UPDATED: Ubisoft DRM allegedly installs backdoor

Isn't it great when game publishers push overly invasive DRM? Not only does it penalize paying customers while doing little to thwart pirates, but it can also have fun side-effects. For example, as Geek.com reports, someone has discovered that Ubisoft's Uplay software installs a browser plug-in containing a backdoor. That backdoor purportedly allows arbitrary code to be executed on the unsuspecting victim's PC—and all it takes is a maliciously crafted web page.

Tavis Ormandy, one of Google's security engineers, reportedly uncovered the backdoor and wrote about it on the Seclists.org mailing list on Sunday. Ormandy posted a few lines of JavaScript code as a tentative (and untested) proof of concept. The story made it onto Hacker News this morning, as did a working implementation of the proof of concept. According to the Hacker News post, the code was confirmed to work on a PC with Assassin's Creed on a Windows 7 system with Firefox installed. The proof of concept apparently loads up the Windows Calculator.

HackerNews says the following games come with Uplay software and may make users' PCs vulnerable:

Assassin's Creed II
Assassin's Creed: Brotherhood
Assassin's Creed: Project Legacy
Assassin's Creed Revelations
Assassin's Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy's H.A.W.X. 2
Tom Clancy's Ghost Recon: Future Soldier
Tom Clancy's Splinter Cell: Conviction
Your Shape: Fitness Evolved

The folks at Rock, Paper, Shotgun provide instructions for how to track down the plug-in and disable it. The process doesn't look too difficult or painful. Firefox users can do it through the through the plug-ins section of the Add-ons manager. Chrome users can simply enter "about:plugins" into their address bar, and Opera users have to go to the "Advanced" preference tab, into the "Downloads" section, and look for Uplay there.

Update 11:40 AM: Well, that was fast. Ubisoft has issued a statement saying a patch plugging the hole is now available. The statement was picked up by Rock, Paper, Shotgun and several other sites, and it reads:
We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.

Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.

Something tells me a better fix would involve less invasive software, but hey—baby steps.
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.