
Update: Major Security Hole Found in Ubisoft’s PC Titles

This article is over 12 years old and may contain outdated information

A browser extension installed with Ubisoft’s DRM could leave your computer wide open to hackers.

A backdoor has been discovered in Ubisoft’s Uplay DRM system, which could allow malicious attacks on users’ systems. The problem, Rock Paper Shotgun reports, lies in a browser plugin that installs itself quietly with Uplay.

The exploit in its current form could allow a remote attacker to launch programs or installers, or even reformat a user’s hard drive, through something as simple as a weblink or piece of code injected into a website. PCs that do not have the browser plugin installed should not be affected. The team at RPS tested the exploit code immediately after installing Uplay and were able to use it to launch Windows Calculator automatically. The same procedure could easily be put to more malicious use, and the code required to do so fits on only a couple of lines.

An unnamed security expert told RPS that “you could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it’d also install a program via Ubisoft’s DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited WordPress, say.” It’s not clear exactly how much damage an attacker could cause with this, but anything that allows remote code execution is a major concern. Ubisoft has yet to comment on the issue.

In light of this discovery, all users who think they might be affected should disable the browser plugin and consider temporarily uninstalling any Uplay-enabled games until Ubisoft manages to patch the problem. RPS forum member Revisor has posted removal instructions for the plugin on Firefox, Opera and Chrome. The list of games known to be affected by the issue follows, but it’s not certain at the moment whether it’s comprehensive – especially as there are Uplay-enabled games such as From Dust that are not listed here.

  • Assassin’s Creed II
  • Assassin’s Creed: Brotherhood
  • Assassin’s Creed: Project Legacy
  • Assassin’s Creed Revelations
  • Assassin’s Creed III
  • Beowulf: The Game
  • Brothers in Arms: Furious 4
  • Call of Juarez: The Cartel
  • Driver: San Francisco
  • Heroes of Might and Magic VI
  • Just Dance 3
  • Prince of Persia: The Forgotten Sands
  • Pure Football
  • R.U.S.E.
  • Shaun White Skateboarding
  • Silent Hunter 5: Battle of the Atlantic
  • The Settlers 7: Paths to a Kingdom
  • Tom Clancy’s H.A.W.X. 2
  • Tom Clancy’s Ghost Recon: Future Soldier
  • Tom Clancy’s Splinter Cell: Conviction
  • Your Shape: Fitness Evolved

Source: Rock Paper Shotgun

Update: Ubisoft Community Developer Korchaa has posted on the Ubisoft forum to officially announce a patch to version 2.0.4, which should fix the security issue. The client should update itself automatically on restart, and Korchaa recommends running the updater without any web browsers open so that the affected plugin can update properly.
