Lotus Prince Let’s Play – Amnesia: the Dark Descent (Parts 7-9)
Xbox One Reveal Show and Trailer
BT Podcast 55: Suck My XBone
XBOX ONE in 5 seconds
Spring 2013 Show and Trailer!
Posted By Shaun K. about 9 months, 3 weeks ago
If this has been installed on your machine, be wary.
Today it was discovered that a massive hole existed in the Uplay DRM software that publisher Ubisoft has made use of since 2009′s Assassin’s Creed II. The software was basically automatically installing an unsecure browser plugin that essentially created an accidental backdoor that would allow any website to effectively take control of the user’s computer at any time. Which would be a problem to say the very least. A full list of games currently using the Uplay software follows:
Anno 2070
Assassin’s Creed II
Assassin’s Creed: Brotherhood
Assassin’s Creed Revelations
Assassin’s Creed III
Beowulf: The Game
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Prince of Persia: The Forgotten Sands
R.U.S.E.
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy’s H.A.W.X. 2
Tom Clancy’s Ghost Recon: Future Soldier
Tom Clancy’s Splinter Cell: Conviction
Your Shape: Fitness Evolved
In response to this discovery, Ubisoft has now released an update to Uplay that they purport corrects the problem. Their full statement on the matter follows:
The Situation:
The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they’re being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.
Corrective Measures:
The issue was brought to our attention early Monday morning and we had a fix into our QC department an hour and a half later. An automatic patch was launched that fixes the browser plugin so that it will only open the Uplay application. Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.
Patching:
To update your Uplay client and apply the patch:
-Close any open web browsers (Internet Explorer, Firefox, Chrome, Opera, etc.) If the web browser is open during the patch it will require restarting the browser.
-Launch the Uplay PC client. The Uplay PC client update will start automatically.
An updated version of the Uplay PC installer is also available to download from Uplay.com.
Q&A:
Q: Is the issue a rootkit as was reported by various media outlets?
The issue is not a rootkit. The Uplay application has never included a rootkit. The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed systems usually used by Ubisoft PC game developers to make their games.
Q: Is this issue related to DRM?
No. The browser plugin issue is just for launching the Uplay application.
Q: Can the browser plugin still launch other executables (programs)?
The browser plugin can now only launch the Uplay application.
While by all accounts this was more a case of sloopy programming than actual malicious intent on the part of anyone working at Ubisoft, it still remains another example of paying customers having had a potentially disastrous occurrence inflicted on them for the simple act of legitimately buying game software. As it is, the effectiveness of DRM in combating piracy is highly dubious at best and this only points to the kind of worse case scenarios that can occur from the practice. Ubisoft has yet to address if this incident will have any effect on their continued (and long controversial) support of DRM. It also would probably be a good idea for anyone currently regularly using software that employs Uplay and plans to continue doing so to keep a close eye on their computer for at least the foreseeable future. Blistered Thumbs will stay on top of this story and continue to provide updates as they become available.
Source(s): Ubisoft.
Is it reasonable to believe that deleting the software would eliminate the security issue? (I own Driver San Francisco on steam. It’s the only listed game on my computer right now.)
Hard to say. Since I’m not familiar with Uplay I’d imagine it depends on how much you can delete and whether you can find the installation.
Just goes to show how the legit customers get screwed over, while the people who illegally got it don’t have to worry about any of this.
I never buy any games from Ubisoft because of their horrid always online DRM, and this is just another reason to keep it up.
Considering how easy it was for them to close the overlooked backdoor, I doubt this would change any stance they have on DRM.
Backdoors have always been a security issue for developers that add unsecure things for their own convenience, especially in the early days of security awareness. But unless the programmers were terrible and made the program actually depend on the backdoor, it’s generally easy to “lock the door”.
At least it sounds like the Uplay client checks for updates on startup, so the vulnerability should be quickly patched for everybody who uses it.
Oh I agree this is unlikely to have any serious impact on the policy. That being said, if it did I suspect it would be more as a way of soothing customer outrage or calming fears than because of difficulty of fixing the problem. Also, we only have their assurance that the problem has been closed off for good. They could be wrong; a mistake on their part was what created this whole mess in the first place after all. Also unlikely, but still possible.