By Alec Meer on July 30th, 2012 at 11:30 am.

Update – Ubisoft may have plugged the hole, but it’s difficult to know for sure as they don’t appear to be discussing the issue. There are reports on the Ubi forums (thanks, Imperial Dane) that Uplay has been updated to version 2.04, which, if the commenter is accurate, bears the note “Fix addressing browser plugin. Plugin now only able to open uPlay application.” If your Uplay hasn’t/won’t update to version 2.04, I’d get rid of it and its plugin for now. To be honest I’d get rid of the plugin regardless, until we’re sure the problem’s been resolved.
We’re currently investigating the full extent of this, but moralising and recrimination can come later. For now, the important thing is to warn folks who have certain Ubisoft games installed on their PCs that an apparent backdoor has been discovered in the Uplay infrastructure/DRM which may in theory allow anyone so minded to install God knows what horrors on your PC. It isn’t confirmed as definite, but certainly proof of concept code is calling up Uplay windows and then loading other programs from websites that have nothing to do with Ubisoft. If Uplay is on your PC, I urge you to uninstall it and any games that use it immediately, until we know more. Update: the flaw lies specifically in a browser plugin Uplay quietly installs, and the general consensus is now that’s all you need to remove to protect yourself. See below for details on how to rid your PC of it.
Essentially, as described here, with the right piece of code any website can call up a Uplay window and from that might be able to slip a program install or launch of their choice onto your PC. Were someone with malevolent intent to inject the code onto a commonly-visited website, they might be able to gain control over any number of PCs – or install keyloggers, viruses and the like, or just plain old wipe your hard drive. The web security expert we chatted to says this could even occur via an email link, making this exploit a phisher’s dream if it’s as bad as it sounds.
Says the expert we spoke to, “you could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it’d also install a program via UBISoft’s DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited wordpress, say.”
But I come here not to sensationalise, but to warn. With news of this backdoor spreading like wildfire and proof of concept code already out there, there’s a very real chance that someone will try to achieve something unpleasant with it before Ubisoft can shut it down. That’s presuming it is what it appears to be, of course – this may turn out to be an exaggeration, especially as the internet does so love to mock Ubi’s notorious DRM, but so far the evidence very much points to this being as dangerous as it sounds. I’ve contacted Ubisoft for comment and will update as and when we know more. There’s been no response as yet, and other sites are reporting similar silence.
The fault does appear to specifically lie with a browser plugin Uplay installs rather than Uplay itself, so remove that from your Firefox/Chrome/IE/etc extensions as a priority, but I’m erring on the side of extreme caution and advocating the removal of anything associated with Uplay until this apparent threat is dealt with. Here’s how to locate and disable the errant plugin:
Firefox:
Tools – Add-ons – Plugins – Disable the Uplay and Uplay PC Hub plugins
Chrome:
Visit about:plugins and disable
Opera:
Settings – Preferences – Advanced – Downloads – Search “Uplay”, delete
(Via Revisor on our forums).
Contrary to what some parts of the web are currently screaming, this is not a rootkit – it’s an exploit in a browser extension. Alas, the vast majority of folk with said browser extension will have been hitherto unaware that Uplay had installed it.
You can find the games which apparently include the exploit listed below. If you have any of them on PC, I would urge you to uninstall them and any Uplay applications as soon as possible as a precautionary measure. If you have any of these games on your PC, you can also see the apparent exploit harmlessly in action with the link here.
We’ve tested with a PC that has never had Uplay installed on it. The exploit didn’t work at all. After installing Uplay alone, immediately the test link did indeed work, calling up the Uplay window, and then with that, booting the Windows Calculator. After uninstalling Uplay, the exploit once again didn’t work.

Calculator’s hardly scary of course, but if someone could use the exploit to slip another program onto your PC or run command lines, anything could happen. Frightening – even if there is still something of a question mark over exactly what level of access a nasty soul could go on to achieve. Additionally, this software would appear to allow Ubisoft to monitor PCs running Uplay, but again let’s wait for more details before any hammers of judgement are wielded.
It appears versions of some of these games are Uplay-free and thus in theory safe, but again it may be better to be paranoid than sorry. You can always reinstall later, right? I’d also urge you to check your list of installed programs in Windows, just in case an old install of the Uplay launcher/plugin is hanging around despite your having previously uninstalled any games that used it.
Here’s the list of titles known to be affected:
Assassin’s Creed II
Assassin’s Creed: Brotherhood
Assassin’s Creed: Project Legacy
Assassin’s Creed Revelations
Assassin’s Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
R.U.S.E.
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy’s H.A.W.X. 2
Tom Clancy’s Ghost Recon: Future Soldier
Tom Clancy’s Splinter Cell: Conviction
Your Shape: Fitness Evolved
I’m not at all certain that list is complete, given other games are known to use Uplay – From Dust, for instance. Check your program installs and browser extensions/plugins for any trace of it regardless – it might be there from an older install even though the game that carried it is no longer on your PC.
Again, more news as we have it.
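The 2.04 patch note quoted in the update at the top describes the fix as restricting the plugin to opening the Uplay application. The sketch below is an added illustration of that design change, not Ubisoft's code: the request shape, the action names and the install path are all assumptions, and the functions only return the command that would be started rather than starting anything.

```python
import re
from dataclasses import dataclass

# Hypothetical path to the one program the plugin exists to start.
CLIENT_EXE = r"C:\Program Files (x86)\ExampleVendor\Client\client.exe"
# Hypothetical launch modes the desktop client accepts.
ALLOWED_ACTIONS = {"open", "play"}
GAME_ID = re.compile(r"[0-9]{1,6}")


@dataclass(frozen=True)
class LaunchRequest:
    """Constructed shape of what a web page passes to the plugin."""
    action: str
    target: str = ""    # program path chosen by the page: the dangerous field
    game_id: str = ""


class Rejected(ValueError):
    """Raised when a page asks for something outside the fixed contract."""


def plan_launch_unsafe(req: LaunchRequest) -> list[str]:
    # Behaviour the article describes: whatever the page names gets started.
    return [req.target]


def plan_launch_fixed(req: LaunchRequest) -> list[str]:
    # 1. The page never chooses the executable; an attempt is refused
    #    outright rather than silently ignored, so it can be logged.
    if req.target:
        raise Rejected("caller-supplied program path")
    # 2. Only known launch modes are accepted.
    if req.action not in ALLOWED_ACTIONS:
        raise Rejected(f"unknown action {req.action!r}")
    argv = [CLIENT_EXE, f"--{req.action}"]
    # 3. Parameters are strictly typed, so they cannot smuggle extra
    #    switches or shell metacharacters into the command.
    if req.action == "play":
        if not GAME_ID.fullmatch(req.game_id):
            raise Rejected("game id must be 1-6 digits")
        argv.append(req.game_id)
    elif req.game_id:
        raise Rejected("game id not valid for this action")
    # An argv list, never a command string handed to a shell.
    return argv


def audit(requests):
    """Return (unsafe_result, fixed_result_or_reason) for each request."""
    rows = []
    for req in requests:
        try:
            fixed = plan_launch_fixed(req)
        except Rejected as exc:
            fixed = f"rejected: {exc}"
        rows.append((plan_launch_unsafe(req), fixed))
    return rows


# Constructed sample requests: one legitimate, two that should be refused.
SAMPLES = [
    LaunchRequest(action="play", game_id="42"),
    LaunchRequest(action="open", target=r"C:\Windows\System32\calc.exe"),
    LaunchRequest(action="play", game_id="42 & calc"),
]

if __name__ == "__main__":
    for unsafe, fixed in audit(SAMPLES):
        print(f"unsafe={unsafe!r}\n fixed={fixed!r}\n")
```

The point of the fixed version is that the executable is a constant inside the plugin: a page can ask for one of a small set of actions, but it has no field through which to name a program.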




30/07/2012 at 11:34 Meat Circus says:
What a shame.
30/07/2012 at 11:44 Revisor says:
Disable the Uplay plugin in your browser immediately.
If you’re not sure how, I posted the steps in the RPS forums:
http://www.rockpapershotgun.com/forums/showthread.php?5725-Ubisoft-DRM-is-a-security-risk#4
30/07/2012 at 11:53 TheApologist says:
@revisor A) Thanks. B) There’s a uplay plug-in in my browser??!
30/07/2012 at 14:37 Cooper says:
So Uplay installs something that changes another piece of software on my computer without my consent?
Is there not a word for that kind of software?
In any case, it is extremely bad practice to install browser add ons (like those god awful toolbars so much comes with) without explicitly asking consent. Bad form Ubisoft…
30/07/2012 at 14:54 Smashbox says:
I know! WTF.
31/07/2012 at 06:59 ombasfw says:
Maybe the plugin doesn’t install by default? I’ve got SC:Conviction and I don’t see the plugin listed in Chrome.
http://www.highseverity.com/2012/03/valve-fixes-https-vulnerability-in.html
30/07/2012 at 15:56 Bettymartin says:
Uplay just updated for me with the revision notes telling me that a fix has been applied so that the browser plugin can now only start Uplay.
Does this mean we’re safe again?
30/07/2012 at 20:01 SuperNashwanPower says:
Replying at top so folks can see it: I have got the Steam versions of AssCreed II and AssBro, and I do not seem to have the plugin at all. I checked by loading that link (doesn’t bring up calculator) and looking at my plugins. So hopefully Valve made Ubi take their Naughty-ware out and that means folks who have the Steam versions will be ok **breathes sigh of relief**
EDIT: I did this before starting Steam, so it would not have had the chance to patch. This hopefully means it was never affected.
31/07/2012 at 07:13 jarunasax says:
If there is a time period for when this happened, then it could mean that the vulnerability came from uplay to begin with *shrug* highly unlikely though. right?
30/07/2012 at 11:34 Enzo says:
You gotta be fucking kidding
30/07/2012 at 12:07 BobbyDylan says:
Maybe some good will come of this. Like UPlay finally being dropped!
30/07/2012 at 13:42 woodsey says:
They’ll just patch it, claim it was no biggie and carry on regardless. We all know it.
30/07/2012 at 13:31 MiKHEILL says:
There’s a certain poetic beauty to all of this.
Another notch on the belt of the anti-DRM movement.
30/07/2012 at 11:36 pakoito says:
It’s not Uplay which is insecure, but the browser plugin it silently installs. Go to about:plugins (or firefox equivalent) and disable it, rather than uninstalling your game.
30/07/2012 at 11:41 RvLeshrac says:
Because it isn’t going to wind up reinstalling that with updates or anything.
30/07/2012 at 11:46 BubuIIC says:
But at least that is the place to check if you’ve gotten rid of it.
Tools – AddOns – Plugins for Firefox
30/07/2012 at 13:58 Vorphalack says:
Whatever you do, don’t do this:
1) Find Uplay plugins
2) Disable Uplay plugins
3) Just to be safe, uninstall Firefox
4) Open Internet Explorer to re-install Firefox
5) Remember you uninstalled IE 6 months ago
6) FUUUUUUUUUUUUUUUUUUUUUU-
7) Re-install Windows to get IE back to get Firefox back -.-
30/07/2012 at 14:40 Rob Maguire says:
For those reading this, it’s best to remove IE by using the ‘Turn Windows Features on or off’ program, as you can then later re-install it if you need to from that dialog. Search “windows features” in the Start Menu, or find it at C:/Windows/System32/OptionalFeatures.exe.
30/07/2012 at 15:00 iniudan says:
Alternative:
6) FUUUUUUUUUUUUUUUUU then think about that rescue Linux Distribution (I suggest Parted Magic, due to high number of disk management utilities while being lightweight) live USB or live CD you should have created while you still had a web browser.
7.1) Don’t have it ? Proceed to alternative_2 8
7.2) Have it ? Continue to 8
8) Put into the computer the support containing the live distribution and reboot to it
9) Set up network connection (wired residential connection should be automatic)
10) Use the web browser included in the distribution (most likely Firefox) to go download Firefox windows version (any recent Linux shouldn’t have trouble writing it to NTFS if you have no external support room left (like on the storage left on your live USB =p))
11) Reboot to windows and proceed to install firefox and enjoy not having to reinstall all your windows software. =p
Alternative_2
8) Go into the program manager in the control panel
9) Use it to reinstall internet explorer (might require you your windows installation disk has to do a re-installation from it)
10) Use IE to download a superior web browser
11) Install superior web browser
12) Make sure superior browser in working state: if not, go back to 10; if yes, uninstall internet explorer
13) Use superior web browser to get what required to make a Live Linux rescue medium (Parted Magic is still the suggestion like always)
30/07/2012 at 16:52 AngryBadger says:
Start > Run > cmd
ftp http://ftp.mozilla.org
Type ‘anonymous’ for user name
Press enter for blank password
cd /pub/mozilla.org/firefox/releases/latest/win32/en-GB
get “Firefox Setup 14.0.1.exe”
edit: for some reason wordpress adds http to the address, you don’t need that
30/07/2012 at 11:52 HermitUK says:
Oddly, I couldn’t see the plugin in Chrome’s list of extensions, but the exploit test worked anyway. Uninstalled Uplay (Listed as Ubisoft Game Launcher in Remove Programs) to be sure.
30/07/2012 at 11:57 BubuIIC says:
An extension is different from a plugin, plugins mostly doing more low level stuff: in chrome your list of plugins should be here: chrome://plugins/
Can anyone confirm the name of the browser plugin to disable?
30/07/2012 at 11:59 Lilliput King says:
Uplay PC
30/07/2012 at 12:02 Jason Moyer says:
UPlay PC
30/07/2012 at 12:05 TheApologist says:
For those looking for the plug-ins section rather than extensions in Chrome, I went to settings and used the handy search at the top right for ‘plug-ins’, which in turn gave me a handy yellow arrow pointing to the right category, and then highlighted plug-ins in yellow on the list. Uplay PC was in there.
CONTRARY TO ARTICLE THE SEARCH SHOULD BE FOR ‘plug-ins’ not ‘plugins’
30/07/2012 at 13:04 grundus says:
Uplay PC
30/07/2012 at 16:15 Phasma Felis says:
Hey, has anyone mentioned yet that the name of the browser plugin to disable is Uplay PC? I mean, I could take five fucking seconds to check before posting, but that’s hard.
30/07/2012 at 11:36 Anarki says:
“You can always reinstall later, right?” Is this a joke about activation limits? Because for some people, they literally can’t.
Anyway, we’ve all accidentally put a rootkit into our DRM software at least once, right?
30/07/2012 at 11:39 Meat Circus says:
I’ve seen several people bandy this term around, but there’s no evidence that this thing is a root kit. It doesn’t attempt to hide itself.
Not a rootkit, just a shitty, shitty browser plugin.
30/07/2012 at 11:50 Milky1985 says:
Yes technically not a rootkit because it doesn’t install itself at a low enough level (think a true rootkit has been installed at the lowest of the os level, so basically impossible to remove without breaking the os), but rootkit like capabilities if it can run stuff from the windows directory and backdoor because of the stuff it opens. If it can run cmd.exe (in the same folder as calc) you can do basically anything you want, maybe even escalate permissions, or at the very least delete all your save games or something equally dickish.
Plan to test this when i get home to see what happens, all currently depends on what can be done, with command line access you can do a surprising amount.
30/07/2012 at 12:20 Quxxy says:
That’s not “rootkit like”. A rootkit is a program which actively hides its existence and/or other programs’ and files’ existence from the rest of the system and the user. This is just a stupidly dangerous backdoor. Still bad, but not as bad as a real rootkit.
30/07/2012 at 12:38 Milky1985 says:
Did you actually read all of what i wrote or just blank out after “rootkit like” and decide to quote that? As i clearly said (as part of the rest of the sentence) that it has rootkit like capabilities if its a backdoor and can run stuff without asking.
I never said it was “like a rootkit”, i said it can do things that a rootkit can do, two different things :P
30/07/2012 at 13:06 Quxxy says:
Sorry, I’m not aware of any way to distinguish between “quoted speech” and “air quotes” on a keyboard. Poor choice on my part.
Without bogging down in minutiae (just deleted a wall of text), the things you described are properties of a backdoor, not a rootkit. I’m just trying to correct the misinformation being spread by that stupid, stupid Hacker News headline.
It’s not so bad, though. One website was claiming that the (air quotes) “Uplay network has been hacked into”. *sigh*
30/07/2012 at 13:40 Milky1985 says:
Sorry I didn’t think i would have to put stuff in speech marks to make it so that people read the entire sentence, I will remember that next time.
Also the two aspects of a rootkit are
“A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer”
Yes it doesn’t do the first (as far as we know, i doubt it however as it would need a lot more stuff installed to do that), however it does do elements of the second as any time the browser is loaded, you have access.
Thus rootkit like behaviour.
We can argue over semantics a lot but its not going to matter to most people :P
30/07/2012 at 15:12 FriendlyFire says:
So a horse carriage is car-like because it can transport people?
Please, we have words for these things. A backdoor is not a rootkit and trying to say otherwise only ends up confusing people and spreading FUD.
If you want a rootkit, you need to check out Sony’s music CDs fiasco.
30/07/2012 at 21:22 noclip says:
With most software unrestricted arbitrary remote code execution is a total security failure. At Ubisoft it’s apparently just a side effect incidental to their DRM implementation.
30/07/2012 at 11:37 Everyone says:
Oh, sweet, sweet schadenfreude, how I love thee!
30/07/2012 at 11:55 Schadenfreude says:
Love you too man.
Love you too.
30/07/2012 at 11:58 Everyone says:
Nicely done sir!!
http://i.imgur.com/bZFIH.gif
30/07/2012 at 13:33 Shadowcat says:
http://ibiblio.org/Dave/Dr-Fun/df200310/df20031022.jpg
30/07/2012 at 11:37 Meat Circus says:
“a clear reduction in piracy of our titles which required a persistent online connection, and from that point of view the requirement is a success”.
30/07/2012 at 11:54 westyfield says:
Ah…
30/07/2012 at 11:37 Chris Evans says:
I think Chrome doesn’t let this happen, or at least my configuration of Chrome doesn’t. I don’t get that Uplay window or the calculator, I just get a plugin error image when I go to the test page. Yes, before anyone asks, I do have Uplay installed thanks to Driver.
Still, shocking lapse of security for this to have been allowed through.
30/07/2012 at 11:38 pakoito says:
That just means the unsafe plugin was not installed with your game, or Chrome removed it on purpose (?)
30/07/2012 at 11:40 dmoe says:
No, it can do it to Chrome too. One of the posts suggests: “Google chrome users: You can go to “about:plugins” and disable this and all other things that might expose you to extra security risks such as “Microsoft Office” (even “Native Client”) or any other plugins that exposed in there by 3rd party without any confirmation.”
30/07/2012 at 11:53 Jason Moyer says:
And where would one find “about plugins” in google chrome?
Edit: n/m found it
30/07/2012 at 12:02 Meat Circus says:
It’s a URL. Pop about:plugins in your omnibox.
30/07/2012 at 11:50 Lilliput King says:
Maybe the plugin doesn’t install by default? I’ve got SC:Conviction and I don’t see the plugin listed in Chrome.
30/07/2012 at 11:58 HermitUK says:
I didn’t see the plugin listed in Chrome either, but the test exploit still worked on my end.
Edit: My fail, it’s listed on chrome://plugins/ as UPlay PC. The plugin remains installed even if you uninstall Uplay, so it’s best to disable that as well.
30/07/2012 at 12:07 TheApologist says:
This was exactly my experience with Chrome too
30/07/2012 at 12:03 John Walker says:
Chrome definitely does. That’s what I tested it on.
30/07/2012 at 11:38 FCA says:
Hmmm….. possible workaround: disable the uplay plugin for all your browsers (why this was ever installed is beyond me, but it’s probably a case of braindead DRM being braindead…)
30/07/2012 at 11:39 ReV_VAdAUL says:
I uninstalled the one game I have from the list and heartily recommend everyone does but damn if this isn’t annoying for people on a slow internet or with bandwidth caps. Much much less annoying than having your computer of course but still, an additional gripe.
Edit: Even if this is just a bad plugin fuck it, I’m glad I uninstalled. Better safe than sorry.
30/07/2012 at 11:40 houldendub says:
Thank god for never touching Uplay!
30/07/2012 at 11:41 NightShift says:
Hooray for an epic fail. The second I started playing Splinter cell conviction after pirating it, I gave up on the horrible 1 button does everything controls (I hate those in general, but this game had the worst configuration in my opinion), the bad mouse sensitivity and how it’s mostly a third person manshoot with some resemblance of stealth. I uninstalled it and dropped all Ubisoft games from my mind.
U-Play? U-Suck.
30/07/2012 at 12:11 cliffski says:
As you are boasting about pirating the game, I’m not sure you are really in the moral high ground to complain at the game maker here…
30/07/2012 at 12:20 Donkeyfumbler says:
Exactly. At this point, I feel much more self-satisfied knowing that I simply don’t touch Ubisoft games at all rather than the whole ‘pirate as a protest’ thing, which is such a feeble excuse for piracy.
30/07/2012 at 12:23 RvLeshrac says:
Because there are so many other ways to determine whether or not a game is shit by playing it without plunking down the full, non-refundable retail price.
30/07/2012 at 12:43 Melliflue says:
You don’t have an inherent right to try a game before spending money on it. If the game has a demo then you can try that, otherwise you have to decide whether to buy it hoping you’ll enjoy it or avoid it entirely. You can read reviews about the game. You can wait to see what other people think.
But nothing gives you the right to pirate the game. Pirating games encourages companies to use such strict DRM measures, like UPlay.
30/07/2012 at 13:41 mrmalodor says:
WRONG. Every consumer has an inherent right to try or at least see the product they are about to buy. There is nothing at all wrong with pirating a game to see if it’s worth buying.
30/07/2012 at 14:08 bill says:
^ clearly the words of a bachelor
30/07/2012 at 14:23 Melliflue says:
If you put nothing into the making of the game and have not paid for the finished game then why should you have any say in what may or may not be done with the finished game? They set the terms on whether there is a demo or not, and they set the price. If you don’t think it is worth it then you don’t have to give them anything.
Also, as already mentioned, there are alternative ways to learn about a game. In fact by pirating it you are probably less likely to read reviews of the game, which takes business away from magazines/websites. You could even decide to wait until it is very cheap in a sale, which you might not have done if you had pirated it. I think you would need to justify why piracy isn’t harmful.
(I realise that retail stores can set their own price but they have to pay for the stock in the first place, and that price is negotiated between the store and the game’s publishers.)
30/07/2012 at 16:00 MadTinkerer says:
WRONG.
If you download a cracked copy with the intent of trying before buying (because you actually do have a habit of doing so, instead of just using it as an excuse), because no demo is available and you end up buying the game which I, for example, have done several times, it’s an example of piracy actually encouraging sales.
See: the problem here isn’t people downloading cracked copies of games. That’s actually 100% a non-issue. Just as downloading a movie from a non-legit torrent is actually a non-issue. If I bought a legit Blu-Ray copy of a movie and then download a second version from a torrent because my laptop doesn’t have a Blu-Ray player and/or the DVD drive is broken, that’s not hurting the publisher. In this example I’ve bought their product. Which is the real issue: people not buying the products.
Sometimes people download cracked copies of games in order to see if they’re worth buying, and not just as an excuse. I’ve had to cut back on doing so because I can’t afford to buy every cracked game I try. “Pirating” games =/= lost sales.
EDIT: Beaten by several others. Well said mrmalador.
@Melliflue:
“They set the terms on whether there is a demo or not, and they set the price. If you don’t think it is worth it then you don’t have to give them anything.”
And how am I supposed to decide whether it is worth it if there is no demo?
“In fact by pirating it you are probably less likely to read reviews of the game, which takes business away from magazines/websites.”
Nonsense. For one thing, I usually resort to piracy on titles that are overlooked by review sites in the first place. (though I admit I am an edge case here) But saying that piracy takes business away from magazines and websites? Ridiculous. How would I know what to look for on the torrent sites in the first place if I’m not reading magazines and websites?
“You could even decide to wait until it is very cheap in a sale,”
Oh please don’t talk about sales. Please. My wallet is still aching from the Steam Summer Sale and all the Kickstarters I’ve backed. Oh and look: Wanderlust is 25% off on Steam. And GoG’s Adventure Sale is still on for about 13 more hours. And that Indie bundle RPS just mentioned. Please, please don’t remind me. The utility bills need to come first!
EDIT 2: Oh yeah, and if I get a legit copy of AC2, for example, and never install the legit version because I’d rather play the cracked version and not put up with the DRM bullshit, again: that’s a sale Ubisoft gained because of piracy not in spite of it.
30/07/2012 at 16:52 Sheng-ji says:
@Mad Tinkerer
So you pirate your game on day 1 and buy it in the steam summer sale.
Slow clap.
You Dick.
And please, please name one game which hasn’t had enough footage released so that you can make an informed decision. I’ll be waiting to link you to the footage, reviews, let’s plays, commentary and tell you to get off your lardy fat ass and move from your bedroom, get down to your local independent game store and play their store copy if you really must play it for yourself.
In the meantime stop shirking your individual responsibility and remember “Not every pirated copy is a lost sale” is as unproven as the statement “Piracy harms the games industry”.
Link to some proof before making sweeping statements.
By the way “If” you get round to paying for AC2? How long a demo have you awarded yourself? The full game? If you progressed beyond 1 or 2 levels, you damn well should be paying for it BY YOUR OWN RULES. You really have just shown your quality, by which I mean lack of quality.
Oh and would you be so kind as to post an honest screen capture of your P2P history? I would very much like to see if you’ve pirated a game which had a demo. I’m guessing yes.
Look, everyone pirates. 99.9999% of people who tell you they haven’t and never would are lying. I’ve pirated in the past plenty of times.
What I don’t do is try to distort the truth and perception that I am somehow doing a good thing or that I have any justification as to what I was doing. I was doing a bad thing and I was completely unjustified to do so. It’s this pretence that what you are doing isn’t wrong or that you somehow have the moral high ground that makes me think you are a complete dick and all the other things I wrote.
30/07/2012 at 17:30 Nic Clapper says:
@mrmalodor
“Every consumer has an inherent right to try or at least see the product they are about to buy”
Yep — haven’t tried that brand of groundbeef at the market? Well open that sucker up and toss it on that grille for sale (2 birds cause I haven’t tried that grille either!). Maybe give that TP a test drive afterwards — its my inherent right!!!
30/07/2012 at 12:44 Sheng-ji says:
Well, there’s reviews for one, youtube videos showing gameplay often accompanied by a review for two, your local game store will often let you have a go for three – should I go on destroying your feeble excuse for piracy?
Why don’t you try the one where piracy somehow helps the game do better.
30/07/2012 at 12:52 Llewyn says:
It’s very simple. If a game is worth playing there will be a demo for it. If the publisher is so ashamed of it that they’re not willing to risk people being put off by a demo then it’s safe to assume that the game is crap in at least one important way.
30/07/2012 at 15:37 Dark Nexus says:
There are far, far too many games that don’t have a demo, and they exist across the entire quality spectrum.
And a lot of games that do have a demo don’t have one that does a good job of actually demoing the full game – you get a bunch of tutorials without a taste of the full gameplay.
30/07/2012 at 13:13 Kadayi says:
Indeed. If you’re prepared to play it you should be prepared to pay for it. Regardless of whom the publisher is and whatever ‘crimes’ they are alleged to have committed. People worked hard on making the games and the money made from sales helps towards funding new projects and keeping them in jobs. This ‘You fucked up Ubi, I’m pirating all your games from now on!!!’ mentality is morally bankrupt.
30/07/2012 at 15:59 Milky1985 says:
Problem is i have seen people who say “I’m not getting the game cause of the drm / publisher actions” ALSO get berated on places like this, because then “you are not supporting the PC gaming crowd and so publishers won’t make games on the PC”
Do you also get damned if you simply do not play the game :P
30/07/2012 at 17:18 Sheng-ji says:
Often the people berating those who make a stand are overwhelmed by the people saying “I respect your position”.
In fact a much worse problem is the people who are boycotting a game berating the people who buy the game because whatever the reason for the boycott is not an issue for many. They accuse those people of destroying the games industry too.
01/08/2012 at 14:36 Hmm-Hmm. says:
That could be a problem, but so far I’ve not noticed a lot of that. Well, around here at any rate. Similar has happened regarding Steam, as Valve is a weak spot for many hiveminders. But overall I’d expect better from the folk here. In fact one of the few things gamers can do is demonstratively not buy a game. At the very least such a gamer can save more money for other things (like other games) and sometimes devs/publishers even change things up after enough cause for them to review their product. And diminished revenue is a big part of that.
Overall, I’d say most RPS folk would stand behind better gaming rather than more gaming regardless.
-edit- That, and supporting choice for gamers is better than to support the industry without question. More games doesn’t equal more choice.
30/07/2012 at 14:42 fish99 says:
No, you suck. Every time you pirate something you’re just making the case for DRM stronger, and you’re depriving that publisher/developer of the money to invest in future titles.
30/07/2012 at 16:47 PitfireX says:
Adding DRM because of pirates is just like making stricter gun laws… the pirates will always find a way and you’re just getting in the way of good honest people. That being said today’s game companies are always trying to nickel and dime us, working for every cent. If most people who don’t enjoy supporting “Call of duty:Copy Paste 6” didn’t pirate, they most likely wouldn’t have any games to play.
I personally feel like we’re at a point where the big guys (EA, Activ, UBI) are making garbage, but the independents can’t yet make an A+ title. Feels like the medium guys are getting pushed out.
30/07/2012 at 18:00 Sheng-ji says:
Er… bad analogy, gun crime is incredibly rare in countries with strict gun control, unlike countries in which it is easy to get one.
30/07/2012 at 11:41 Ministry says:
I love it! Any time bullshit policies run into issues it makes me happy. I hope Ubisoft is at least a bit embarrassed and\or ashamed, but that is naive of me to think they care about problems that face their customers due to their shit policies.
30/07/2012 at 11:42 MrCraigL says:
For potential “what this could do” – if it has command line access to launch the calculator then it could, in theory, use cmd to download any executable it likes through FTP, and then run it.
Anti-virus *might* detect it, but it’s unlikely.
30/07/2012 at 11:55 Optimaximal says:
It depends on the user account. If they try to execute cmd.exe with administrator rights (needed to actually harm system files or write to protected areas), Vista/7 should throw a UAC prompt.
If you’re still on XP or are running with UAC turned off, this is your own fault.
30/07/2012 at 11:59 BubuIIC says:
You can do enough harm with a non-privileged account. Think about deleting user files for a start.
30/07/2012 at 12:23 RaveTurned says:
Most modern malicious attacks aren’t about deleting data or causing harm, but about getting access to your computer or the data on it without the users realising. The kind of attack you describe is the kind that people would definitely notice, which would draw unwanted attention to the exploit.
A more likely danger is the kind of scenario where someone has their credit card details, on-line banking credentials or other personal information saved somewhere in their user data (for instance a password file in My Documents), that the attacker could make off with. Also if the attacker had knowledge of a separate exploit to raise their access privileges and do more nasty things, this security hole could allow them to make use of that knowledge.
30/07/2012 at 12:07 MrCraigL says:
I’d blame Ubi before anyone running XP or without UAC to be honest – plus the last Steam survey had 15% of people running XP. There are standards to stick by, and enabling an argument that makes your plugin run any exe path should be a red flag to any developer.
With cmd, I don’t think it needs admin to write to your documents, so it could ftp there and then run a file. Stuff might block it, but for some it will get through.
Also, hello!
30/07/2012 at 12:13 Optimaximal says:
Yes, deleting user files is an issue, particularly if they target %USERPROFILE% etc.
What people are probably thinking when they hear these things is either their Windows folder being maliciously deleted or their system being controlled as part of a botnet, both of which require alteration of key files and the registry, which *should* be protected.
Again, providing you’re on a newer OS.
30/07/2012 at 13:44 Kdansky says:
There’s another problem. If any other software on your PC has a known escalation exploit, then that can be easily targeted. For example, if Adobe Reader has an ugly bug (that can be abused by a specific PDF) then this pdf can be downloaded and opened through this exploit. That’s a ton easier than getting you to open a PDF on a webpage.
In essence, any problematic bug in any piece of software you have on your PC can be abused through a web-page.
And of course, everything that runs in user-space can be done. For example, crash your graphics card driver, delete your documents or read any file on your disk and send it to anyone. Anything that does not explicitly require a “Are you sure you want to grant Admin-privileges” dialog.
30/07/2012 at 14:37 fish99 says:
Logic fail. Lots of people still use XP and it’s still supported by MS. Using it doesn’t mean you deserve to get malware through some security hole in a 3rd party plug-in you didn’t even know a game had installed into your browser. That’s like saying every time you leave the house without a kevlar vest you deserve to be stabbed.
30/07/2012 at 11:42 Derppy says:
Basically if you have the browser extension installed, any website you visit can execute anything on your computer.
I wouldn’t even call that a “security risk”, it’s a security disaster. A trojan on every customer’s computer, which can be abused right now by pretty much anyone. Hopefully Google and Mozilla are fast to blacklist it, even if it isn’t their mistake.
I really hope Ubisoft won’t easily get away with this, demand trashing their intrusive piece-of-crap DRM system. Sony had to trash their rootkit, this should face the same fate.
30/07/2012 at 11:53 Milky1985 says:
Mozilla won’t blacklist this quickly, they are only quick to blacklist stuff from MS like they did with the .net helper a while back :P
Oddly that was because it installed without asking the user and they had put stuff in to stop that sort of thing from happening again!
30/07/2012 at 16:50 cgf says:
It is already blocked: https://bugzilla.mozilla.org/show_bug.cgi?id=778686#c4
30/07/2012 at 11:46 Sheps says:
Couldn’t have happened to a shittier company with a shittier stance on pirating. Isn’t it quite comical that Ubisoft, in an attempt to curb piracy, have turned far more would-be customers to piracy with their shitty DRM.
You can either pay Ubisoft a stupid amount for AC and play under severe limitations or you can go download it from thepiratebay and play without all the BS. Great work Ubisoft.
30/07/2012 at 11:55 SanguineAngel says:
Presumably pirates also benefit from a lack of security breaching “features” too!
30/07/2012 at 12:38 RaveTurned says:
It really depends how much you trust downloading and installing software that you *know* has been tampered with by an anonymous third-party with criminal intent. :/
Although given the story, it seems you’re almost as likely to have some dodgy code slipped into the official product as you are a pirate copy.
30/07/2012 at 12:40 Kaira- says:
The joys of proprietary software.
30/07/2012 at 13:29 ArcaneSaint says:
Actually, the whole “pirates slipping malicious code into their releases” risk is quite minimal. Why? Because if they did, and were caught out on it, they would be immediately and completely abandoned by the community. And they, more than others, rely on the community to remain afloat, if they are no longer trusted they will be replaced (remember, the bigger groups don’t do this out of “criminal intent”, but more for “the fame”). Also, you may have noticed that thepiratebay has so-called “VIP” and “trusted” users (marked with a purple/green skull), these are users with a very excellent track record, usually the “official spokesperson” of release groups, and the skulls mark that they are trusted/confirmed by the community (example: VIP user ‘extremezone’).
Of course, if you download files from unknown/unconfirmed sources and get malware on your system, then that’s your own damn fault.
30/07/2012 at 16:42 Faxmachinen says:
Cracked software is mostly harmless, but I’d not log into any valuable accounts through it.
30/07/2012 at 11:47 Stephen1212 says:
If you uninstall Uplay from your machine it can’t launch. The games can stay, they just will not work until you reinstall Uplay from the website.
30/07/2012 at 11:48 Gap Gen says:
Wait, is this the software that installed itself last night after I booted up From Dust for the first time, and which has no discernable purpose except to annoy me? Good to know it’s potentially malign as well as a waste of my time.
30/07/2012 at 12:26 Zephro says:
That’s the one. I got it installed by Anno 2070.
I think my whole reaction can be summed up in 2 words “Fucking typical.”
30/07/2012 at 15:16 wu wei says:
I got From Dust through Steam and Anno 2070 through another online vendor.
The Uplay for Steam games doesn’t display non-Steam games (and vice versa), despite using the same damn account. An account which has a password truncated to 16 chars without telling you, with a client that will accept more than 16 chars, which then doesn’t match the short version. “This has been an issue for some,” is how one of the forum reps put it, as if the blame was ours for not intuiting their secret password size limit.
It’s just a piece of garbage.
30/07/2012 at 11:49 destroy.all.monsters says:
Proving once again that you’re better off pirating Ubi’s games than buying them.
30/07/2012 at 11:52 kregg says:
That’s if the games are even worth pirating to be honest.
30/07/2012 at 11:49 benjymous says:
Yes, that’s nasty – I haven’t got uPlay installed to test that it works, but the proof of concept apparently launches calc.exe without the user prompting.
This basically means that a website could launch any exe on your PC. For example it could reformat your hard drive, or at the very least delete all your files in “My Documents”
30/07/2012 at 11:50 Gwilym says:
Well, piss. I only just installed Driver: SF yesterday, and was already angry at myself for giving them my money after A) sitting through an irritating series of patching processes completely separate to Steam, B) having to use Uplay at all and C) seeing what an awful port it is (of a rather brilliant game). I guess now we have a D. And it turns out, just as the legends told, Ds are fucking huge.
THAT’S THE WORST JOKE I’VE EVER TOLD THANKS A LOT UBISOFT
30/07/2012 at 16:53 Skabooga says:
Ds what?
30/07/2012 at 11:50 faillord_adam says:
My computer’s unplugged because the CPU’s overheating. What do I do?
30/07/2012 at 12:17 Toberoth says:
Boot it up with your router/wireless card turned off (or network cable unplugged).
30/07/2012 at 15:16 FriendlyFire says:
Um, you realize that this won’t automagically execute something nasty right?
You need to browse to an infected page. Just start a new empty browser session and immediately deactivate the thing. No need for voodoo magic or unplugging of network adapters or hard drives.
30/07/2012 at 11:50 vandinz says:
Weird, I bought some Ubisoft games in the Steam sale and even though I get the Uplay crap on startup of the games, there’s no plugin for it in Chrome. Does it still count if the game is through Steam then or just stand-alones?
30/07/2012 at 11:54 vandinz says:
Scrub that, was looking in the wrong place :P
30/07/2012 at 11:54 dE says:
Dunno about your local case. In my case, I bought Heroes 6 in the summer sale on Steam and I’ve had Uplay sitting in my browser plugin space (Firefox though). Might be a browser thing.
30/07/2012 at 11:50 Unaco says:
UPlay… You pay.
30/07/2012 at 11:51 Milky1985 says:
So UPlay installs a (possibly) dodgy web plugin, but refuses to give me the uPlay points for completing Driver: San Francisco, good going there!
All stick and no carrot!
30/07/2012 at 11:51 Paul says:
Yeah I am not uninstalling Driver and AssCreedRev, two games I am currently in the middle of playing. I disabled those Firefox plugins though. This is ridiculous and Ubi should get on it ASAP.
30/07/2012 at 11:52 Optimaximal says:
Well, there’s the point that Browser and OS security & sandboxing *should* prevent anyone directly placing trojans on your PC. What the PoC seems to show is a) files can be run that are already on your machine & b) a malicious party can base 64 encode a complete string that could be used to silently FTP files onto your machine to execute in case a).
It’s a shocking lapse in security, but equally something that should be a) easily fixable, given how Ubisoft recently updated UPlay without my intervention (it just installed a new version when I went to play AC2) and b) would require some thought to execute a coordinated attack on a number of UPlay users.
I guess XP users are at risk because they’re more than likely running a superuser account, but Windows Vista/7 & Mac OS should throw a UAC/Credentials confirmation if the script tries to do anything more than execute an already accessible program like Calc or (at worst) do something to the current user’s User folder.
30/07/2012 at 12:20 jalf says:
No, not really. Sandboxing doesn’t help against plugins installed into the browser with the express purpose of bypassing the sandbox.
So.. it’s fixable *when you try to launch your game*. Until then, you’re vulnerable. So if someone, hypothetically, has a game installed that they no longer play….. no automatic fix for them any time soon.
Not really. You can run any process on the PC which you have permissions to access. You can do quite a lot of fun stuff in that way. Deleting user files is an obvious one, but if you can find anything like a command-line FTP client or scp, or just a mail client or, well, a number of other applications with network access, then you can probably get them to fetch a new file from some remote server. And execute it.
I don’t know what kind of privileges the process is executed with. I’d assume that it’s run with the user’s own privilege level (which, for nearly everyone means they’re administrators, possibly with UAC enabled — but again, there are quite simple ways to bypass UAC prompts, so even then, you’re essentially fucked)
- *Many* people, not least gamers, disable UAC
- UAC prompts can be avoided, and that’s been known since Win7 was in beta. Microsoft’s response: “UAC is not a security boundary”, so that’s ok.
- you don’t need to gain administrator privileges to fuck the user over. Deleting or corrupting a few files in the current user’s home dir is more than bad enough.
30/07/2012 at 11:53 DanPryce says:
Ah man, I was hoping to play Beowulf: The Game this evening.
Seriously though, I’ve only got Assassin’s Creed 2 installed from that list. I did pick up Splinter Cell: Conviction in the Steam sale; glad I didn’t install that.
30/07/2012 at 11:53 Strabo says:
The list of games isn’t complete. Anno 2070 uses UPlay and From Dust too (although that game never worked for me at all).
30/07/2012 at 15:19 FriendlyFire says:
I believe the list is only for those games which are actually problematic, perhaps because UPlay doesn’t exhibit that behavior in other games?
30/07/2012 at 11:54 Visualante says:
Given Ubisoft’s mailing list leak from the Watch_Dogs website earlier this year, you could imagine that someone might have a perfect list of users to e-mail executable code to…
30/07/2012 at 11:58 overburning says:
I’ll just be playing Splinter Cell Chaos Theory then :)
Edit: I’ve never seen the plug-in in my browser, but the link worked for me. After I uninstalled the Ubi game launcher however the link stopped working.
30/07/2012 at 11:58 JD Ogre says:
Raise your hand if you are actually surprised.
…
Anyone…? No? Thought so.
30/07/2012 at 12:02 Mbaya says:
Appreciate the heads up Alec, thank you.
Possible offenders uninstalled. As if people didn’t like their aggressive DRM enough, it now rears its head as being more abusive to its customers, terrible.
30/07/2012 at 12:02 Gramarye says:
And I just finished the six-hour download of AssCreed Rev this weekend. :(
30/07/2012 at 12:02 bill says:
Furious 4 was released already?
30/07/2012 at 12:03 misterT0AST says:
There is a good way and a bad way to do DRM,
in the same way that there is a good way and a bad way to get your head chopped off in your execution.
The result is still bad for you, and yet sometimes it’s way, way worse than what it should be.
Ubisoft missed the neck and had to strike seven times to decapitate us.
I hope they’ll do this painful thing more competently in the future.
30/07/2012 at 12:09 DPB says:
I’ve got Assassin’s Creed II, Brotherhood and Revelations installed but there’s no sign of the extension in Firefox, and the test link just tells me it needs to install a missing plugin. I think NoScript must’ve stopped it in its tracks.
30/07/2012 at 12:11 Rinox says:
And so the boycott proves me right.
30/07/2012 at 12:12 Shantara says:
If chrome://chrome/settings/search#plugins didn’t work for you, try opening chrome://plugins/ in Chrome.
30/07/2012 at 12:13 sonofsanta says:
Oh dear.
Oh dear oh dear oh dear.
I nearly bought one of the PoP games in the Steam sale as well, and thought, nah, it has that stupid DRM, I’ll not bother. Lucky me…
30/07/2012 at 12:14 DodgyG33za says:
I made a mistake and bought a Ubisoft game in my mid-summer madness last week. Quit once I realised I needed an account with uplay to play.
Started up GTA4 instead. Different company, same bollocks. Wanted me to set up some crappy microsoft account to save my offline game.
No, no and no. Steam is set to lose longer term because if in doubt, I won’t bloody well be buying in future, I will be pirating, because chances are I won’t have this bollocks.
And on the plus side, even if the pirate copy is riven with malware, it is probably still more secure than buying a legit copy because my virus checker will pick it up.
30/07/2012 at 14:28 Fierce says:
While I understand your frustration, frankly you’re buying your games wrong.
1) While not on 100% of Store Pages, the vast majority of Steam store pages will show if the purchase requires and uses 3rd-Party DRM. This information is located on the right side of the page, above the ESRB rating and/or the game features written in green text such as “Co-op” or “Controller supported”. This information is located on the GTA4 page and all Ubisoft games that were on sale recently.
2) Even in the case of vague information (GTA4 says “SecuROM and unlimited activations”, while saying nothing about Rockstar Social Club), the Internet is of course full of first-hand information about the impact of the DRM that is just a search string away. This is just one of the resources available, with the Steam Forums being a common second resource.
So before you deny content creators cash they sometimes deserve and possibly become a blip on some litigation troll’s radar, consider changing your critical consumer habits so you can better enjoy the games you want. Looking before leaping will take you surprisingly far in life.
30/07/2012 at 14:44 fish99 says:
Click ‘start offline’ and you don’t need to be logged into anything to play and save in GTA4.
30/07/2012 at 12:14 Chris Evans says:
Don’t know if this has been mentioned, but this seems to have only snuck in since Uplay 2.0 was launched. I just launched Driver San Fran and it updated my Uplay client from the old 1.x version to 2.x. I ran the test again and this time Uplay launched. I have now disabled the plugin.
30/07/2012 at 12:22 DPB says:
Yeah, the plugin appears to be a new addition. As I said above, I didn’t have it installed either, but running one of the games updated it and installed the plugin.
30/07/2012 at 12:14 drewski says:
I feel a lot less guilty about renting Ubisoft games for my console rather than buying them for my PC now.
30/07/2012 at 12:16 Post-Internet Syndrome says:
I didn’t know uplay installed a browser plugin. I’m not hating on the backdoor, such things happen, but installing stuff on my computer without asking is rude.
30/07/2012 at 12:21 dejawolf says:
can we sue ubisoft for this shit?
30/07/2012 at 13:07 Sheng-ji says:
If something actually happened on your computer that somehow causes you damage (deleting important files is a good example of this) and you can prove to an expert that it was caused directly through this exploit (or hire yourself an expert who can prove it) then yes you can – £25 fee and the small claims court beckons!
30/07/2012 at 13:46 Milky1985 says:
It doesn’t even need to cause damage, unless the EULA was updated to give permission to install the plugin they have broken the computer misuse act in theory.
“A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured];
(b) the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.”
The app is to secure access to uplay, it is unauthorised since there was no permission and that was what the plugin was designed for.
Of course Ubisoft have bigger lawyers than us so I’m sure there’s a few loopholes they can abuse.
Not a lawyer anyway :P
30/07/2012 at 17:13 Sheng-ji says:
Yes, but how is a judge supposed to award you damages if you haven’t been damaged?
30/07/2012 at 12:23 Quxxy says:
Alec, I just want to thank you for not just blindly copy+pasting that sensationalist Hacker News headline. Far too many outlets parroted that this is a rootkit when it really isn’t.
People need to know this is dangerous, but it’s hard to get the message across clearly when the original headline is factually wrong.
Again, thanks for being the first journalists I’ve seen covering this story thus far to actually act like journalists. hugs
30/07/2012 at 12:25 mrmalodor says:
But it IS a rootkit.
30/07/2012 at 12:37 Kaira- says:
Except it is not. Rootkit hides its existence. UPlay? Not so much.
30/07/2012 at 13:43 mrmalodor says:
Except it clearly is a rootkit. Uplay doesn’t tell you before installation that you are about to install something that gives people full control over your computer.
30/07/2012 at 13:48 Milky1985 says:
It’s not full control, it’s only while the browser is loaded, for it to be a full on proper rootkit it has to be at all times. This is just rootkit-like with the way it acts, and still just as bad.
30/07/2012 at 12:41 Milky1985 says:
Not a rootkit, does rootkit-like things but not a rootkit because of the level it’s installed at.
They are in theory in breach of the Computer Misuse Act however, as they modified the computer’s settings without permission, unless the latest EULA that no-one reads said they can install a web plugin :P
30/07/2012 at 12:24 nasenbluten says:
I wonder where is that guy that argued every single time that Uplay wasn’t DRM and that it was just “as bad” as Steam.
Where is your god now?
30/07/2012 at 12:25 GlasWolf says:
Ubi press release blaming third-party developer in 3… 2…
30/07/2012 at 12:28 D3xter says:
Here’s a complete list of games (out now) that utilize the uPlay DRM btw.: http://steamdrm.flibitijibibo.com/index.php?page=DRM_Lists/Account-based#07_account_based_ubisoft_drm.txt
I generally find that Website/List very helpful before buying any game: http://steamdrm.flibitijibibo.com/index.php?page=DRM_Lists/The_Big_DRM_List
30/07/2012 at 12:29 Kadayi says:
“I urge you to uninstall it and any games that use it immediately, until we know more.”
Alternatively maybe just disable the plugin in your browser settings and hold off playing any games until it’s patched.
30/07/2012 at 12:30 Chris Evans says:
As Uplay is also used on the consoles, does anyone know if this would have an impact on those in any way?
30/07/2012 at 12:33 Metalhead9806 says:
I uninstalled the two games that used Uplay (AC Rev, SC Conv), I uninstalled the Ubisoft game launcher.
Problem is I don’t see the extension in my Chrome or Internet Explorer web browser.
I use Chrome 100% and I pasted that URL link and I didn’t see any Uplay PC addon/extension.
How do I look for it in Internet Explorer? Even though I don’t use it, Uplay could have installed the extension to that browser at the time.
Please help, I’m having a small panic attack.
30/07/2012 at 13:04 Optimaximal says:
Uninstalling UPlay may have removed them.
IE Plugins are managed via Tools > Manage Add-Ons.
30/07/2012 at 12:36 Axess Denyd says:
Uplay sucks in every way possible.
It even breaks savegames in AssCreed 2.
Every time I want to play, I hit play in Steam, wait for Uplay to happen, load AssCreed in safe mode, load a saved game, which is always right at the beginning of the game, then exit, watch uplay sync with the cloud, then load AssCreed in safe mode again, and then load my saved game which will actually be in the right place.
Failure to load in safe mode causes my saved game to be completely lost.
There are a TON of people with this issue, and they completely failed to patch it. Seriously considering pirating AssCreed 2 so I can actually play it without loading repeatedly. …also all the times the launcher sits idle gets recorded as playtime, so it looks like I have played almost 60 hours instead of 9 or so.
30/07/2012 at 12:40 AbyssUK says:
This is awesome, please hackers of the world can you go for the Origin plugin next, am sure that’s got more security holes than the Olympic park.
30/07/2012 at 13:15 Kadayi says:
Hackers didn’t do this.
30/07/2012 at 13:49 Milky1985 says:
I think he means for them to go poke the Origin system to find the exploits and holes, as I think the original poster is either a white hat hacker or a security researcher.
30/07/2012 at 17:01 Kaira- says:
More likely a grey hat, throwing this info into the wild before Ubisoft had time to act.
30/07/2012 at 12:41 Tim Ward says:
Would it be untoward of me to ask what a piece of DRM is doing silently installing a browser plugin?
30/07/2012 at 12:48 GlasWolf says:
I suspect it’s “because everyone else does it”.
30/07/2012 at 14:52 Tyraa Rane says:
But…everyone else doesn’t do it. I’ve got Steam and (Cthulhu help me) GFWL installed on my PC right now. My Firefox install remains cheerfully unmolested; no browser plugins from either of them. This is the first time I’ve ever heard of a DRM scheme sticking its nose into a web browser.
And “what in the bloody hell is uPlay doing installing a browser plugin without my consent” was the first question that came to mind when I read this article, too. Seriously, Ubisoft. What the actual hell made you think that was a good idea and not a privacy (and now security) debacle waiting to happen?
30/07/2012 at 17:43 Cooper says:
Nope. Sure, many installers ASK to install annoying toolbars and whatnot.
But, importantly, they ask.
This was installed without request; that’s the awful thing about this.
30/07/2012 at 18:53 Tim Ward says:
But *what is it doing* – what purpose does the plugin serve? If it’s hidden, i.e. not some zany toolbar, then I can only assume it’s up to no good.
30/07/2012 at 12:47 Metalhead9806 says:
Is it possible that I don’t have the extension in my Chrome or Internet Explorer browsers? I looked everywhere and I don’t see Uplay PC anywhere. Only Ubisoft game I played in the last four months was AC Rev and I don’t remember Uplay updating at all.
30/07/2012 at 13:07 Optimaximal says:
This is only a problem with the recent 2.0 update to UPlay that happened about a month ago. The older version wasn’t affected.
30/07/2012 at 12:47 Cryo says:
Why the hell would it install browser plugin in the first place? What purpose does it serve? Just mindboggling. I’ve never joined any boycotts but I think I’m just done with ubisoft now.
30/07/2012 at 13:05 explodeydendron says:
I can’t find any Uplay plugins, even with Ass Creed Bro installed. What’s up with that?
30/07/2012 at 13:06 Diago says:
I can confirm that a lone installation of From Dust (Steam version) is also vulnerable to this exploit. The link provided also summons Windows Calculator after activating Uplay.
30/07/2012 at 13:08 nēģeris says:
Pirates do not have problems like this…
30/07/2012 at 13:15 TwwIX says:
As if I needed another reason to avoid their games. Somebody needs to make an example out of these assholes. How the fuck do we not have laws against this type of invasive DRM?
30/07/2012 at 13:15 Martel says:
This is my punishment for finally buying an Ubisoft game. I held out for so long due to all their various garbage and got one on the Steam sales. Then this….guess I learned my lesson about buying their games.
30/07/2012 at 13:15 Elmokki says:
I bought some Assassin’s Creed games in the Steam sale. Is it safe to install these if I remove the plugin right after or does it get mysteriously reinstalled all the time when I try to play?
It’s pretty damn sad, but there’s a big incentive here to just pirate the game I actually own just to avoid terrible DRM.
Oh well, my own fault I suppose. I was boycotting Ubisoft due to the DRM that I hated even before this backdoor, but Steam sale made me buy some games since they were cheap.
30/07/2012 at 13:16 Maldomel says:
Can I laugh at Ubisoft?
Seriously, I hope they don’t get away clean with this shit.
30/07/2012 at 13:25 WJonathan says:
“Calculator’s hardly scary of course,”
Speak for yourself!
30/07/2012 at 13:27 Heliocentric says:
Freaking Ubisoft DRM, when will they learn. I’d actually argued in favour of a few recent Ubisoft games despite UPlay’s presence, without them formally apologising and rescinding UPlay entirely I will not be talking about anything they play, and not buying anything either for that matter.
30/07/2012 at 14:22 Mbaya says:
I think I’m pretty much in the same boat. Never been a fan of their DRM, but I lived with it…it exists, if I want to play a selection of their games I can jump through that hoop.
This on top of every other situation their DRM has raised…well, it’s the straw that broke the camel’s back for me.
It might be hard to resist some titles, if I’m weak and cave in maybe I’ll even still get them for a console (it’s sucky to miss out on a great game and the work a developer has put into that, when this seems to be a publisher controlled issue) but they seriously need to reevaluate how they’re handling the PC space and at the very, very least we need a well thought out apology and not their usual PR gibberish over this matter.
30/07/2012 at 13:27 malkav11 says:
It’s not installed on my machine, though uPlay and several games that use it (acquired for dirt cheap, mind you) are. I assume this is because I haven’t run any of them in months and so uPlay has not updated itself to turn into a webstore.
30/07/2012 at 13:42 Rossi says:
It would be ironic if this exploit managed to give hackers what they need to pirate ubisoft software.
30/07/2012 at 13:49 rocketman71 says:
Glad I didn’t buy anything Ubi in the Steam sale due to their shitty DRM. Seems it was shitty in more ways than I thought.
What a mess. Are the idiots at Ubi ever going to recant their shitware?
30/07/2012 at 14:02 mechabuddha says:
Now I know for a fact that I have UPlay installed on my computer. But I can’t find a UPlay plugin in Chrome. Should I uninstall UPlay entirely just to be on the safe side?
30/07/2012 at 16:46 Torgen says:
Given this asshattery on Ubisoft’s part, I wouldn’t assume uninstalling Uplay would uninstall the browser extension.
30/07/2012 at 14:21 boxfish says:
Hm, I uninstalled AC: Revelations and now can’t find any trace of Uplay on my system. Not sure if it’s been automatically uninstalled or something. Any ideas?
30/07/2012 at 14:47 Stuart Walton says:
Chrome lists the file as being installed at:
C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
MIME type: application/x-uplaypc
So you can always see if you can find it there.
It ended up being installed after I went back to play a bit more Assassin’s Creed Brotherhood (via Steam). When I first installed it I was able to play without a uPlay account, but they patched it and I could find no way to launch the game without logging into uPlay.
That in itself was a poor show from UbiSoft. This browser plugin is a catastrophe.
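Added example (not part of the comment above, and not Ubisoft's or any browser's code): a Python check built on the file name, install path and MIME type reported in that comment, which also catches a copy of the plugin installed somewhere else or under another file name. The record layout, the sample records and the function names are assumptions made for illustration.

```python
import ntpath
import os

# Indicators quoted in the comment above.
PLUGIN_FILENAME = "npuplaypc.dll"
PLUGIN_MIME = "application/x-uplaypc"
REPORTED_PATH = r"C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll"

# Constructed sample of what a browser's plugin page lists (hypothetical shape).
SAMPLE_RECORDS = [
    {"browser": "Chrome", "name": "Uplay PC", "path": REPORTED_PATH,
     "mime_types": ["application/x-uplaypc"], "enabled": True},
    {"browser": "Firefox", "name": "Uplay PC", "path": REPORTED_PATH.upper(),
     "mime_types": ["Application/X-UplayPC"], "enabled": False},
    {"browser": "Chrome", "name": "Example PDF Viewer",
     "path": r"C:\Program Files\Example\nppdf.dll",
     "mime_types": ["application/pdf"], "enabled": True},
    # Copied or renamed DLL: the file name differs, the MIME type still matches.
    {"browser": "Firefox", "name": "Unknown",
     "path": r"D:\Games\Launcher\plugin_copy.dll",
     "mime_types": ["application/x-uplaypc"]},
]


def find_plugin_files(roots):
    """Walk each root directory and return paths of files named like the plugin DLL."""
    hits = []
    for root in roots:
        # os.walk yields nothing for a root that does not exist.
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == PLUGIN_FILENAME:
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def match_plugin_records(records):
    """Return the records that match the indicators, with the reasons attached."""
    flagged = []
    for rec in records:
        # ntpath parses Windows paths correctly on any operating system.
        base = ntpath.basename(rec.get("path", "")).lower()
        mimes = {m.strip().lower() for m in rec.get("mime_types", [])}
        reasons = []
        if base == PLUGIN_FILENAME:
            reasons.append("filename")
        if PLUGIN_MIME in mimes:
            reasons.append("mime")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def enabled_matches(records):
    """Matching records that are still enabled; a missing flag counts as enabled."""
    return [r for r in match_plugin_records(records) if r.get("enabled", True)]


if __name__ == "__main__":
    # Default roots come from the Windows environment; empty on other systems.
    roots = [p for p in (os.environ.get("ProgramFiles"),
                         os.environ.get("ProgramFiles(x86)")) if p]
    for path in find_plugin_files(roots):
        print("plugin file on disk:", path)
    for rec in enabled_matches(SAMPLE_RECORDS):
        print("still enabled:", rec["browser"], rec["path"], rec["reasons"])
```

A record that is disabled in one browser says nothing about the others, so the check reports each browser separately.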
30/07/2012 at 14:55 Tyraa Rane says:
Would someone care to enlighten me as to why a DRM scheme is installing a plugin in my web browser?
30/07/2012 at 16:53 akeso says:
So Ubisoft can use a link on their website to launch uplay.
That’s the only reason your computer was just left naked on a street corner in the internet universe.
Gotta love improved user functionality right?
30/07/2012 at 14:56 Dark Nexus says:
I can confirm that “From Dust” does install the browser plugin. So it can be added to the list of affected games.
30/07/2012 at 16:24 yhancik says:
I have installed and played From Dust (although it was in January) but I couldn’t find the plugin in Firefox nor Chrome…
30/07/2012 at 15:28 Daryl says:
Good thing I do not support Ubisoft. Otherwise, I might be worried.
30/07/2012 at 15:29 Wynter says:
OK, so I’ve disabled the plugin in both Chrome and Firefox; tried the exploit link in both and they’re fine.
I could not find a Uplay plugin in IE under “Manage add-ons” anywhere, looked in all the sub-categories. The exploit still works there, though. Is it named something else in IE9? Is there a different way to disable it?
I do not want to disable IE9, since for some rare sites IE is still necessary. Similarly, I’m playing Driver: SF and don’t want to kill off Uplay completely.
Any thoughts on how to find/disable this plugin in IE9?
30/07/2012 at 15:33 Dark Nexus says:
I can’t speak for IE9, but it doesn’t seem to have installed in IE8. Every other browser on my system had it, but checking the link to test with from the article in IE8 brought no results.
30/07/2012 at 15:51 Wynter says:
Exploit still present in Internet Explorer 9, cannot find any way to disable the Uplay plugin. Does not seem to be an issue in IE9 64-bit version.
Any thoughts?
30/07/2012 at 15:56 Dark Nexus says:
Okay, found it in 8…
Tools > Manage Add-Ons > Change “Show: Currently loaded add-ons” to “Show: All add-ons” > Scroll down the list to find Uplay.
I’m installing IE9 right now, so I’ll hunt it down there too.
30/07/2012 at 15:33 BlitzThose says:
guess I should consider myself lucky I only installed one of these affected ubitard games in the last couple of days
30/07/2012 at 15:37 Metalhead9806 says:
Ubisoft why do you punish me for supporting you?
30/07/2012 at 15:42 Jim9137 says:
That’s a wonderful shot headlining. Is there a higher resolution one?
30/07/2012 at 15:54 Calabi says:
This should be illegal. Installing things without the players’ consent and other such transgressions like not knowing what the fuck they are doing.
The internet is like the wild west only worse. There’s no one looking after the consumers, or upholding a law or minimum standards. No one looking at these sorts of things. If you’re not an expert or go to people in the know you’re fucked.
The lack of security and accountability must be a major impact economically on the internet. Through people too worried to buy, losing money, or not investing.
30/07/2012 at 16:02 Milky1985 says:
It is in the UK, it’s a breach of the Computer Misuse Act, only a minor breach (slap on wrist) but still illegal.
30/07/2012 at 17:49 psyk says:
LMAO
30/07/2012 at 16:01 Bettymartin says:
Posted on the first post for visibility but it looks like Ubi have issued a fix. My Uplay has updated and the revision notes suggest the plugin can now only start Uplay.
30/07/2012 at 16:02 vandinz says:
JUST GOT AN UPDATE ON UPLAY. Fix addressing browser plugin. Plugin now only able to open Uplay application.
30/07/2012 at 16:39 merseybeatnik says:
I downloaded the update claiming to have fixed the issue from Ubisoft and before disabling the plug-in I clicked on Revisor’s link to test whether the vulnerability was still exploitable and Windows Calculator still opens so I don’t know whether the update has solved it or not.
30/07/2012 at 17:03 dE says:
Well… yeah.
I tried it, the update downloaded but this definitely did not fix it for me.
30/07/2012 at 17:11 Bettymartin says:
Calculator doesn’t open on mine since installing the update. Could it be a browser based issue maybe? I’m using Chrome.
30/07/2012 at 17:15 cgf says:
Did you restart the browser? It may still have the old version loaded.
30/07/2012 at 16:28 Urthman says:
I played AssCreed 2 a while ago, but apparently not recently enough to have received the U-Play plugin. It’s not installed in my Firefox.
30/07/2012 at 17:01 Skabooga says:
Well, now that you’ve used the ‘aaaaargh’ tag, I request, nay demand, that it be used once more to do a retrospective on this game:
http://www.mobygames.com/game/aaargh
30/07/2012 at 17:11 Blackseraph says:
Hehe. Wow.
Marvellous way to advertise drm for their customers. Not only are they useless they are also harmful!
Good thing I don’t play their games, yet another reason not to.
30/07/2012 at 17:22 Kid_A says:
The worst part of this isn’t the security hole – that can be patched, and in the event that anyone has lost anything, they can pursue damages.
The worst part is the complete lack of communication from Ubisoft about the error apart from that one tiny patch note that does little to really allay any worries about UPlay. PC gaming and PC gamers yet again being mistreated and swept under the rug. This is why I refuse to buy any Ubisoft game unless it’s on a console second-hand: I refuse to give a company who treats their customers so poorly a single penny.
30/07/2012 at 17:23 zeroskill says:
Well, good thing I don’t own any Ubisoft games!
30/07/2012 at 17:23 Azhrarn says:
Oddly enough, I have both H.A.W.X. 2 and R.U.S.E., they’re currently not installed, but were until recently. However the plug-in isn’t present in either of my browsers (Chrome and IE).
So it looks like uPLAY uninstalls its plug-ins when you remove the software that was using it.
30/07/2012 at 17:30 Forceflow says:
If the only reason that this plugin exists is to let browsers launch Uplay, Ubisoft have been retards.
Steam registers itself to launch steam:// URLs, much like a file handler. That’s the right way to do it, not using a plug-in.
Sigh.
30/07/2012 at 17:48 psyk says:
Rar rar rar oh wait meh https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/
EDIT – people are clicking on a “clean” exploit link HAHAHAHAHAHAHAH oh dear and after RPS was hacked.
30/07/2012 at 17:48 webtax says:
Anyone know which browsers are affected?
30/07/2012 at 17:52 Dark Nexus says:
Pretty much all of them.
30/07/2012 at 20:32 captain nemo says:
Good thing I stopped buying anything from Ubisoft a while back
30/07/2012 at 23:38 Shodex says:
I enjoy a lot of Ubisoft franchises, and as a result I have a level of respect for them. More so than most of the big gaming corporations. But Uplay is getting out of hand, how can something that previously wasn’t needed at all be so damn troublesome?
31/07/2012 at 00:09 E_FD says:
Incredible. I have Assassin’s Creed: Brotherhood installed, so I checked the link and Chrome’s plugins; the link didn’t do anything and Uplay wasn’t listed among the plugins, so I figured I was safe, but I decided to run AssBro again just to make sure.
The game starts up with a “Patching…” bit, then tells me “Congratulations, Uplay has been updated to 2.03!” 2.03, not 2.04, the one that’s supposed to fix this crap. And NOW I’ve got the Uplay plugin on Chrome that I have to disable.
What a f***ing pathetic piece of s***.
31/07/2012 at 12:47 RegisteredUser says:
“the flaw lies specifically in a browser plugin Uplay quietly installs”
You couldn’t make anything more genius up. An illegitimately installed piece of DRM related nonsense leading to PC intrusion / malware results from the same folks that ideally would like you to be online all the time, so that being vulnerable to the world ideally makes the most sense.
Hooray for taking away every last bit of consumer rights and control over what you get, own, and install.
31/07/2012 at 17:44 tomemozok says:
Am I the only one that noticed Assassin’s Creed 3 on this list???
How can a game that hasn’t come out yet be affected by this???
Does this mean that AC 3 is in beta or something?