Update: Major Security Hole Found in Ubisoft's PC Titles

[Jeremy Wilkinson]

Update: Major Security Hole Found in Ubisoft's PC Titles

A browser extension installed with Ubisoft's DRM could leave your computer wide open to hackers.

A backdoor has been discovered in Ubisoft's Uplay DRM system, which could allow malicious attacks on users' systems. The problem, Rock Paper Shotgun reports, lies in a browser plugin that installs itself quietly with Uplay.

The exploit in its current form could allow a remote attacker to launch programs or installers, or even reformat a user's hard drive, through something as simple as a weblink or piece of code injected into a website. PCs that do not have the browser plugin installed should not be affected. The team at RPS ran a test of the exploit code immediately after installing Uplay, and were able to use it to automatically launch Windows Calculator. The same procedure could easily be used for more malicious intent as well, and the code required to do so fits on only a couple of lines.

An unnamed security expert told RPS that "you could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it'd also install a program via Ubisoft's DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited wordpress, say." It's not entirely clear exactly how much damage an attacker could cause with this, but clearly anything that allows remote execution is a major concern. Ubisoft has yet to comment on the issue.

In light of this discovery, all users who think they might be affected should disable the browser plugin and consider temporarily uninstalling any Uplay-enabled games until Ubisoft manages to patch the problem. RPS forum member Revisor has posted removal instructions [http://www.rockpapershotgun.com/forums/showthread.php?5725-Ubisoft-DRM-is-a-security-risk&p=169118&viewfull=1#post169118] for the plugin on Firefox, Opera and Chrome. The list of games known to be affected by the issue follows, but it's not certain at the moment whether it's comprehensive - especially as there are Uplay-enabled games such as From Dust that are not listed here.


Assassin's Creed II
Assassin's Creed: Brotherhood
Assassin's Creed: Project Legacy
Assassin's Creed Revelations
Assassin's Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
R.U.S.E.
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy's H.A.W.X. 2
Tom Clancy's Ghost Recon: Future Soldier
Tom Clancy's Splinter Cell: Conviction
Your Shape: Fitness Evolved

Source: Rock Paper Shotgun [http://www.rockpapershotgun.com/2012/07/30/psa-possible-security-risk-in-some-ubisoft-pc-games/]

Update: Ubisoft Community Developer Korchaa has posted on the Ubisoft forum [http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix] to officially announce a patch to version 2.0.4, which should fix the security issue. The client should update itself automatically on restart, and Korchaa recommends running the updater without any web browsers open so that the affected plugin can update properly.

Permalink

 

[insanelich]

There's no need to uninstall the games - all you need to do is disable the plugin.

And apparently Ubisoft has already replied. I wonder what they broke this time.

EDIT: And the situation in a nutshell: http://www.escapistmagazine.com/articles/view/comics/stolen-pixels/7265-Stolen-Pixels-175-Ubisoft

 

[Metalrocks]

good. i dont have it. havent touched it actually for over months.

 

[GAunderrated]

Good thing I refused to buy ubisoft's games on the PC. I just buy them used on the console so ubisoft gets screwed as they have proven they deserve it.

 

[Zoe Castillo]

--

 

[Legion]

Yes, well... at least the DRM stops pirates.

 

[Blade_125]

As if I needed another reason to not play thier games. I do have two on this list, so I guess I'll have to look into disabling the plug in.

 

[halobolola]

Doesn't affect me, and i got IE. maybe IE has been proven useful.

 

[Sigilis]

It seems kind of odd that their game DRM has a browser component. Why would you need to use one when you've got the uplay program?

I'm calling Orwellian surveillance now, before someone else takes it.

(Also, don't buy Ubisoft, its a cheap and easy way to help make the world a better place.)

 

[Starke]

It seems kind of odd that their game DRM has a browser component. Why would you need to use one when you've got the uplay program?

I'm calling Orwellian surveillance now, before someone else takes it.

(Also, don't buy Ubisoft, its a cheap and easy way to help make the world a better place.)

Because UPlay itself works as a shitty webpage. But rather than handling things locally, it executes the programs through the website itself. Obviously this is something it can't normally do (for good reason), so they added a plugin that lets them remotely start the game for you... only, turns out, the security on this plugin is non-existent, so anyone can execute just about anything they want to on your system remotely, including gaining command line access through cmd.exe.

 

[Furism]

It is important to note that this is a security hole only because Ubisoft decided it was fine to install a rootkit/backdoor on their customers' PCs. If they didn't write that piece of software, there would be no security hole.

Installing a rootkit without the user's consent is not only illegal, it's also a huge responsibility. What you're installing silently gives you access to all of a computer, possibly with administration rights (meaning your program can in turn install anything it likes).

But more to the point, "with great powers come great responsibilities." You need to make sure your program is rock-solid, and that nobody else will find a hole in it (good frakking luck with that). Any company with an ounce of morals would take a step back and think if it's worth it to not only (illegaly) spy on its customers, but also if they are high-tech enough to make sure nobody else than them can exploit that hole (hint: unless you're a security company, you don't know what you're doing - even RSA got hacked - look it up - and that says a lot).

Having your computer compromised can ruin your life. I'm not even going into the sexy times pictures you might have (believe it or not, hackers don't care about that), but your personal information can be extrapolated, if not directly compromised, your banking account stolen, and everything else.

Ok that's too long of a post, but IT security is part of my job and that kind of behavior just makes me mad.

 

[Sigilis]

It seems kind of odd that their game DRM has a browser component. Why would you need to use one when you've got the uplay program?

I'm calling Orwellian surveillance now, before someone else takes it.

(Also, don't buy Ubisoft, its a cheap and easy way to help make the world a better place.)

Because UPlay itself works as a shitty webpage. But rather than handling things locally, it executes the programs through the website itself. Obviously this is something it can't normally do (for good reason), so they added a plugin that lets them remotely start the game for you... only, turns out, the security on this plugin is non-existent, so anyone can execute just about anything they want to on your system remotely, including gaining command line access through cmd.exe.

Sometimes I program things, so this response hit me like a jackhammer. I liked it better when they were an evil conspiracy of devious executives who siphon credit card details and personal passwords. It was a much better image than this evil cabal of idiots that can't figure out how to make a client application so they just make an especially insecure trojan hook you up to a botnet.

On the flip side, if their DRM programming is so bad, I don't think I'm missing anything by abstaining.

 

[Metalrocks]

checked it again to make sure i dint miss it. i dont have it at all, so im safe. i actually never allow other programs to interact with my browsers.

 

[WanderingFool]

Yes, well... at least the DRM stops pirates.

Hahahahahaha...

Ah.. man... that was a good one...

Really, though. Is this a surprise to anyone?

 

[insanelich]

It is important to note that this is a security hole only because Ubisoft decided it was fine to install a rootkit/backdoor on their customers' PCs. If they didn't write that piece of software, there would be no security hole.

Installing a rootkit without the user's consent is not only illegal, it's also a huge responsibility. What you're installing silently gives you access to all of a computer, possibly with administration rights (meaning your program can in turn install anything it likes).

But more to the point, "with great powers come great responsibilities." You need to make sure your program is rock-solid, and that nobody else will find a hole in it (good frakking luck with that). Any company with an ounce of morals would take a step back and think if it's worth it to not only (illegaly) spy on its customers, but also if they are high-tech enough to make sure nobody else than them can exploit that hole (hint: unless you're a security company, you don't know what you're doing - even RSA got hacked - look it up - and that says a lot).

Having your computer compromised can ruin your life. I'm not even going into the sexy times pictures you might have (believe it or not, hackers don't care about that), but your personal information can be extrapolated, if not directly compromised, your banking account stolen, and everything else.

Ok that's too long of a post, but IT security is part of my job and that kind of behavior just makes me mad.

First of all, installing rootkits is not any more illegal than installing any other piece of software - that is, not illegal at all. You could say it's immoral, but it isn't illegal.

Second of all, this isn't a rootkit - this is a badly programmed browser plugin.

Third of all, there's no evidence this was used to spy on anyone - the evidence says this was a launcher for uPlay that a developmentally disabled monkey wrote.

 

[Furism]

First of all, installing rootkits is not any more illegal than installing any other piece of software - that is, not illegal at all. You could say it's immoral, but it isn't illegal.

Second of all, this isn't a rootkit - this is a badly programmed browser plugin.

Third of all, there's no evidence this was used to spy on anyone - the evidence says this was a launcher for uPlay that a developmentally disabled monkey wrote.

1. Sony might beg to differ. [http://www.zdnet.com/sony-settles-class-action-lawsuit-over-drm-3039244664/] They had to settle out of court their own rootkit/copy protection problems.

2. It is a rootkit. It's installed without user's consent and allows running arbitrary code from a remote place. Even if the intent is not "evil", it's still a rootkit. You could argue that it's not a "rootkit" because it doesn't try really hard to hide itself, but at the very least it's a trojan.

3. It doesn't mean there isn't any tool that exploits this (like in the Sony case) as most likely somebody else found the hole way before that Google engineer. The groups that crack games for fun must have found this years ago.

 

[insanelich]

1. Sony might beg to differ. [http://www.zdnet.com/sony-settles-class-action-lawsuit-over-drm-3039244664/] They had to settle out of court their own rootkit/copy protection problems.

2. It is a rootkit. It's installed without user's consent and allows running arbitrary code from a remote place. Even if the intent is not "evil", it's still a rootkit. You could argue that it's not a "rootkit" because it doesn't try really hard to hide itself, but at the very least it's a trojan.

1. I'm fairly sure Ubisoft buried clauses about uPlay in the EULA - making installing this at least somewhat legal. Now, settling out of court most definitely doesn't determine the legal status of anything, so the jury's still out.

2. This is simply not true. A rootkit is defined by how it hides itself - and uPlay doesn't do any hiding, so it's not a rootkit.

It is also not a trojan. Trojans masquerade as or within something legitimate. uPlay is quite open about what it is - and this problem was merely a flaw in the execution. If uPlay was meant to be a remote platform for spying, then it would be a trojan. As it is, it is merely a phenomenally badly thought out piece of software.

 

[SnakeoilSage]

If you thought Ubisoft were unimpressive before...