Update: Major Security Hole Found in Ubisoft's PC Titles


A browser extension installed with Ubisoft's DRM could leave your computer wide open to hackers.

A backdoor has been discovered in Ubisoft's Uplay DRM system, which could allow malicious attacks on users' systems. The problem, Rock Paper Shotgun reports, lies in a browser plugin that installs itself quietly with Uplay.

The exploit in its current form could allow a remote attacker to launch programs or installers, or even reformat a user's hard drive, through something as simple as a weblink or a piece of code injected into a website. PCs that do not have the browser plugin installed should not be affected. The team at RPS tested the exploit code immediately after installing Uplay and were able to use it to automatically launch Windows Calculator. The same procedure could easily be used with more malicious intent, and the code required to do so fits on only a couple of lines.

An unnamed security expert told RPS that "you could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it'd also install a program via Ubisoft's DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited WordPress, say." It's not clear exactly how much damage an attacker could cause with this, but anything that allows remote execution is a major concern. Ubisoft has yet to comment on the issue.

In light of this discovery, all users who think they might be affected should disable the browser plugin and consider temporarily uninstalling any Uplay-enabled games until Ubisoft manages to patch the problem. RPS forum member Revisor has posted removal instructions for the plugin on Firefox, Opera and Chrome. The list of games known to be affected by the issue follows, but it's not certain at the moment whether it's comprehensive - especially as there are Uplay-enabled games such as From Dust that are not listed here.

  • Assassin's Creed II
  • Assassin's Creed: Brotherhood
  • Assassin's Creed: Project Legacy
  • Assassin's Creed Revelations
  • Assassin's Creed III
  • Beowulf: The Game
  • Brothers in Arms: Furious 4
  • Call of Juarez: The Cartel
  • Driver: San Francisco
  • Heroes of Might and Magic VI
  • Just Dance 3
  • Prince of Persia: The Forgotten Sands
  • Pure Football
  • R.U.S.E.
  • Shaun White Skateboarding
  • Silent Hunter 5: Battle of the Atlantic
  • The Settlers 7: Paths to a Kingdom
  • Tom Clancy's H.A.W.X. 2
  • Tom Clancy's Ghost Recon: Future Soldier
  • Tom Clancy's Splinter Cell: Conviction
  • Your Shape: Fitness Evolved

Source: Rock Paper Shotgun

Update: Ubisoft Community Developer Korchaa has posted on the Ubisoft forum to officially announce a patch to version 2.0.4, which should fix the security issue. The client should update itself automatically on restart, and Korchaa recommends running the updater without any web browsers open so that the affected plugin can update properly.
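
The design flaw reported above, a browser-reachable plugin that starts whatever program a web page names, next to a launcher that only accepts fixed actions, as an added example (not Ubisoft's code and not from the article). The action names, origins, paths and request fields are hypothetical, and neither function starts a process; each only returns the command it would run.

```javascript
// Added illustration: a hypothetical browser-to-desktop launcher bridge.
// All names, paths, origins and request fields are constructed for the example.

// Fixed actions the bridge will perform; the page can pick one, never define one.
const ALLOWED_ACTIONS = new Map([
  ["open-client", { exe: "C:\\Program Files\\ExampleLauncher\\client.exe", args: [] }],
  ["launch-game", { exe: "C:\\Program Files\\ExampleLauncher\\client.exe", args: ["--game"] }],
]);
// Origins allowed to talk to the bridge. The origin must be the value the
// browser reports for the calling page, never a field inside the request.
const TRUSTED_ORIGINS = new Set(["https://launcher.example.com"]);
const GAME_ID = /^[0-9]{1,6}$/;

// Model of the flawed design: the page names the program and the bridge
// returns it as the command to start, with no checks at all.
function resolveUnsafe(request) {
  return { ok: true, exe: request.path, args: request.args || [] };
}

// Hardened design: returns the command to start, or a refusal with a reason.
function resolveSafe(request, origin) {
  if (!TRUSTED_ORIGINS.has(origin)) return { ok: false, reason: "untrusted origin" };
  if (request === null || typeof request !== "object") {
    return { ok: false, reason: "malformed request" };
  }
  const action = ALLOWED_ACTIONS.get(request.action);
  if (!action) return { ok: false, reason: "unknown action" };
  const args = [...action.args];
  if (request.action === "launch-game") {
    // The only caller-controlled value is a short numeric id.
    if (typeof request.gameId !== "string" || !GAME_ID.test(request.gameId)) {
      return { ok: false, reason: "bad game id" };
    }
    args.push(request.gameId);
  }
  return { ok: true, exe: action.exe, args };
}

// Constructed requests, as a web page might send them.
const samples = [
  [{ path: "calc.exe", args: [] }, "https://blog.example.net"],
  [{ action: "launch-game", gameId: "42" }, "https://launcher.example.com"],
  [{ action: "launch-game", gameId: "42 & calc" }, "https://launcher.example.com"],
];
for (const [req, origin] of samples) {
  console.log(origin, JSON.stringify(req), "->", JSON.stringify(resolveSafe(req, origin)));
}
```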

There's no need to uninstall the games - all you need to do is disable the plugin.

And apparently Ubisoft has already replied. I wonder what they broke this time.

EDIT: And the situation in a nutshell: http://www.escapistmagazine.com/articles/view/comics/stolen-pixels/7265-Stolen-Pixels-175-Ubisoft

Good. I don't have it. Haven't touched it actually for over months.

Good thing I refused to buy Ubisoft's games on the PC. I just buy them used on the console so Ubisoft gets screwed as they have proven they deserve it.

Doesn't affect me much since I get their games on consoles.

--

Yes, well... at least the DRM stops pirates.

As if I needed another reason to not play their games. I do have two on this list, so I guess I'll have to look into disabling the plug-in.

Doesn't affect me, and I got IE. Maybe IE has been proven useful.

It seems kind of odd that their game DRM has a browser component. Why would you need to use one when you've got the uplay program?

I'm calling Orwellian surveillance now, before someone else takes it.

(Also, don't buy Ubisoft, it's a cheap and easy way to help make the world a better place.)

When it comes to PC games, it's Ubisoft themselves that are the major holes.

Sigilis:
It seems kind of odd that their game DRM has a browser component. Why would you need to use one when you've got the uplay program?

I'm calling Orwellian surveillance now, before someone else takes it.

(Also, don't buy Ubisoft, it's a cheap and easy way to help make the world a better place.)

Because UPlay itself works as a shitty webpage. But rather than handling things locally, it executes the programs through the website itself. Obviously this is something it can't normally do (for good reason), so they added a plugin that lets them remotely start the game for you... only, turns out, the security on this plugin is non-existent, so anyone can execute just about anything they want to on your system remotely, including gaining command line access through cmd.exe.

It is important to note that this is a security hole only because Ubisoft decided it was fine to install a rootkit/backdoor on their customers' PCs. If they didn't write that piece of software, there would be no security hole.

Installing a rootkit without the user's consent is not only illegal, it's also a huge responsibility. What you're installing silently gives you access to all of a computer, possibly with administration rights (meaning your program can in turn install anything it likes).

But more to the point, "with great powers come great responsibilities." You need to make sure your program is rock-solid, and that nobody else will find a hole in it (good frakking luck with that). Any company with an ounce of morals would take a step back and think if it's worth it to not only (illegally) spy on its customers, but also if they are high-tech enough to make sure nobody else than them can exploit that hole (hint: unless you're a security company, you don't know what you're doing - even RSA got hacked - look it up - and that says a lot).

Having your computer compromised can ruin your life. I'm not even going into the sexy times pictures you might have (believe it or not, hackers don't care about that), but your personal information can be extrapolated, if not directly compromised, your banking account stolen, and everything else.

Ok that's too long of a post, but IT security is part of my job and that kind of behavior just makes me mad.

Starke:

Sigilis:
It seems kind of odd that their game DRM has a browser component. Why would you need to use one when you've got the uplay program?

I'm calling Orwellian surveillance now, before someone else takes it.

(Also, don't buy Ubisoft, it's a cheap and easy way to help make the world a better place.)

Because UPlay itself works as a shitty webpage. But rather than handling things locally, it executes the programs through the website itself. Obviously this is something it can't normally do (for good reason), so they added a plugin that lets them remotely start the game for you... only, turns out, the security on this plugin is non-existent, so anyone can execute just about anything they want to on your system remotely, including gaining command line access through cmd.exe.

Sometimes I program things, so this response hit me like a jackhammer. I liked it better when they were an evil conspiracy of devious executives who siphon credit card details and personal passwords. It was a much better image than this evil cabal of idiots that can't figure out how to make a client application so they just make an especially insecure trojan hook you up to a botnet.

On the flip side, if their DRM programming is so bad, I don't think I'm missing anything by abstaining.

Checked it again to make sure I didn't miss it. I don't have it at all, so I'm safe. I actually never allow other programs to interact with my browsers.

Legion:
Yes, well... at least the DRM stops pirates.

Hahahahahaha...

Ah.. man... that was a good one...

Really, though. Is this a surprise to anyone?

Furism:
It is important to note that this is a security hole only because Ubisoft decided it was fine to install a rootkit/backdoor on their customers' PCs. If they didn't write that piece of software, there would be no security hole.

Installing a rootkit without the user's consent is not only illegal, it's also a huge responsibility. What you're installing silently gives you access to all of a computer, possibly with administration rights (meaning your program can in turn install anything it likes).

But more to the point, "with great powers come great responsibilities." You need to make sure your program is rock-solid, and that nobody else will find a hole in it (good frakking luck with that). Any company with an ounce of morals would take a step back and think if it's worth it to not only (illegally) spy on its customers, but also if they are high-tech enough to make sure nobody else than them can exploit that hole (hint: unless you're a security company, you don't know what you're doing - even RSA got hacked - look it up - and that says a lot).

Having your computer compromised can ruin your life. I'm not even going into the sexy times pictures you might have (believe it or not, hackers don't care about that), but your personal information can be extrapolated, if not directly compromised, your banking account stolen, and everything else.

Ok that's too long of a post, but IT security is part of my job and that kind of behavior just makes me mad.

First of all, installing rootkits is not any more illegal than installing any other piece of software - that is, not illegal at all. You could say it's immoral, but it isn't illegal.

Second of all, this isn't a rootkit - this is a badly programmed browser plugin.

Third of all, there's no evidence this was used to spy on anyone - the evidence says this was a launcher for uPlay that a developmentally disabled monkey wrote.

insanelich:

First of all, installing rootkits is not any more illegal than installing any other piece of software - that is, not illegal at all. You could say it's immoral, but it isn't illegal.

Second of all, this isn't a rootkit - this is a badly programmed browser plugin.

Third of all, there's no evidence this was used to spy on anyone - the evidence says this was a launcher for uPlay that a developmentally disabled monkey wrote.

1. Sony might beg to differ. They had to settle out of court their own rootkit/copy protection problems.

2. It is a rootkit. It's installed without user's consent and allows running arbitrary code from a remote place. Even if the intent is not "evil", it's still a rootkit. You could argue that it's not a "rootkit" because it doesn't try really hard to hide itself, but at the very least it's a trojan.

3. It doesn't mean there isn't any tool that exploits this (like in the Sony case) as most likely somebody else found the hole way before that Google engineer. The groups that crack games for fun must have found this years ago.

Furism:

1. Sony might beg to differ. They had to settle out of court their own rootkit/copy protection problems.

2. It is a rootkit. It's installed without user's consent and allows running arbitrary code from a remote place. Even if the intent is not "evil", it's still a rootkit. You could argue that it's not a "rootkit" because it doesn't try really hard to hide itself, but at the very least it's a trojan.

1. I'm fairly sure Ubisoft buried clauses about uPlay in the EULA - making installing this at least somewhat legal. Now, settling out of court most definitely doesn't determine the legal status of anything, so the jury's still out.

2. This is simply not true. A rootkit is defined by how it hides itself - and uPlay doesn't do any hiding, so it's not a rootkit.

It is also not a trojan. Trojans masquerade as or within something legitimate. uPlay is quite open about what it is - and this problem was merely a flaw in the execution. If uPlay was meant to be a remote platform for spying, then it would be a trojan. As it is, it is merely a phenomenally badly thought out piece of software.

If you thought Ubisoft were unimpressive before...

EULAs are not legally enforceable. You cannot sign away your rights. Also, EULAs are usually considered null and void by judges because they are presented only after a purchase is made.

The consumers,

they CLAMOR for DRM!

THEY CLAMOR

insanelich:

Furism:

1. Sony might beg to differ. They had to settle out of court their own rootkit/copy protection problems.

2. It is a rootkit. It's installed without user's consent and allows running arbitrary code from a remote place. Even if the intent is not "evil", it's still a rootkit. You could argue that it's not a "rootkit" because it doesn't try really hard to hide itself, but at the very least it's a trojan.

1. I'm fairly sure Ubisoft buried clauses about uPlay in the EULA - making installing this at least somewhat legal. Now, settling out of court most definitely doesn't determine the legal status of anything, so the jury's still out.

2. This is simply not true. A rootkit is defined by how it hides itself - and uPlay doesn't do any hiding, so it's not a rootkit.

It is also not a trojan. Trojans masquerade as or within something legitimate. uPlay is quite open about what it is - and this problem was merely a flaw in the execution. If uPlay was meant to be a remote platform for spying, then it would be a trojan. As it is, it is merely a phenomenally badly thought out piece of software.

I'm pretty sure you're being too generous with the benefit of the doubt here... and EULAs carry no legal weight at all. uPlay may not have been intended as spyware, but its potential effect is more devastating than the majority of malware out there. That little plugin had the power to do ANYTHING on your computer, and they couldn't be fucked to make it secure? That's all kinds of irresponsible at the very least, criminal at the worst.

Furism:
3. It doesn't mean there isn't any tool that exploits this (like in the Sony case) as most likely somebody else found the hole way before that Google engineer. The groups that crack games for fun must have found this years ago.

This "feature" apparently only got patched in like a month ago with the uPlay 2.0 update; before that there were no "Browser Plugins". That's also the reason why for some people the exploit doesn't work, e.g. they haven't played any Ubisoft games recently.

I have Assassin's Creed II installed, and therefore Uplay.

I do not (I just checked) have any of the browser plugins installed.

Additionally, when I started Uplay just now, it had to update itself, and the update told me that it fixed the bug, and now browsers can only open Uplay, not run arbitrary code.

Except, if I go to this test page, my calculator opens.

So Ubisoft has not only not fixed the problem, but they're lying to me and saying they have. Also, don't think you're safe just because you don't have the browser plugins.

Ubisoft DRM, preventing legitimate customers from accessing their games whilst simultaneously letting hackers in.

Luckily I don't have the plugin installed so I'm safe.

This is considered news? Ubisoft has such terrible employees that this doesn't surprise me in the least. Remember when Ubisoft's store broke and you could get nearly all of their games for free? Well it happened 2 years in a row. I honestly don't understand how they remain in business with all the flops they've had.

Well, let's check Ubisoft's stocks:
http://www.marketwatch.com/investing/stock/UBSFF

It went really well for them the last 5 years. I'm sure that DRM crap helped a lot getting them on the road to failtown....

Edit: And while we're at it - let's check EA's stocks as well:
http://www.marketwatch.com/investing/stock/EA

Origin should be considered awesome, simply because it seems that EA is circling the drain much faster with it than without.

nodlimax:
Origin should be considered awesome, simply because it seems that EA is circling the drain much faster with it than without.

How edgy and cool. You want to see average workers lose their job. Screw the Man, right!

lul

OT: Why on Earth would you let it install the web plugin? Always, always say no to that shit. Take your toolbar/plugin/addon and shove it, I say!

The client should update itself automatically on restart, and Korchaa recommends running the updater without any web browsers open so that the affected plugin can update properly.

I've got a better idea: how about the update provides instructions on how to remove the plug-in for those who don't know how, and you remove it entirely from your shitty DRM, Ubisoft? And the only reason I'm advocating that is because I know they won't ditch the DRM entirely.

What, you mean the DRM so secure it required a constant internet connection to their servers? No, that couldn't possibly have a glaring weakness in it.

Azuaron:

So Ubisoft has not only not fixed the problem, but they're lying to me and saying they have. Also, don't think you're safe just because you don't have the browser plugins.

Actually, you are entirely safe as long as you don't have the plugins.

Here I was all ready to purchase Assassin's Creed II from Steam too. It looks like I will be saving twenty dollars.

First they attempt to lockout paying customers from their games, then they put a harmful and dangerous exploit in the worthless DRM. Every time I hear Ubishit news I am just more glad I don't give their shitty company my patronage.

Funny, while I was making sure I didn't have the plugin, I got an email saying someone was trying to change the password on one of my online accounts. The Internets are unfriendly today.
