from the browser.

mogqwai

@Gelugon_baat I think the first time I was appalled by a sales model for a game becoming successful was Everquest.

I watched with horror as millions spent 40 bucks on what was literally, back then, a CLIENT for a pay to play game..

The original release didn't even include a month or whatever of time to play the game without paying the subscription.

Yet there they were, lining up forking over their hard earned cash like sheep to the slaughter..

I think game developers realized just how misinformed the average customer could be..

The industry has been on a downwards spiral since. Steam was definitely released as a DRM method. It did, however, grow into something better but what you say is true.. I can only see the industry continuing the terrible trends (DLC's "pay2win", or "freemium" as they are calling it now, always online, sequels from hell..etc)

It thrives because people will always forget, in their mad rush to play the latest hyped game, that they can vote this stuff away forever with their wallets.

mogqwai

@Gelugon_baat With Guild Wars, you can play the entire original game with just paying for the game itself.

It's no different than how games used to be sold, you buy a game and you can play it all you want, without any other fees.

If you mean the expansions as 'premium content' then yeah, there's expansions.

To be honest that sort of thing never bothered me, like DLC's do. You get something bigger than just some lame new weapon for your money, in fact Guild Wars Expansions were stand alone games in their own right, so it was done well IMO.

I bought the whole set and never regretted any of them, nor was I ever charged for anything else once I paid the entrance fee.

It wasn't a rip off, and it was good fun, in fact the servers for the original are still running strong, even though Guild Wars II is right around the corner, how many other companies have done that?

NCSoft is a company I have no problems buying games from.

mogqwai

@Gelugon_baat Oh hell no!

I never bought Everquest or WoW (I did get Guild Wars because, to me that is an MMO model done right)

I never bought Diablo III etc.. ... I will stick with games that give me more fun than headaches.. and there are still a LOT of good games that way.