Update: Major Security Hole Found in Ubisoft's PC Titles

McMullen

New member
Mar 9, 2010
1,334
0
0
Sgt. Sykes said:
And that's why, with every PC game I purchase, I also download a crack and install the cracked version instead of the DRM-ed, bug-ridden, slow, unstable, online-only, demanding, dangerous bloatware/spyware which is the original executable.

Well except two great Ubisoft games where I didn't have to do that. HAWX 1 and PoP 2008, which featured no DRM. I love those games. No hassle, just play.
What a strange world we live in, where people consider bootleg software to be safer and more secure than the legitimate item.
 

Twilight_guy

Sight, Sound, and Mind
Nov 24, 2008
7,131
0
0
Oh Ubisoft. Y u do dumb shit like this?

I have no idea why they would need to install a web browser plug-in but that's some super shady stuff.
 

insanelich

Reportable Offender
Sep 3, 2008
443
0
0
faefrost said:
The point where it crosses the line is they went and modified a piece of your software that they neither sold you, nor informed you about. Their DRM wasn't just a DRM scheme. It went and modified Internet Explorer. Which thanks to previous court decisions can actually be viewed as separate from the OS itself, and as such way out of bounds for Ubi to have been screwing with without informed consent. And yeah doing that wasn't a simple glitch. That was intentional. It's how their DRM program worked, not an unintended side effect. Their DRM worked by hacking another one of your applications. The massive security holes were the unintended consequence.

Oopsie!

If someone found a halfway competent lawyer they could have a field day with this one.
There's no modifying Internet Explorer here. They merely installed a plugin - a perfectly supported means of adding "functionality" to browsers. They also added a Mozilla-compatible plugin. They also didn't "hack" anything there.
 

theultimateend

New member
Nov 1, 2007
3,621
0
0
Clearing the Eye said:
nodlimax said:
Origin should be considered awesome, simply because it seems that EA is circling the drain much faster with it than without.
How edgy and cool. You want to see average workers lose their job. Screw the Man, right!

lul

OT: Why on Earth would you let it install the web plugin? Always, always say no to that shit. Take your toolbar/plugin/addon and shove it, I say!
Not to point out the obvious but depending on the speed that it happened they'd be able to move elsewhere.

I've been at a game company that closed down and that was what I ended up doing >_>.

Similarly I'm not very big on the Pentagon, doesn't mean I want every soldier to be jobless and homeless, I'd rather they end up with better jobs elsewhere.

Not really edgy. Also the "Screw the man." 'observation' is no less contrived and cliche than the commentary itself.
 

Alma Mare

New member
Nov 14, 2010
263
0
0
008Zulu said:
I remember when Sony pulled this crap, at least Ubi had the goodwill to fix their problem.
Fixing incompetence on such a scale that it is borderline criminal has nothing to do with goodwill. It's the very least they should be doing.
 

Starke

New member
Mar 6, 2008
3,877
0
0
Sigilis said:
Starke said:
Sigilis said:
It seems kind of odd that their game DRM has a browser component. Why would you need to use one when you've got the uplay program?

I'm calling Orwellian surveillance now, before someone else takes it.

(Also, don't buy Ubisoft, it's a cheap and easy way to help make the world a better place.)
Because UPlay itself works as a shitty webpage. But rather than handling things locally, it executes the programs through the website itself. Obviously this is something it can't normally do (for good reason), so they added a plugin that lets them remotely start the game for you... only, turns out, the security on this plugin is non-existent, so anyone can execute just about anything they want to on your system remotely, including gaining command line access through cmd.exe.
Sometimes I program things, so this response hit me like a jackhammer. I liked it better when they were an evil conspiracy of devious executives who siphon credit card details and personal passwords. It was a much better image than this evil cabal of idiots that can't figure out how to make a client application so they just make an especially insecure trojan hook you up to a botnet.

On the flip side, if their DRM programming is so bad, I don't think I'm missing anything by abstaining.
Yeah, what was that old truism? "Never blame malice for something that can be adequately laid at the feet of incompetence"? Or was it "stupidity"? Either way, it certainly holds true here.

That said, I'm working off other people's assessment of it, so I could be mistaken, but the cabal of idiots who can't find their ass with both hands in a well lit room seems accurate.
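
Added example, not part of the original thread and not Ubisoft's code: the design described in the quoted post above, where a web page tells a browser plugin what to start, sketched in JavaScript beside a hardened form. Every function name, origin, game id and path here is hypothetical and constructed for illustration.

```javascript
// Added illustration only; every name, origin and path is hypothetical.
// Constructed catalogue the launcher writes at install time: game id -> executable.
const INSTALLED_GAMES = new Map([
  ["game-a", "C:\\Games\\GameA\\game-a.exe"],
  ["game-b", "C:\\Games\\GameB\\game-b.exe"],
]);
const TRUSTED_ORIGINS = new Set(["https://launcher.example"]);

// Weak design: whatever page is open supplies the executable and arguments,
// so the page, not the user or the launcher, decides what runs.
function resolveLaunchUnsafe(request) {
  return { run: request.exe, args: request.args || [] };
}

// Hardened design: the page may only name an installed game. The path comes
// from the local catalogue and no page-supplied arguments are passed through.
function resolveLaunch(request, pageUrl) {
  let origin;
  try {
    origin = new URL(pageUrl).origin; // exact scheme + host + port
  } catch {
    return { error: "bad page url" };
  }
  if (!TRUSTED_ORIGINS.has(origin)) return { error: "untrusted origin" };
  if (!request || typeof request.gameId !== "string") return { error: "missing game id" };
  const exe = INSTALLED_GAMES.get(request.gameId);
  if (exe === undefined) return { error: "unknown game" };
  return { run: exe, args: [] };
}

// Constructed requests: one shaped like the hole described above, the rest
// showing what the hardened resolver accepts and rejects.
function demo() {
  const hostile = { exe: "C:\\Windows\\System32\\cmd.exe", args: ["/c", "echo constructed"], gameId: "../cmd" };
  return {
    unsafe: resolveLaunchUnsafe(hostile),
    lookalike: resolveLaunch({ gameId: "game-a" }, "https://launcher.example.attacker.test/"),
    wrongId: resolveLaunch(hostile, "https://launcher.example/play"),
    ok: resolveLaunch({ gameId: "game-a" }, "https://launcher.example/play"),
  };
}
console.log(demo());
```

The origin comparison is exact, so a look-alike host that merely starts with the trusted name is rejected, and the hardened resolver never returns a path that came from the page.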
 

darkszero

New member
Apr 1, 2010
68
0
0
Genuine Evil said:
But I guess at an extent all DRM is essentially a rootkit, and I only use Windows for gaming so it's not really a big deal for me.
Remote execution is a serious problem. It could easily hook into your computer's boot (even if it's a grub) and insert some malicious code there.
From there, it could do whatever it wanted.
 

Andy of Comix Inc

New member
Apr 2, 2010
2,234
0
0
First thing I thought when I heard there was a hackable "backdoor" entrance:

"Did you fix the firewall yet, Pritchard?"
"You don't 'fix' an entire firewall, Jensen. You find the loophole and you plug it."

I've played too much Human Revolution. It's stuck in my braaaaiin
 

chadachada123

New member
Jan 17, 2011
2,310
0
0
insanelich said:
There's no need to uninstall the games - all you need to do is disable the plugin.

And apparently Ubisoft has already replied. I wonder what they broke this time.

EDIT: And the situation in a nutshell: http://www.escapistmagazine.com/articles/view/comics/stolen-pixels/7265-Stolen-Pixels-175-Ubisoft
Uhhh...when I visit their test page to see if my computer is still at risk, it asks if I want to install missing plug-ins. I don't really like that, lol. Someone that wasn't paying attention might accidentally install it without thinking.

OT: That's a really serious hole. I got a ZeroAccess Root Kit a week or two ago, and had to spend hours upon hours cleaning my computer. I'm not dumb when it comes to browsing or allowing programs to have access to my PC, either, and I was quick to recognize that there was an issue. I pity anyone that isn't at least as capable as me in this respect, and hope that Ubisoft dies in a fire patches this quickly.
 

nodlimax

New member
Feb 8, 2012
191
0
0
Clearing the Eye said:
nodlimax said:
Origin should be considered awesome, simply because it seems that EA is circling the drain much faster with it than without.
How edgy and cool. You want to see average workers lose their job. Screw the Man, right!

lul

OT: Why on Earth would you let it install the web plugin? Always, always say no to that shit. Take your toolbar/plugin/addon and shove it, I say!
It's always sad for the "little guys", but I can't change that. It's the company itself I want to see going down, because they make stupid decisions to hassle the customers.

It's the same with car manufacturers. If they build shitty cars, people won't buy them. That will cause the company to go bankrupt and the people will lose their jobs. It's how business works.

All hail to capitalism.......
 

Starke

New member
Mar 6, 2008
3,877
0
0
Furism said:
insanelich said:
First of all, installing rootkits is not any more illegal than installing any other piece of software - that is, not illegal at all. You could say it's immoral, but it isn't illegal.

Second of all, this isn't a rootkit - this is a badly programmed browser plugin.

Third of all, there's no evidence this was used to spy on anyone - the evidence says this was a launcher for uPlay that a developmentally disabled monkey wrote.
1. Sony might beg to differ. [http://www.zdnet.com/sony-settles-class-action-lawsuit-over-drm-3039244664/] They had to settle out of court their own rootkit/copy protection problems.

2. It is a rootkit. It's installed without user's consent and allows running arbitrary code from a remote place. Even if the intent is not "evil", it's still a rootkit. You could argue that it's not a "rootkit" because it doesn't try really hard to hide itself, but at the very least it's a trojan.

3. It doesn't mean there isn't any tool that exploits this (like in the Sony case) as most likely somebody else found the hole way before that Google engineer. The groups that crack games for fun must have found this years ago.
It's not a rootkit, it's a backdoor. A rootkit is something that installs itself at the lowest levels of the operating system, and is virtually impossible to remove, this is an unsecured browser plugin. Now, someone could use this plugin to install a rootkit of their own, but the plugin is not, by any stretch of the imagination, a rootkit.
 

Starke

New member
Mar 6, 2008
3,877
0
0
chadachada123 said:
insanelich said:
There's no need to uninstall the games - all you need to do is disable the plugin.

And apparently Ubisoft has already replied. I wonder what they broke this time.

EDIT: And the situation in a nutshell: http://www.escapistmagazine.com/articles/view/comics/stolen-pixels/7265-Stolen-Pixels-175-Ubisoft
Uhhh...when I visit their test page to see if my computer is still at risk, it asks if I want to install missing plug-ins. I don't really like that, lol. Someone that wasn't paying attention might accidentally install it without thinking.

OT: That's a really serious hole. I got a ZeroAccess Root Kit a week or two ago, and had to spend hours upon hours cleaning my computer. I'm not dumb when it comes to browsing or allowing programs to have access to my PC, either, and I was quick to recognize that there was an issue. I pity anyone that isn't at least as capable as me in this respect, and hope that Ubisoft dies in a fire patches this quickly.
It actually won't install. If you do try to click the option to find and install the missing plugin, you get a message about how the plugin can't be found. I know this because I tried it... FOR SCIENCE! Anyway, that site isn't a huge threat on its own.
 

lapan

New member
Jan 23, 2009
1,456
1
0
I have long since made it my policy not to buy any PC versions of Ubisoft games, so I should be fine.