Warning: Big Security Risk In Some Ubisoft PC Games

By Alec Meer on July 30th, 2012 at 11:30 am.

really wish I hadn't searched Google Images for 'backdoor'

Update – Ubisoft may have plugged the hole, but it’s difficult to know for sure as they don’t appear to be discussing the issue. There are reports on the Ubi forums (thanks, Imperial Dane) that Uplay has been updated to version 2.04, which if the commenter is accurate bears the note “‘Fix addressing browser plugin. Plugin now only able to open uPlay application.” If your Uplay hasn’t/won’t update to version 2.04, I’d get rid of it and its plugin for now. To be honest I’d get rid of the plugin regardless, until we’re sure the problem’s been resolved.

We’re currently investigating the full extent of this, but moralising and recrimination can come later. For now, the important thing is to warn folks who have certain Ubisoft games installed on their PCs that an apparent backdoor has been discovered in the Uplay infrastructure/DRM which may in theory allow any anyone so minded to install God knows what horrors on your PC. It isn’t confirmed as definite, but certainly proof of concept code is calling up Uplay windows and then loading other programs from websites that have nothing to do with Ubisoft. If Uplay is on your PC, I urge you to uninstall it and any games that use it immediately, until we know more. Update: the flaw lies specifically in a browser plugin Uplay quietly installs, and the general consensus is now that’s all you need to remove to protect yourself. See below for details on how to rid your PC of it.

Essentially, as described here, with the right piece of code any website can call up a Uplay window and from that might be able to slip a program install or launch of their choice onto your PC. Were someone with malevolent intent to inject the code onto a commonly-visited website, they might be able to gain control over any number of PCs – or install keyloggers, viruses and the like, or just plain old wipe your hard drive. The web security expert we chatted to says this could even occur via an email link, making this exploit a phisher’s dream if it’s as a bad as it sounds.

Says the expert we spoke to, “you could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it’d also install a program via UBISoft’s DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited wordpress, say.”

But I come here not to sensationalise, but to warn. With news of this backdoor spreading like wildfire and proof of concept code already out there, there’s a very real chance that someone will try to achieve something unpleasant with it before Ubisoft can shut it down. That’s presuming it is what it appears to be, of course – this may turn out to be an exaggeration, especially as the internet does so love to mock Ubi’s notorious DRM, but so far the evidence very much points to this being as dangerous as it sounds. I’ve contacted Ubisoft for comment and will update as and when we know more. There’s been no response as yet, and other sites are reporting similar silence.

The fault does appear to specifically lie with a browser plugin Uplay installs rather than Uplay itself, so remove that from your Firefox/Chrome/IE/etc extensions as a priority, but I’m erring on the side of extreme caution and advocating the removal of anything associated with Uplay until this apparent threat is dealt with. Here’s how to locate and disable the errant plugin:


Firefox:
Tools – Add-ons – Plugins – Disable the Uplay and Uplay PC Hub plugins

Chrome:
Visit about:plugins and disable

Opera:
Settings – Preferences – Advanced – Downloads – Search “Uplay”, delete

(Via Revisor on our forums).

Contrary to what some parts of the web are currently screaming, this is not a rookit – it’s an exploit in a browser extension. Alas, the vast majority of folk with said browser extension will have been hitherto unaware that Uplay had installed it.

You can find the games which apparently include the exploit listed below. If you have any of them on PC, I would urge you to uninstall them and any Uplay applications as soon possible as a precautionary measure. If you have any of these games on your PC, you can also see the apparent exploit harmlessly in action with the link here.

We’ve tested with a PC that has never had Uplay installed on it. The exploit didn’t work at all. After installing Uplay alone, immediately the test link did indeed work, calling up the Uplay window, and then with that, booting the Windows Calculator. After uninstalling Uplay, the exploit once again didn’t work.

Calculator’s hardly scary of course, but if someone could use the exploit to slip another program onto your PC or run command lines, anything could happen. Frightening – even if there is still something of a question mark over exactly what level of access a nasty soul could go on to achieve. Additionally, this software would appear to allow Ubisoft to monitor PCs running Uplay, but again let’s wait for more details before any hammers of judgement are wielded.

It appears versions of some of these games are Uplay-free and thus in theory safe, but again it may be better to be paranoid than sorry. You can always reinstall later, right? I’d also urge you to check your list of installed programs in Windows, just in case an old install of the Uplay launcher/plugin is hanging around despite your having previously uninstalled any games that used it.

Here’s the list of titles known to be affected:

Assassin’s Creed II
Assassin’s Creed: Brotherhood
Assassin’s Creed: Project Legacy
Assassin’s Creed Revelations
Assassin’s Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
R.U.S.E.
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy’s H.A.W.X. 2
Tom Clancy’s Ghost Recon: Future Soldier
Tom Clancy’s Splinter Cell: Conviction
Your Shape: Fitness Evolved

I’m not at all certain that list is complete, given other games are known to use Uplay – From Dust, for instance. Check your program installs and browser extensions/plugins for any trace of it regardless – it might be there from an older install even though the game that carried it is no longer on your PC.

Again, more news as we have it.

__________________

« | »

, , , .

217 Comments »

  1. Meat Circus says:

    What a shame.

    • Revisor says:

      Disable the Uplay plugin in your browser immediately.
      If you’re not sure how, I posted the steps in the RPS forums:
      http://www.rockpapershotgun.com/forums/showthread.php?5725-Ubisoft-DRM-is-a-security-risk#4

    • Bettymartin says:

      Uplay just updated for me with the revision notes telling me that a fix has been applied so that the browser plugin can now only start Uplay.

      Does this mean we’re safe again?

    • SuperNashwanPower says:

      Replying at top so folks can see it: I have got the Steam versions of AssCreed II and AssBro, and I do not seem to have the plugin at all. I checked by loading that link (doesn’t bring up calculator) and looking at my plugins. So hopefully Valve made Ubi take their Naughty-ware out and that means folks who have the Steam versions will be ok **breathes sigh of relief**

      EDIT: I did this before starting Steam, so it would not have had the chance to patch. This hopefully means it was never affected.

      • jarunasax says:

        If there is a time period for when this happened, then it could mean that the vulnerability came from uplay to begin with *shrug* highly unlikely though. right?

  2. Enzo says:

    You gotta be fucking kidding

    • BobbyDylan says:

      Maybe some good will come of this. Like UPlay finally being dropped!

      • woodsey says:

        They’ll just patch it, claim it was no biggie and carry on regardless. We all know it.

    • MiKHEILL says:

      There’s a certain poetic beauty to all of this.
      Another notch on the belt of the anti-DRM movement.

  3. pakoito says:

    It’s not Uplay which is insecure, but the browser plugin it silently installs. Go to about:plugins (or firefox equivalent) and disable it, rather than uninstalling your game.

    • RvLeshrac says:

      Because it isn’t going to wind up reinstalling that with updates or anything.

      • BubuIIC says:

        But at least that is the place to check if you’ve gotten rid of it.
        Tools – AddOns – Plugins for Firefox

        • Vorphalack says:

          Whatever you do, don’t do this:

          1) Find Uplay plugins
          2) Disable Uplay plugins
          3) Just to be safe, uninstall Firefox
          4) Open Internet Explorer to re-install Firefox
          5) Remember you uninstalled IE 6 months ago
          6) FUUUUUUUUUUUUUUUUUUUUUU-
          7) Re-install Windows to get IE back to get Firefox back -.-

          • Rob Maguire says:

            For those reading this, it’s best to remove IE by using the ‘Turn Windows Features on or off’ program, as you can then later re-install it if you need to from that dialog. Search “windows features” in the Start Menu, or find it at C:/Windows/System32/OptionalFeatures.exe.

          • iniudan says:

            Alternative:
            6) FUUUUUUUUUUUUUUUUU then think about that rescue Linux Distribution (I suggest Parted Magic, due to high number of disk management utility while been lightweight) live USB or live CD you should had created while you still had a web browser.
            7.1) Don’t have it ? Proceed to alternative_2 8
            7.2) Have it ? Continue to 8
            8) Put into the computer the computer the support containing the live distribution and reboot to it
            9) Set up network connection (wired residential connection should be automatic)
            10) Use the web browser included in the distribution (most likely Firefox) to go download Firefox windows version (any recent Linux shouldn’t have trouble writing it to NTSF if you have no external support room left (like on the storage left on your live USB =p))
            11) Reboot to windows and proceed to install firefox and enjoy not having to reinstall all your windows software. =p

            Alternative_2
            8) Go into the program manager in the control panel
            9) Use it to reinstall internet explorer (might require you your windows installation disk has to do a re-installation from it)
            10) Use IE to download a superior web browser
            11) Install superior web browser
            12) Make sure superior browser in working state: if not, go back to 10; if yes, uninstall internet explorer
            13) Use superior web browser to get what required to make a Live Linux rescue medium (Parted Magic is still the suggestion like always)

        • AngryBadger says:

          Start > Run > cmd
          ftp http://ftp.mozilla.org
          Type ‘anonymous’ for user name
          Press enter for blank password
          cd /pub/mozilla.org/firefox/releases/latest/win32/en-GB
          get “Firefox Setup 14.0.1.exe”

          edit: for some reason wordpress adds http to the address, you dont need that

    • HermitUK says:

      Oddly, I couldn’t see the plugin in Chrome’s list of extentions, but the exploit test worked anyway. Uninstalled Uplay (Listed as Ubisoft Game Launcher in Remove Programs) to be sure.

      • BubuIIC says:

        An extension is different from a plugin, plugins mostly doing more low level stuff: in chrome your list of plugins should be here: chrome://plugins/

        Can anyone confirm the name of the browser plugin to disable?

        • Lilliput King says:

          Uplay PC

        • Jason Moyer says:

          UPlay PC

        • TheApologist says:

          For those looking for the plug-ins section rather than extensions in Chrome, I went to settings and used the handy search at the top right for ‘plug-ins’, which in turn gave me a handy yellow arrow pointing to the right category, and then highlighted plug-ins in yellow on the list. Uplay PC was in there.

          CONTRARY TO ARTICLE THE SEARCH SHOULD BE FOR ‘plug-ins’ not ‘plugins’

        • grundus says:

          Uplay PC

        • Phasma Felis says:

          Hey, has anyone mentioned yet that the name of the browser plugin to disable is Uplay PC? I mean, I could take five fucking seconds to check before posting, but that’s hard.

  4. Anarki says:

    “You can always reinstall later, right?” Is this a joke about activation limits? Because for some people, they literally can’t.

    Anyway, we’ve all accidentally put a rootkit into our DRM software at least once, right?

    • Meat Circus says:

      I’ve seen several people bandy this term around, but there’s no evidence that this thing is a root kit. It doesn’t attempt to hide itself.

      Not a rootkit, just a shitty, shitty browser plugin.

      • Milky1985 says:

        Yes techncally not a rootkit because it doesn’t install itself at a low enough level (think a true rootkit has been installed at the lowest of the os level, so basically impossible to remove without breaking the os), but rootkit like capabilities if it can run stuff from the windows directory and backdoor because of the stuff it opens. If it can run cmd.exe (in the same folder as calc) you can do basically anything you want, maybe even escalate permissions, or at the very least delete all your save games or something equally dickish.

        Plan to test this when i get home to see what happens, all currently depends on what can be done,with command line access you can do a surprising ammount.

        • Quxxy says:

          That’s not “rootkit like”. A rootkit is a program which actively hides its existence and/or other programs’ and files’ existence from the rest of the system and the user. This is just a stupidly dangerous backdoor. Still bad, but not as bad as a real rootkit.

          • Milky1985 says:

            Did you actually read all of what i wrote or just blank out after “rootkit like” a decide to quote that? As i clearly said (as part of the rest of the sentence) that it has rootkit like capabilties if its a backdoor and can run stuff without asking.

            I never said it was “like a rootkit”, i said it can do things that a rootkit can do, two different things :P

          • Quxxy says:

            Sorry, I’m not aware of any way to distinguish between “quoted speech” and “air quotes” on a keyboard. Poor choice on my part.

            Without bogging down in minutiae (just deleted a wall of text), the things you described are properties of a backdoor, not a rootkit. I’m just trying to correct the misinformation being spread by that stupid, stupid Hacker News headline.

            It’s not so bad, though. One website was claiming that the (air quotes) “Uplay network has been hacked into”. *sigh*

          • Milky1985 says:

            Sorry I didn’t think i would have to put stuff in speech marks to make it so that people read the entire sentence, I will remember that next time.

            Also the two ascept of a rootkit are

            “A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer”

            Yes it doesn’t do the first (as far as we know, i doubt it however as it would need a lot more stuff installed to do that), however it does do elements of the second as any tiem the browser is loaded , you have access.

            Thus rootkit like behaviour.

            We can argue over semantics a lot but its not going to matter to most people :P

          • FriendlyFire says:

            So a horse carriage is car-like because it can transport people?

            Please, we have words for these things. A backdoor is not a rootkit and trying to say otherwise only ends up confusing people and spreading FUD.

            If you want a rootkit, you need to check out Sony’s music CDs fiasco.

    • noclip says:

      With most software unrestricted arbitrary remote code execution is a total security failure. At Ubisoft it’s apparently just a side effect incidental to their DRM implementation.

  5. Everyone says:

    Oh, sweet, sweet schadenfreude, how I love thee!

  6. Meat Circus says:

    “a clear reduction in piracy of our titles which required a persistent online connection, and from that point of view the requirement is a success”.

  7. Chris Evans says:

    I think Chrome doesn’t let this happen, or at least my configuration of Chrome doesn’t. I don’t get that Uplay window or the calculator, I just get a plugin error image when I go to the test page. Yes, before anyone asks, I do have Uplay installed thanks to Driver.

    Still, shocking lapse of security for this to have been allowed through.

    • pakoito says:

      That just means the unsafe plugin was not installed with your game, or Chrome removed it on purpose (?)

    • dmoe says:

      No, it can do it to Chrome too. One of the posts suggests: “Google chrome users: You can go to “about:plugins” and disable this and all other things that might expose you to extra security risks such as “Microsoft Office” (even “Native Client”) or any other plugins that exposed in there by 3rd party without any confirmation.”

    • Lilliput King says:

      Maybe the plugin doesn’t install by default? I’ve got SC:Conviction and I don’t see the plugin listed in Chrome.

      • HermitUK says:

        I didn’t see the plugin listed in Chrome either, but the test exploit still worked on my end.

        Edit: My fail, it’s listed on chrome://plugins/ as UPlay PC. The plugin remains installed even if you uninstall Uplay, so it’s best to disable that as well.

    • John Walker says:

      Chrome definitely does. That’s what I tested it on.

  8. FCA says:

    Hmmm….. possible workaround: disable the uplay plugin for all your browsers (why this was ever installed is beyond me, but it’s probably a case of braindead DRM being braindead…)

  9. ReV_VAdAUL says:

    I uninstalled the one game I have from the list and heartily recommend everyone does but damn if this isn’t annoying for people on a slow internet or with bandwidth caps. Much much less annoying than having your computer of course but still, an additional gripe.

    Edit: Even if this is just a bad plugin fuck it, I’m glad I uninstalled. Better safe than sorry.

  10. houldendub says:

    Thank god for never touching Uplay!

  11. NightShift says:

    Hooray for an epic fail. The second I started playing Splinter cell conviction after pirating it, I gave up on the horrible 1 button does everything controls(I hate those in general, but this game had the worst configuration in my opinion), the bad mouse sensetivity and how it’s mostly a third person manshoot with some resemblence of stealth. I uninstalled it and dropped all Ubisoft games from my mind.

    U-Play? U-Suck.

    • cliffski says:

      As you are boasting about pirating the game, I’m not sure you are really in the moral high ground to complain at the game maker here…

      • Donkeyfumbler says:

        Exactly. At this point, I feel much more self-satisfied knowing that I simply don’t touch Ubisoft games at all rather than the whole ‘pirate as a protest’ thing, which is such a feeble excuse for piracy.

      • RvLeshrac says:

        Because there are so many other ways to determine whether or not a game is shit by playing it without plunking down the full, non-refundable retail price.

        • Melliflue says:

          You don’t have an inherent right to try a game before spending money on it. If the game has a demo then you can try that, otherwise you have to decide whether to buy it hoping you’ll enjoy it or avoid it entirely. You can read reviews about the game. You can wait to see what other people think.

          But nothing gives you the right to pirate the game. Pirating games encourages companies to use such strict DRM measures, like UPlay.

          • mrmalodor says:

            WRONG. Every consumer has an inherent right to try or at least see the product they are about to buy. There is nothing at all wrong with pirating a game to see if it’s worth buying.

          • bill says:

            ^ clearly the words of a bachelor

          • Melliflue says:

            If you put nothing into the making of the game and have not paid for the finished game then why should you have any say in what may or may not be done with the finished game? They set the terms on whether there is a demo or not, and they set the price. If you don’t think it is worth it then you don’t have to give them anything.

            Also, as already mentioned, there are alternative ways to learn about a game. In fact by pirating it you are probably less likely to read reviews of the game, which takes business away from magazines/websites. You could even decide to wait until it is very cheap in a sale, which you might not have done if you had pirated it. I think you would need to justify why piracy isn’t harmful.

            (I realise that retail stores can set there own price but they have to pay for the stock in the first place, and that price is negotiated between the store and the game’s publishers.)

          • MadTinkerer says:

            WRONG.

            If you download a cracked copy with the intent of trying before buying (because you actually do have a habit of doing so, instead of just using it as an excuse), because no demo is available and you end up buying the game which I, for example, have done several times, it’s an example of piracy actually encouraging sales.

            See: the problem here isn’t people downloading cracked copies of games. That’s actually 100% a non-issue. Just as downloading a movie from a non-legit torrent is actually a non-issue. If I bought a legit Blu-Ray copy of a movie and then download a second version from a torrent because my laptop doesn’t have a Blu-Ray player and/or the DVD drive is broken, that’s not hurting the publisher. In this example I’ve bought their product. Which is the real issue: people not buying the products.

            Sometimes people download cracked copies of games in order to see if they’re worth buying, and not just as an excuse. I’ve had to cut back on doing so because I can’t afford to buy every cracked game I try. “Pirating” games =/= lost sales.

            EDIT: Beaten by several others. Well said mrmalador.

            @Melliflue:
            “They set the terms on whether there is a demo or not, and they set the price. If you don’t think it is worth it then you don’t have to give them anything.”

            And how am I supposed to decide whether it is worth it if there is no demo?

            “In fact by pirating it you are probably less likely to read reviews of the game, which takes business away from magazines/websites.”

            Nonsense. For one thing, I usually resort to piracy on titles that are overlooked by review sites in the first place. (though I admit I am an edge case here) But saying that piracy takes business away from magazines and websites? Ridiculous. How would I know what to look for on the torrent sites in the first place if I’m not reading magazines and websites?

            “You could even decide to wait until it is very cheap in a sale,”

            Oh please don’t talk about sales. Please. My wallet is still aching from the Steam Summer Sale and all the Kickstarters I’ve backed. Oh and look: Wanderlust is 25% off on Steam. And GoG’s Adventure Sale is still on for about 13 more hours. And that Indie bundle RPS just mentioned. Please, please don’t remind me. The utility bills need to come first!

            EDIT 2: Oh yeah, and if I get a legit copy of AC2, for example, and never install the legit version because I’d rather play the cracked version and not put up with the DRM bullshit, again: that’s a sale Ubisoft gained because of piracy not in spite of it.

          • Sheng-ji says:

            @Mad Tinkerer

            So you pirate your game on day 1 and buy it in the steam summer sale.

            Slow clap.

            You Dick.

            And please, please name one game which hasn’t had enough footage released so that you can make an informed decision. I’ll be waiting to link you to the footage, reviews, let’s plays, commentary and tell you to get off your lardy fat ass and move from your bedroom, get down to your local independent game store and play their store copy if you really must play it for yourself.

            In the meantime stop shirking your individual responsibility and remember “Not every pirated copy is a lost sale” is as unproven as the statement “Piracy harms the games industry”.

            Link to some proof before making sweeping statements.

            By the way “If” you get round to paying for AC2? How long a demo have you awarded yourself? The full game? If you progressed beyond 1 or 2 levels, you damn well should be paying for it BY YOUR OWN RULES. You really have just shown your quality, by which I mean lack of quality.

            Oh and would you be so kind as to post an honest screen capture of your P2P history? I would very much like to see if you’ve pirated a game which had a demo. I’m guessing yes.

            Look, everyone pirates. 99.9999% of people who tell you they haven’t and never would are lying. I’ve pirated in the past plenty of times.

            What I don’t do is try to distort the truth and perception that I am somehow doing a good thing or that I have any justification as to what I was doing. I was doing a bad thing and I was completely unjustified to do so. It’s this pretence that what you are doing isn’t wrong or that you somehow have the moral high ground that makes me think you are a complete dick and all the other things I wrote.

          • Nic Clapper says:

            @mrmalodor
            “Every consumer has an inherent right to try or at least see the product they are about to buy”

            Yep — haven’t tried that brand of groundbeef at the market? Well open that sucker up and toss it on that grille for sale (2 birds cause I haven’t tried that grille either!). Maybe give that TP a test drive afterwards — its my inherent right!!!

        • Sheng-ji says:

          Well, there’s reviews for one, youtube videos showing gameplay often accompanied by a review for two, your local game store will often let you have a go for three – should I go on destroying your feeble excuse for piracy?

          Why don’t you try the one where piracy somehow helps the game do better.

        • Llewyn says:

          It’s very simple. If a game is worth playing there will be a demo for it. If the publisher is so ashamed of it that they’re not willing to risk people being put off by a demo then it’s safe to assume that the game is crap in at least one important way.

          • Dark Nexus says:

            There are far, far too many games that don’t have a demo, and they exist across the entire quality spectrum.

            And a lot of games that do have a demo don’t have one that does a good job of actually demoing the full game – you get a bunch of tutorials without a taste of the full gameplay.

      • Kadayi says:

        Indeed. If you’re prepared to play it you should be prepared to pay for it. Regardless of whom the publisher is and whatever ‘crimes’ they are alleged to have committed. People worked hard on making the games and the money made from sales helps towards funding new projects and keeping them in jobs. This ‘You fucked up Ubi, I’m pirating all your games from now on!!!’ mentality is morally bankrupt.

      • Milky1985 says:

        Problem is i have seen people who say “I’m not getting the game cause of the drm / publisher actions” ALSO get berated on places like this, becuase then “you are not supporting the PC gaming crowd and so publsihers won’t make games on the PC”

        Do you also get damned if you simply do not play the game :P

        • Sheng-ji says:

          Often the people berating those who make a stand are overwhelmed by the people saying “I respect your position”.

          In fact a much worse problem is the people who are boycotting a game berating the people who buy the game because whatever the reason for the boycott is not an issue for many. They accuse those people of destroying the games industry too.

        • Hmm-Hmm. says:

          That could be a problem, but so far I’ve not noticed a lot of that. Well, around here at any rate. Similar has happened regarding Steam, as Valve is a weak spot for many hiveminders. But overall I’d expect better from the folk here. In fact one of the few things gamers can do is demonstratively not buy a game. At the very least such a gamer can save more money for other things (like other games) and sometimes devs/publishers even change things up after enough cause for them to review their product. And diminished revenue is a big party of that.

          Overall, I’d say most RPS folk would stand behind better gaming rather than more gaming regardless.

          -edit- That, and supporting choice for gamers is better than to support the industry without question. More games doesn’t equal more choice.

    • fish99 says:

      No, you suck. Every time you pirate something you’re just making the case for DRM stronger, and you’re depriving that publisher/developer of the money to invest in future titles.

      • PitfireX says:

        Adding DRM because of pirates is just like making stricter gun laws… the pirates will always find a away and your just getting in the way of good honest people. That being said today’s game companies are always trying to nickel and dime us, working for every cent. If most people who don’t enjoy supporting “Call of duty:Copy Paste 6″ didn’t pirate, they most likely wouldn’t have any games to play.

        I personally feel like were at a point where the big guys (EA, Activ, UBI) are making garbage, but the independents cant yet make a A+ title. Feels like the medium guys are getting pushed out.

        • Sheng-ji says:

          Er… bad analogy, gun crime is incredibly rare in countries with strict gun control, unlike countries in which it is easy to get one.

  12. Ministry says:

    I love it! Any time bullshit policies run into issues it makes me happy. I hope Ubisoft is at least a bit embarrassed and\or ashamed, but that is naive of me to think they care about problems that face their customers due to their shit policies.

  13. MrCraigL says:

    For potential “what this could do” – if it has command line access to launch the calculator then it could, in theory, use cmd to download any executable it likes through FTP, and then run it.

    Anti-virus *might* detect it, but it’s unlikely.

    • Optimaximal says:

      It depends on the user account. If they try to execute cmd.exe with administrator rights (needed to actually harm system files or write to protected areas), Vista/7 should throw a UAC prompt.

      If you’re still on XP or are running with UAC turned off, this is your own fault.

      • BubuIIC says:

        You can do enough harm with a non-privileged account. Think about deleting user files fore a start.

        • RaveTurned says:

          Most modern malicious attacks aren’t about deleting data or causing harm, but about getting access to your computer or the data on it without the users realising. The kind of attack you describe is the kind that people would definitely notice, which would draw unwanted attention to the exploit.

          A more likely danger is the kind of scenario where someone has their credit card details, on-line banking credentials or other personal information saved somewhere in their user data (for instance a password file in My Documents), that the attacker could make off with. Also if the attacker had knowledge of a separate exploit to raise their access privileges and do more nasty things, this security hole could allow them to make use of that knowledge.

      • MrCraigL says:

        I’d blame Ubi before anyone running Xp or without UAC to be honest – plus the last Steam survey had 15% of people running XP. There are standards to stick by, and enabling an argument that makes your plugin run any exe path should be a red flag to any developer.

        With cmd, I don’t think it needs admin to write to your documents, so it could ftp there and then run a file. Stuff might block it, but for some it will get through.

        Also, hello!

      • Optimaximal says:

        Yes, deleting user files is an issue, particularly if they target %USERPROFILE% etc.

        What people are probably thinking when they hear these things is either their Windows folder being maliciously deleted or their system being controlled as part of a botnet, both of which require alteration of key files and the registry, which *should* be protected.

        Again, providing you’re on a newer OS.

      • Kdansky says:

        There’s another problem. If any other software on your PC has a known escalation exploit, then that can be easily targeted. For example, if Adobe Reader has an ugly bug (that can be abused by a specific PDF) then this pdf can be downloaded and opened through this exploit. That’s a ton easier than getting you to open a PDF on a webpage.

        In essence, any problematic bug in any piece of software you have on your PC can be abused through a web-page.

        And of course, everything that runs in user-space can be done. For example, crash your graphics card driver, delete your documents or read any file on your disk and send it to anyone. Anything that does not explicitly require a “Are you sure you want to grant Admin-privileges” dialog.

      • fish99 says:

        Logic fail. Lots of people still use XP and it’s still supported by MS. Using it doesn’t mean you deserve to get malware through some security hole in a 3rd party plug-in you didn’t even know a game had installed into your browser. That’s like saying every time you leave the house without a kevlar vest you deserve to be stabbed.

  14. Derppy says:

    Basically if you have the browser extension installed, any website you visit can execute anything on your computer.

    I wouldn’t even call that a “security risk”, it’s a security disaster. A trojan on every customer’s computer, which can be abused right now by pretty much anyone. Hopefully Google and Mozilla are fast to blacklist it, even if it isn’t their mistake.

    I really hope Ubisoft won’t easily get away with this, demand trashing their intrusive piece-of-crap DRM system. Sony had trash their rootkit, this should face the same fate.

  15. Sheps says:

    Couldn’t have happened to a shittier company with a shittier stance on pirating. Isn’t it quite comical that Ubisoft, in an attempt to curve piracy, have turned far more would be customers to piracy with their shitty DRM.

    You can either pay Ubisoft a stupid amount for AC and play under severe limitations or you can go download it from thepiratebay and play without all the BS. Great work Ubisoft.

    • SanguineAngel says:

      Presumably pirates also benefit from a lack of security breaching “features” too!

      • RaveTurned says:

        It really depends how much you trust downloading and installing software that you *know* has been tampered with by an anonymous third-party with criminal intent. :/

        Although given the story, it seems you’re almost as likely to have some dodgy code slipped into the official product as you are a pirate copy.

        • Kaira- says:

          The joys of proprietary software.

        • ArcaneSaint says:

          Actually, the whole “pirates slipping malicious code into their releases” risk is quite minimal. Why? Because if they did, and were caught out on it, they would be immediately and completely abandoned by the community. And they, more than others, rely on the community to remain afloat, if they are no longer trusted they will be replaced (remember, the bigger groups don’t do this out of “criminal intent”, but more for “the fame”). Also, you may have noticed that thepiratebay has so-called “VIP” and “trusted” users (marked with a purple/green skull), these are users with a very excellent track record, usually the “official spokesperson” of release groups, and the skulls mark that they are trusted/confirmed by the community (example: VIP user ‘extremezone’).

          Of course, if you download files from unknown/unconfirmed sources and get malware on your system, then that’s your own damn fault.

          • Faxmachinen says:

            Cracked software is mostly harmless, but I’d not log into any valuable accounts through it.

  16. Stephen1212 says:

    If you uninstall Uplay from your machine it can’t launch. The games can stay, they just will not work until you reinstall Uplay from the website.

  17. Gap Gen says:

    Wait, is this the software that installed itself last night after I booted up From Dust for the first time, and which has no discernable purpose except to annoy me? Good to know it’s potentially malign as well as a waste of my time.

    • Zephro says:

      That’s the one. I got it installed by Anno 2070.

      I think my whole reaction can be summed up in 2 words “Fucking typical.”

      • wu wei says:

        I got From Dust through Steam and Anno 2070 through another online vendor.

        The Uplay for Steam games doesn’t display non-Steam games (and vice versa), despite using the same damn account. An account which has a password truncated to 16 chars without telling you, with a client that will accept more than 16 chars, which then doesn’t match the short version. “This has been an issue for some,” is how one of the forum reps put it, as if the blame was ours for not intuiting their secret password size limit.

        It’s just a piece of garbage.

  18. destroy.all.monsters says:

    Proving once again that you’re better off pirating Ubi’s games than buying them.

  19. benjymous says:

    Yes, that’s nasty – I haven’t got uPlay installed to test that it works, but the proof of concept apparently launches calc.exe without the user prompting.

    This basically means that a website could launch any exe on your PC. For example it could reformat your hard drive, or at the very least delete all your files in “My Documents”

  20. Gwilym says:

    Well, piss. I only just installed Driver: SF yesterday, and was already angry at myself for giving them my money after A) sitting through an irritating series of patching processes completely separate to Steam, B) having to use Uplay at all and C) seeing what an awful port it is (of a rather brilliant game). I guess now we have a D. And it turns out, just as the legends told, Ds are fucking huge.

    THAT’S THE WORST JOKE I’VE EVER TOLD THANKS A LOT UBISOFT

  21. faillord_adam says:

    My computers unplugged because the CPU’s overheating. What do I do?

    • Toberoth says:

      Boot it up with your router/wireless card turned off (or network cable unplugged).

    • FriendlyFire says:

      Um, you realize that this won’t automagically execute something nasty right?

      You need to browse to an infected page. Just start a new empty browser session and immediately deactivate the thing. No need for voodoo magic or unplugging of network adapters or hard drives.

  22. vandinz says:

    Weird, I bought some Ubisift games in the Steam sale and even though I get the Uplay crap on startup of the games, there’s no plugin for it in Chrome. Does it still count if the game is through Steam then or just stand-alones?

    • vandinz says:

      Scrub that, was looking in the wrong place :P

    • dE says:

      Dunno about your local case. In my case, I bought Heroes 6 in the summer sale on Steam and I’ve had Uplay sitting in my browser plugin space (Firefox though). Might be a browser thing.

  23. Unaco says:

    UPlay… You pay.

  24. Milky1985 says:

    So UPlay installs a (possibly) dodgy web plugin, but refuses to give me the uPlay points for completing Driver : San franisco, good going there!

    All stick and no carrot!

  25. Paul says:

    Yeah I am not uninstalling Driver and AssCreedRev, two games I am currently in the middle of playing. I disabled those firefox plugins though. This is ridiculous and Ubi should get on it ASAP.

  26. Optimaximal says:

    Well, there’s the point that Browser and OS security & sandboxing *should* prevent anyone directly placing trojans on your PC. What the PoC seems to show is a) files can be run that are already on your machine & b) a malicious party can base 64 encode a complete string that could be used to silently FTP files onto your machine to execute in case a).

    It’s a shocking lapse in security, but equally something that should be a) easily fixable, given how Ubisoft recently updated UPlay without my intervention (it just installed a new version when I went to play AC2) and b) would require some thought to execute a coordinated attack on a number of UPlay users.

    I guess XP users are at risk because they’re more than likely running a superuser account, but Windows Vista/7 & Mac OS should throw a UAC/Credentials confirmation if the script tries to do anything more than execute an already accessible program like Calc or (at worse) do something to the current users User folder.

    • jalf says:

      No, not really. Sandboxing doesn’t help against plugins installed into the browser with the express purpose of bypassing the sandbox.

      Well, there’s the point that Browser and OS security & sandboxing *should* prevent anyone directly placing trojans on your PC. What the PoC seems to show is a) files can be run that are already on your machine & b) a malicious party can base 64 encode a complete string that could be used to silently FTP files onto your machine to execute in case a).

      It’s a shocking lapse in security, but equally something that should be a) easily fixable, given how Ubisoft recently updated UPlay without my intervention (it just installed a new version when I went to play AC2)

      So.. it’s fixable *when you try to launch your game. Until then, you’re vulnerable. So if someone, hypothetically, has a game installed that they no longer play….. no automatic fix for them any time soon.

      and b) would require some thought to execute a coordinated attack on a number of UPlay users.

      Not really. You can run any process on the PC which you have permissions to access. You can do quite a lot of fun stuff in that way. Deleting user files is an obvious one, but if you can find anything like a command-line FTP client or scp, or just a mail client or, well, a number of other applications with network access, then you can probably get them to fetch a new file from some remote server. And execute it.

      I don’t know what kind of privileges the process is executed with. I’d assume that it’s run with the user’s own privilege level (which, for nearly everyone means they’re administrators, possibly with UAC enabled — but again, there are quite simple ways to bypass UAC prompts, so even then, you’re essentially fucked)

      I guess XP users are at risk because they’re more than likely running a superuser account, but Windows Vista/7 & Mac OS should throw a UAC/Credentials confirmation if the script tries to do anything more than execute an already accessible program like Calc or (at worse) do something to the current users User folder.

      - *Many* people, not least gamers, disable UAC
      - UAC prompts can be avoided, and that’s been known since Win7 was in beta. Microsoft’s response: “UAC is not a security boundary”, so that’s ok.
      - you don’t need to gain administrator privileges to fuck the user over. Deleting or corrupting a few files in the current user’s home dir is more than bad enough.

  27. DanPryce says:

    Ah man, I was hoping to play Beowulf: The Game this evening.

    Seriously though, I’ve only got Assassin’s Creed 2 installed from that list. I did pick up Splinter Cell: Conviction in the Steam sale; glad I didn’t install that.

  28. Strabo says:

    The list of games isn’t complete. Anno 2070 uses UPlay and From Dust too (although that game never worked for me at all).

    • FriendlyFire says:

      I believe the list is only for those games which are actually problematic, perhaps because UPlay doesn’t exhibit that behavior in other games?

  29. Visualante says:

    Given Ubisoft’s mailing list leak from the Watch_Dogs website earlier this year, you could imagine that someone might have a perfect list of users to e.mail executable code to…

  30. overburning says:

    I’ll just be playing Splinter Cell Chaos Theory then :)

    Edit: I’ve never see the plug-in in my browser, but the link worked for me. After I uninstalled the Ubi game launcher however the link stopped working.

  31. JD Ogre says:

    Raise your hand if you are actually surprised.

    Anyone…? No? Thought so.

  32. Mbaya says:

    Appreciate the heads up Alec, thank you.

    Possible offenders uninstalled. As if people didn’t like their aggressive DRM enough, it now rears its head as being more abusive to its customers, terrible.

  33. Gramarye says:

    And I just finished the six-hour download of AssCreed Rev this weekend. :(

  34. bill says:

    Furious 4 was released already?

  35. misterT0AST says:

    There is a good way and a bad way to do DRM,
    in the same way that there is a good way and a bad way to get your head chopped off in your execution.
    The result is still bad for you, and yet sometimes it’s way, way worse than what it should be.
    Ubisoft missed the neck and had to strike seven times to decapitate us.
    I hope they’ll do this painful thing more competently in the future.

  36. DPB says:

    I’ve got Assassin’s Creed II, Brotherhood and Revelations installed but there’s no sign of the extension in Firefox, and the test link just tells me it needs to install a missing plugin. I think NoScript must’ve stopped it in its tracks.

  37. Rinox says:

    And so the boycott proves me right.

  38. Shantara says:

    If chrome://chrome/settings/search#plugins didn’t work for you, try opening chrome://plugins/ in Chrome.

  39. sonofsanta says:

    Oh dear.

    Oh dear oh dear oh dear.

    I nearly bought one of the PoP games in the Steam sale as well, and thought, nah, it has that stupid DRM, I’ll not bother. Lucky me…

  40. DodgyG33za says:

    I made a mistake and bought a Ubisoft game in my mid-summer madness last week. Quit once I realised I needed an account with uplay to play.

    Started up GTA4 instead. Different company, same bollocks. Wanted me to set up some crappy microsoft account to save my offline game.

    No, no and no. Steam is set to lose longer term because if in doubt, I won’t bloody well be buying in future, I will be pirating, because chances are I won’t have this bollocks.

    And on the plus side, even if the pirate copy is riven with malware, it is probably still more secure than buying a legit copy because my virus checker will pick it up.

    • Fierce says:

      While I understand your frustration, frankly you’re buying your games wrong.

      1) While not on 100% of Store Pages, the vast majority of Steam store pages will show if the purchase requires and uses 3rd-Party DRM. This information is located on the right side of the page, above the ESRB rating and/or the game features written in green text such as “Co-op” or “Controller supported”. This information is located on the GTA4 page and all Ubisoft games that were on sale recently.

      2) Even in the case of vague information (GTA4 says “SecuROM and unlimited activations, while saying nothing about Rockstar Social Club), the Internet is of course full of first-hand information about the impact of the DRM that is just a search string away. This is just one of the resources available, with the Steam Forums being a common second resource.

      So before you deny content creators cash they sometimes deserve and possibly become a blip on some litigation trolls radar, consider changing your critical consumer habits so you can better enjoy the games you want. Looking before leaping will take you surprisingly far in life.

    • fish99 says:

      Click ‘start offline’ and you don’t need to logged into anything to play and save in GTA4.

  41. Chris Evans says:

    Don’t know if this has been mentioned, but this seems to have only snuck in since Uplay 2.0 was launched. I just launched Driver San Fran and it updated my Uplay client from the old 1.x version to 2.x. I ran the test again and this time Uplay launched. I have now disabled the plugin.

    • DPB says:

      Yeah, the plugin appears to be a new addtion. As I said above, I didn’t have it installed either, but running one of the games updated it and installed the plugin.

  42. drewski says:

    I feel a lot less guilty about renting Ubisoft games for my console rather than buying them for my PC now.

  43. Post-Internet Syndrome says:

    I didn’t know uplay installed a browser plugin. I’m not hating on the backdoor, such things happen, but installing stuff on my computer without asking is rude.

  44. dejawolf says:

    can we sue ubisoft for this shit?

    • Sheng-ji says:

      If something actually happened on your computer that somehow causes you damage (deleting important files is a good example of this) and you can prove to an expert that it was caused directly through this exploit (or hire yourself an expert who can prove it) then yes you can – £25 fee and the small claims court beckons!

    • Milky1985 says:

      It doesn’t even need to cause damage, unless the EULA was updated to give permission to install the plugin they have broken the computer misuse act in theory.

      “A person is guilty of an offence if—

      (a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured] ;

      (b)the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and

      (c)he knows at the time when he causes the computer to perform the function that that is the case. ”

      The app is to secure access to uplay, it is unauthorised since there was no permission and that was what the plugin was designed for.

      Of course ubisoft have bigger lawyers than us so i’m sure theres a few loopholes they can abuse.

      Not a lawyer anyway :P

      • Sheng-ji says:

        Yes, but how is a judge supposed to award you damages if you haven’t been damaged?

  45. Quxxy says:

    Alec, I just want to thank you for not just blindly copy+pasting that sensationalist Hacker News headline. Far too many outlets parroted that this is a rootkit when it really isn’t.

    People need to know this is dangerous, but it’s hard to get the message across clearly when the original headline is factually wrong.

    Again, thanks for being the first journalists I’ve seen covering this story thus far to actually act like journalists. hugs

    • mrmalodor says:

      But it IS a rootkit.

      • Kaira- says:

        Except it is not. Rootkit hides its existence. UPlay? Not so much.

        • mrmalodor says:

          Except it clearly is a rootkit. Uplay doesn’t tell you before installation that you are about to install something that gives people full control over your computer.

          • Milky1985 says:

            Its not full control, its only while the browser is loaded, for it to be a full on proper rootkit it has to be at all times. This is just rootkit like with the way it acts, and still just as bad.

      • Milky1985 says:

        Not a rootkit, does rootkit like things but not a rootkit because of the level its installed at.

        They are in theory in breach of the computer misact ac thowever, as they modified the comptuers settings without permission, unless the latest EULA that no-one reads said they can install a web plugin :P

  46. nasenbluten says:

    I wonder where is that guy that argued every single time that Uplay wasn’t DRM and that it was just “as bad” as Steam.

    Where is your god now?

  47. GlasWolf says:

    Ubi press release blaming third-party developer in 3… 2…

  48. D3xter says:

    Here’s a complete list of games (out now) that utilize the uPlay DRM btw.: http://steamdrm.flibitijibibo.com/index.php?page=DRM_Lists/Account-based#07_account_based_ubisoft_drm.txt

    I generally find that Website/List very helpful before buying any game: http://steamdrm.flibitijibibo.com/index.php?page=DRM_Lists/The_Big_DRM_List

  49. Kadayi says:

    “I urge you to uninstall it and any games that use it immediately, until we know more.”

    Alternatively maybe just disable the plugin in your browser settings and hold off playing any games until it’s patched.

  50. Chris Evans says:

    As Uplay is also used on the consoles, does anyone know if this would have an impact on those in any way?