A browser extension installed with Ubisoft’s DRM could leave your computer wide open to hackers.
A backdoor has been discovered in Ubisoft’s Uplay DRM system, which could allow malicious attacks on users’ systems. The problem, Rock Paper Shotgun reports, lies in a browser plugin that installs itself quietly with Uplay.
The exploit in its current form could allow a remote attacker to launch programs or installers, or even reformat a user’s hard drive, through something as simple as a weblink or piece of code injected into a website. PCs that do not have the browser plugin installed should not be affected. The team at RPS ran a test of the exploit code immediately after installing Uplay, and were able to use it to automatically launch Windows Calculator. The same procedure could easily be used for more malicious intent as well, and the code required to do so fits on only a couple of lines.
An unnamed security expert told RPS that “you could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it’d also install a program via Ubisoft’s DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited wordpress, say.” It’s not entirely clear exactly how much damage an attacker could cause with this, but clearly anything that allows remote execution is a major concern. Ubisoft has yet to comment on the issue.
In light of this discovery, all users who think they might be affected should disable the browser plugin and consider temporarily uninstalling any Uplay-enabled games until Ubisoft manages to patch the problem. RPS forum member Revisor has posted removal instructions for the plugin on Firefox, Opera and Chrome. The list of games known to be affected by the issue follows, but it’s not certain at the moment whether it’s comprehensive – especially as there are Uplay-enabled games such as From Dust that are not listed here.
- Assassin’s Creed II
- Assassin’s Creed: Brotherhood
- Assassin’s Creed: Project Legacy
- Assassin’s Creed Revelations
- Assassin’s Creed III
- Beowulf: The Game
- Brothers in Arms: Furious 4
- Call of Juarez: The Cartel
- Driver: San Francisco
- Heroes of Might and Magic VI
- Just Dance 3
- Prince of Persia: The Forgotten Sands
- Pure Football
- Shaun White Skateboarding
- Silent Hunter 5: Battle of the Atlantic
- The Settlers 7: Paths to a Kingdom
- Tom Clancy’s H.A.W.X. 2
- Tom Clancy’s Ghost Recon: Future Soldier
- Tom Clancy’s Splinter Cell: Conviction
- Your Shape: Fitness Evolved
Source: Rock Paper Shotgun
Update: Ubisoft Community Developer Korchaa has posted on the Ubisoft forum to officially announce a patch to version 2.0.4, which should fix the security issue. The client should update itself automatically on restart, and Korchaa recommends running the updater without any web browsers open so that the affected plugin can update properly.