Ubisoft Responds To UPlay Security Drama, Issues Patch

By Alec Meer on July 30th, 2012 at 5:31 pm.

WATCHING YOU PLAY

Well, we knew about the patch already thanks to watchful forum-folk, but Ubisoft have finally offered a public acknowledgement of the Uplay security flaw that in theory meant nasty folk could gain remote access to gamers’ PCs. Here’s their statement and instructions on how to update Uplay – they’re not recommending that anyone disable Uplay, and sound convinced the patch has fixed the exploit.

“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.

Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”

No apology and no addressing of quite why Uplay needs a silently-installed browser plugin that allows the firm to monitor its customers’ PCs in addition to the Uplay app itself, but right now the fix is the most important thing. The patch was pretty rapid (landing about nine hours after the exploit became public knowledge) and that’s very much to their credit, but I am personally of the opinion that all firms have a duty to warn their customers of such dangers just as soon as they know the nature of the threat themselves.

Fortunately, no-one with malicious intent seems to have used the exploit as yet – let’s hope everyone affected is able to safely patch their Uplay before anything nasty gets into the wild.


151 Comments »

  1. pakoito says:

    “We screwed up because we don’t test our apps enough, but we are very serious about it”

    B Plan: “We already fired the underpaid intern in charge of the plugin. No more problems to happen. EVER.”

    • tyrsius says:

      This is unfair. People do not understand how completely impossible it is to test an application of standard complexity to 100% bug-free, exploit-free perfection.

      Have you ever in your life heard of such a piece of software? Why should Ubisoft be held to a standard that nobody has ever met in the history of software development?

      • Stackler says:

        DO NOT defend these bungholes by saying that software development is hard. Earning money in MY fucking job is hard too, but I don’t implement DRM shit that gets installed in the BROWSER of the customers, just because I’m a paranoid and lying asshole like the guys at 90% of gaming companies are these days.

        • Osi says:

          Dev teams don’t make up their own requirements.
          Business people do. Dev teams just implement it as best as they can.
          I refer to dev teams, to mean business analysts, programmers, testers, automators, the whole lot.
          The fact it was there – that’s because business wanted a solution that required it to exist there.
          The fact it went wrong, that’s on the dev team’s head.

          • ombasfw says:

            Stop using Steam guys: Valve has fixed a man-in-the-middle vulnerability in the Windows Steam client, which would have allowed a correctly-positioned attacker to divert and decrypt HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping.
            http://ir.gl/f9550f

      • pakoito says:

        The thing is, this is not an exploit of a vulnerability, it’s just using the plugin’s primary task: execute commands remotely. It was planned and designed for it. The patch just makes the plugin able to execute a certain subset of commands, related to UPlay. AFTER being caught. In mere hours. No testing needed.

      • KDR_11k says:

        That’s why you don’t take unnecessary risks by stuffing shit like this into people’s browsers.

        • LionsPhil says:

          Dingdingdingdingding, we have a winner.

        • stupid_mcgee says:

          And for guessing correctly, you win a lifetime’s supply of life!

          offer not valid in all countries or localities. certain restrictions may apply. The Gods Inc., owners of all life, may terminate life ownership without prior knowledge or consent of the recipient.

        • innociv says:

          Call me a huge jerk, but I think anyone who was affected by the exploit deserves it for giving Ubisoft their money for this junk.

          This is what you gave them money for, not just the game itself.

      • rocketman71 says:

        Because, to begin with, nobody needed that application.

        And because giving blanket access to your system via a browser plugin is just asking for trouble, not to mention effing STUPID.

      • MisterBungle says:

        What, a browser plugin that allows direct execution of anything on your system? As a software engineer who has worked on server side security for online systems with thousands of concurrent users, this is the worst and most visible back door left into a system that I have ever seen.

      • ReV_VAdAUL says:

        There is always a balance of tolerance and understanding and while certainly no piece of software is 100% perfect it is also very hard to feel goodwill to a company fucking up very badly on a browser plugin that was installed secretly and many users did not know existed. Even less goodwill is available when it is unclear why the stealth plugin even exists in the first place.

      • dE says:

        I’m baffled. I can’t possibly fathom how someone can honestly defend this security Waterloo with a straight face. Installing a backdoor on your customers’ computers, that loads up even when the company’s software isn’t even remotely affected, that same backdoor allowing full user access – and then being so goddamn smug to not even bother with any sort of security on that thing so even complete thought-a-phobics can abuse this.
        And there’s people defending this as yet another bug?!

        • tyrsius says:

          Yep. There is no security at all. None.

          In fact, the entire plugin is just a button that says “Compromise System.”

          I find discussing topics solely under hyperbolic conditions to be the most useful possible way to discuss. Don’t you?

          • EPICTHEFAIL says:

            I believe the point was that it might as well be a button saying “Compromise System” since there is NO logical chain of events that would lead to A DRM PROGRAM installing a security-compromising BROWSER PLUGIN on a user’s computer. This makes even less sense than Origin’s BS. At least they can defend themselves by saying that Steam does the same, except with search history. Unless someone finds the section of the EULA where you give Ubi permission to install a trojan in your system, Ubisoft could get sued clear out of the industry.

          • ReV_VAdAUL says:

            Would you care to respond to the other arguments people have made about your claims?

          • Dark Nexus says:

            If the only security is through obscurity, then practically speaking there is no security.

          • dE says:

            Did you even look at the code before you went ahead and claimed hyperbole?

            The exploit calls the DRM Plugin from Ubisoft, neatly sitting in your browser. From there, you can/could make it do everything on your computer, that you can do with a simple command-line call.

            Hit your windows Key and R. Enter:
            C:WINDOWSSYSTEM32CALC.EXE
            (comment system eats slashes, insert where appropriate)
            Now Base64 Encode it. Google helps.
            There, see that original post with the link? Look it up. I’ll wait.
            See something familiar? Like that odd number and letter thing?

            Congratulations, Hacker. You’ve successfully cracked the “security” on this exploit. They could have made it Hex and still have the same amount of security. Still claiming hyperbole?
            (P.S.: All this information was linked in the original post, this post is simply to clarify how bad or rather non-existent the security on that thing was).
            P.P.S: Website ate my post. :(

          • tyrsius says:

            Wow. I had not looked at the code, I retract my statements.

            Sorry for giving them any benefit of the doubt. That’s absolutely horrendous. My god.

          • Stormwatcher says:

            Are you being dense on purpose?

            The quality of their code and the industry standards are 100% irrelevant.

            The problem is that they silently injected a plugin that has absolutely ZERO use or benefit for the customers in order to “stop Piracy” (hint, if we have that crap on our machines, that means we’re not the pirates). Then that useless and invasive piece of code actually turns out to have introduced a serious security flaw on the paying customers’ system.

            They get ZERO benefit of doubt in this scenario. Actually, they get NEGATIVE benefit of doubt. They should be working their asses off to show how fucking wonderful their horrendous flaky and vulnerable “always online” DRM system is.

            Can you see the point now, or do I need to draw it with crayons?

          • tyrsius says:

            What do you mean am *I* being intentionally dense? Are YOU?

            I just retracted my statement and apologized. Can you not read?

      • MadMinstrel says:

        They should be held to that standard because the application in question is not something we’re running willingly. We just want the games to run, not the Uplay spyware/malware. When we install uplay on our systems the trade is “you run your uplay on our system, we get to play games”, not “we open up our computers to any two-bit crook who wants in, we get to play games”.

      • jalf says:

        This has nothing to do with testing.

        Any more than you need “testing” to ensure people’s safety if you build a kindergarten in the middle of a highway.

        This is not a bug, in the sense that the software did exactly what it was supposed to. It was just terrible, incompetent, irresponsible software design.

        The games industry has a long track record of being completely and utterly clueless about security, but this is even worse than most.

        And it has nothing to do with testing, nothing to do with evil hackers, nothing to do with being unlucky.

        And everything to do with Ubisoft just not giving a damn about the quality and the security of the software they install on their customers’ PCs.

      • aepervius says:

        @tyrsius, I am a software developer. There is buggy, and there is *shoddy*. Not checking what you are accepting as input all the while running code from the internet and taking for granted it will be your code only, is plain ass shoddy. It shows a thorough misunderstanding of security and acceptable coding practice.

      • Kittim says:

        The articles I’ve been reading about this on /. and geek.com have been calling this a rootkit.

        Let’s see, installs silently? Check.
        Allows UBISOFT undetectable backdoor access to users computers without their consent or knowledge? Check.

        From Geek.com:
        “The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin’s Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it.

        The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user’s consent. If this was limited just to the Uplay service with regard to checking games are legal it would still be a major concern, but the fact any website could potentially use the plugin escalates the seriousness of what is happening here.”

        Remember Sony? I wonder if Ubi have opened themselves up to a similar suit?

      • siliciferous says:

        You’re completely right. I’ve often heard of aeronautical and military applications requiring even more thoroughly or equally as vetted code – generally, anything that could be considered ‘life-critical’ is a candidate. Of course, the average cost per line of code will go up by a factor of ten or a hundred or a thousand when it is written to such a caliber that it is effectively bug-free, but it does exist.

    • Asyne says:

      “And don’t worry about that empty intern position, as we have hired another intern who is being paid at half the salary of the old one. Improving your service AND meeting the bottom line – that’s Ubisoft.”

  2. jonfitt says:

    Well at least it was quick. Now we just weather the (correct but pointless) storm of righteous indignation about having to have this DRM installed anyway, and move on.

  3. sonofsanta says:

    More worryingly, if they missed this – a wide open, screamingly obvious sort of exploit – what else have they missed?

    Not trusting Uplay, not now, not ever.

  4. SirKicksalot says:

    Stop using Steam guys: Valve has fixed a man-in-the-middle vulnerability in the Windows Steam client, which would have allowed a correctly-positioned attacker to divert and decrypt HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping.
    http://www.highseverity.com/2012/03/valve-fixes-https-vulnerability-in.html

    WHAT ELSE HAVE THEY MISSED?

    • Stackler says:

      totally different problem. Steam doesn’t install browser plugins. So what the hell are you trying to do here?!

      • SirKicksalot says:

        So that makes it a more acceptable exploit?

        • Kadayi says:

          But it’s Valve, Kicks… Gabe’s so loveable, and Steam do such great sales.

      • Kaira- says:

        Big holes in DRM-systems when it comes to security. Not validating certificates is a huge oversight, but at least Valve fixed it. While taking their sweet-ass time to do so. Again. I am worried that Valve takes “forever” to fix these exploits and notify their users.

        Obviously not as bad as the remote code execution exploit that UPlay had, but still.

      • psyk says:

        Stackler

        “HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping.”

        It leads to pretty much the same thing, your account details getting compromised. One can just be used long term.

        • EPICTHEFAIL says:

          Edit: I’m an utter dullard. WHAT OTHER OBVIOUS THINGS HAVE I MISSED?

    • MisterBungle says:

      Note that you’d need to redirect users to a fake site by say hijacking their DNS to exploit this one – pretty hard to exploit. As opposed to simply leaving code on a website waiting for them to stumble across it.

      • Kaira- says:

        Not validating certificates is a god damn big mistake.

        • MisterBungle says:

          Yup, agreed

        • Zephro says:

          Agreed. However compared to this it is much harder to exploit a man in the middle attack. Especially if you’re not on wireless (ish). On a wired connection getting in between me and my ISP/DNS and/or between them and Steam is difficult. Compared to just slapping a uPlay script out on the open web.

    • Kadayi says:

      Hey how come this didn’t make the RPS front page?

      • Kaira- says:

        Probably because in this case the one to notice the flaw was a white-hat and went to Valve first. In UPlay’s case the one to notice this disclosed the information to all public without going to Ubi first, and in a completely unrelated thread even.

        That is not only morally dubious but a non-responsible disclosing of information and generally shunned upon.

        • ReV_VAdAUL says:

          On the other hand Steam took months to fix the problem, Ubisoft did it in hours.

        • Kadayi says:

          Indeed it is morally dubious, which makes people getting righteous about it particularly funny because this sort of thing happens all the time. The only difference is that by and large it gets passed directly onto the programmers rather than publicly disseminated.

          • Blackseraph says:

            It’s about public perception. No one likes ubi already. For good reason I might add.

            On the other hand valve has fairly good reputation among customers, whether deserved or not.

      • Toberoth says:

        Because you smell.

      • ResonanceCascade says:

        I don’t know, but I do think that Valve’s response time to that is pretty damn disappointing. The fuck, Valve?

        I get that obscure security problems happen, but taking 3 months to fix one isn’t acceptable.

        • Runs With Foxes says:

          I guess none of their liberated employees felt like doing it.

    • Faxmachinen says:

      The only way to prevent all MitM attack vectors is to permanently sever your PC from the Internet.

      A simple example of a MitM attack would be to go to a place with free WIFI, clog up the router’s IP table so nobody else could connect, then flush everyone and let them reconnect through my computer instead. Which also happens to be their favourite online bank, for some reason.

      Not quite as trivial as setting up a website to run malware through your browser plugin though.

      • psyk says:

        Been a while but wasn’t that what the pineapple was for?

        edit
        yep
        http://hakshop.myshopify.com/products/wifi-pineapple

        Most things have been brought down to script kiddie level.

        • Faxmachinen says:

          You are absolutely right. Nowadays you get the full script kid package, where all you have to do is click a button.

          Though you still have to QUOP your way to the Internet café, in this case. Or set up a 5-mile WiFi antenna.

    • kalirion says:

      The Steam Client browser sucks on so many levels that I doubt too many gamers were actually using it for purchasing games.

    • spectone says:

      One person unlocks the back door to your house so anyone can break in. The other has to break into your car and re-program your GPS so you drive to a fake bank.

  5. Yachmenev says:

    So what´s the purpose of this browser plugin? You don´t launch their games from the browser do you?

    • povu says:

      That’s what I was wondering too. Why does this even exist?

    • D3xter says:

      This, what the fuck did/do they “need” this for (since it was apparently only installed with uPlay 2.0 a month ago) and what is its use and why didn’t they ask people if they would allow installing it instead of doing it stealthily?

      I haven’t heard of any other DRM system doing anything like this…

      • Brun says:

        Apparently it’s so they can execute Uplay functions with links on their website. Kind of like what Steam does, although it does it as a file handler.

        As for why they didn’t ask the user? Either it’s required for the Uplay store to work, or they knew people would say no.

    • sqparadox says:

      Exactly! What is that plugin for? What does Ubisoft use it for?

      I updated Uplay to 2.04 and the exploit still works. Disable the plugin and the exploit disappears, however Uplay still launches fine as do games launched through it and they maintain their connection to Uplay (I only tested Assassin’s Creed Brotherhood; I can only assume the principle applies to the other affected games).

      Why would I possibly ever have this plugin enabled? It doesn’t seem to impact the game experience, so whether Ubisoft ‘need’ it or not, I don’t.

      Edit: figured out why the exploit was still working. The update download is for 2.03 not 2.04. On first launch it only shows the changelog up to 2.03, on second launch it patches up to 2.04. At least that’s what I found installing it twice… your mileage may vary.

  6. rocketman71 says:

    Wow… not even “we’re sorry”? [which BTW wasn't mentioned when I first commented].

    Curse you, Ubi Soft… CURSE YOU!

    (Is that acceptable, oh mighty hive mind?. Isn’t Ubi deserving of FUs here?)

    • DClark says:

      In all fairness to Ubisoft, they’re probably not sorry so to say so would be disingenuous…

    • Mbaya says:

      I’m more old fashioned than most and an apology goes a long way for me.

      The lack of one regarding this fiasco is probably more damaging than the situation itself (on a personal level). I will have to take some time thinking about how I approach Ubisoft games in the future, regardless of platform.

      On a sidenote, I’d love to hear what developers under the Ubisoft banner think of all this mess, if any dare speak out.

    • Arglebargle says:

      Can’t apologize. Legal staff says it might make you look liable for some court action. Deny, deny, deny.

  7. MythArcana says:

    UB kidding? Nope, guess not.

  8. aliksy says:

    Still want to know why this was in the browser to begin with.

  9. CrookedLittleVein says:

    And the comedy continues . . .

  10. ZX k1cka55 48K says:

    In soviet Russia Uplay playU.

  11. Kaira- says:

    Well, good for them for fixing this fast. I do agree that they should’ve notified their users about this vulnerability as soon as they learned about it.

    Sadly it seems that security in customer software isn’t that high priority.

    • Brun says:

      Are you surprised? Security costs too much and most customers don’t care about it – it’s not a value-added feature.

      • Kaira- says:

        Not exactly surprised, just very, very sad. Yesterday I learned about Tesco storing passwords in plaintext, and today this (and Valve’s fuckup pointed out above in the thread).

      • ReV_VAdAUL says:

        A lot of people got very angry about Lulzsec revealing exploits and such but at least they brought attention to the matter.

        Given how unnoticeable a lot of exploits can be it and how expensive competent security is companies simply will not fix these problems until they are forced to. As long as no one notices their customers information and perhaps even their money being stolen they simply don’t care.

    • Kadayi says:

      This story broke today and they patched it today. Seems pretty responsive to me.

  12. psyk says:

    Just leave this here https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed.

    EDIT – doesn’t seem to be on the forum, nice way to spread the word on things that actually matter.

    • Alec Meer says:

      This is a videogame site, you see.

      • psyk says:

        And?

        Other Stuff
        (22 Viewing)

        Other, lesser, formats.

        Doesn’t say only game related stuff and the amount of rage over a game company maybe spying on you on is way more than GOVERNMENTS actually spying on you.

        • Brun says:

          The fact that you, personally, clearly have a vested interest in that particular topic (a citizen of that country, perhaps?) does not make it more important than what’s being discussed currently, on a website dedicated to video game news. Context is critical in judging the importance of topics, something people on the internet regularly fail to grasp.

        • Alec Meer says:

          This *is* a videogame site, you see.

          • Brun says:

            I believe Mr. Meer’s point is that that sort of thing belongs in the off-topic forum, not in the comments thread of a video game news story.

        • ResonanceCascade says:

          Also just in: there is rampant poverty in the third world and the atmosphere is heating up at an alarming rate. We should probably get those somewhere into the article, too.

          • psyk says:

            And?

            The off topic forum is just that off topic, I just thought it was strange that people are all RAR RAR RAR over this but not one mention in the forum about finfisher which is way bigger and more damaging than this.

          • Alec Meer says:

            It really grinds my gears that World of Cross Stitching Magazine runs so many stories about cross stitching. Why can’t they run a feature about the civil war in Syria?

            Post non-gaming stuff in the Other Stuff forum, Psyk. That’s what it’s there for. If and when we launch Rock, Paper, Government Skullduggery please feel free to post about government skullduggery in comments there.

          • Brun says:

            The question you need to be asking yourself is:

            “What does Finfisher have to do with video games?”

            This thread isn’t the off-topic forum. Even if it were, this is a video game website, people aren’t coming here to rage about government spyware. If you want to do that I’d suggest you take it to the ACLU’s website or whatever their international equivalent is.

          • psyk says:

            I’m not saying YOU (meer) should make an article about it, nowhere have I suggested RPS should write an article on it.

            Brun that is probably the case but still
            Stupid stupid devs vs devs eroding human rights on purpose

            EDIT
            Alec I eagerly await your responses to all “off topic” comments in the future ;)

          • Alec Meer says:

            Berating our other readers for not discussing your topic of choice in a thread about videogames isn’t on, no matter how important that issue may be. Encourage discussion in the right places and in thoughtful ways and you might achieve what you want.

            I’ll be wiping this sub-thread if this mad debate continues, as it is not relevant to the topic at hand.

  13. Fatikis says:

    So Ubisoft basically installed spyware on my computer.

    • Kaira- says:

      Not spyware, not a rootkit, but a backdoor. Which all things considered is far worse than spyware.

      • psyk says:

        non intended back door

        • Torgen says:

          That sounds like a euphemism for “surprise buttsecks”

          • psyk says:

            Or it was a mistake and nothing like ACTUAL SPYWARE being used by GOVERNMENTS

        • HothMonster says:

          The backdoor was intended, they just completely failed to lock it. But the whole purpose of the plug-in is for remote access of your machine through your browser.

          • ReV_VAdAUL says:

            This is something I hope RPS and other journalists pick up and run with. They clearly wanted a backdoor, just only for their use. Which is really very worrying.

            Should Law enforcement be looking into this?

          • Kaira- says:

            I don’t think it as an intended backdoor. They wanted you to be able to launch your games via browser. However, this is such a huge oversight that someone oughta get slapped for this getting through Q&A.

          • HothMonster says:

            “A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on”

            “back door: an undocumented way to get access to a computer system ”

            “A software program that allows access to another software program. Meant as a method for programmers to go back and update programs, backdoors are a security vulnerability because malicious users can exploit them, possibly allowing confidential or personal information to be compromised”

            “gets into a user’s computer bypassing its security mechanisms. Sometimes the program can be installed for good purposes (for different kind of troubleshooting). But more frequently it is represented as malware that helps penetrating other malware like worms, Nimda, etc.”

            Again, it was an intended backdoor. The intended purpose was for their website to be able to launch programs on your computer. The unintended result was anyone could make your computer do anything from a browser window. But it was still a backdoor even if only Ubi was able to use it to do benign actions.

      • Fatikis says:

        I’m actually aware of what it is.
        I’m used to dealing with people that know nothing about computers and so the simplistic thing is to tell them anything bad is spyware. I forget that people on the internet actually know things.

        However, I feel that this is a criminal act that Ubisoft intended. They merely hoped they would not be found.

  14. G_Man_007 says:

    So here’s a funny thing…

    I looked in Chrome, Firefox and IE, and no trace of the plug-in, and the exploit doesn’t work. I reinstall uplay, try the exploit, and it now works, in spite of it being the updated 2.04 version. SHENANIGANS!!

  15. Miltrivd says:

    What has to happen to make people angry enough to stop taking their bullshit? I haven’t bought a Ubisoft game since the first Prince of Persia Trilogy and I don’t plan on it until this madness stops (gotta buy Rayman tho, since it is DRM free).

    Seriously, wise up people, it’s not just about their system being abusive and cumbersome, they are just treating you like dogs you need to keep in line instead of customers.

    • Mbaya says:

      “What has to happen to make people angry enough to stop taking their bullshit?” – People have different levels of tolerance, for me, up to now their aggressive DRM was a major inconvenience, but not enough that I wouldn’t jump through its hoops to play a game that looks good and has had a lot of hard work put into it on behalf of its developers.

      But as I said in a previous thread, this was the straw that broke the camel’s back, the lack of an apology regarding this issue adds insult to injury. I think it’s safe to say there are fewer people willing to put up with their treatment of paying customers today than yesterday.

    • Llewyn says:

      Let’s clear something up here: this is not fundamentally a story about DRM, it’s a story about a negligent approach to security and a shocking disregard for customers’ welfare. Yes, the offending plug-in is an element of Ubi’s DRM implementation but its function is not DRM-related and something equally bad could just as easily be included with a DRM-free game.*

      Buying Rayman does not send out a message with regard to this behaviour, only one about their use of DRM in general.

      *Arguably a company with Ubi’s paranoid approach to piracy might be more likely to intentionally include monitoring tools with their DRM-free releases to try to determine how widely they’re being pirated.

  16. Vinraith says:

    Oddly, I find myself in no real hurry to reinstall any of this crap, nor do I think I’ll be buying anything that requires it ever again.

    • Heliocentric says:

      I guess I’ll only buy ubi releases on gog.

      • Vinraith says:

        Yep. I hate to do it, I love the Anno games, the Assassin’s Creed games, and I’ve been looking forward to some of their other titles as well, but at this point I think I’m done with them unless/until I see a change in this behavior.

      • 0rpheus says:

        What will that achieve? Uplay will still come with it, regardless of where you buy it, surely?

        • Vinraith says:

          GOG games are DRM-free, by definition.

        • Kaira- says:

          Nope. You see, the lovely thing about GOG is that it is DRM-free.

          [E] Vinraith, you damned ninja.

          • 0rpheus says:

            Yeah, I knew that, but I’m struggling to see why UBI would remove uplay just for GOG, and nowhere else.

            *checks GOG.*

            Ah, I see. There are some (much) older UBI games on there, which presumably will be DRM-free – I thought you meant you'd be buying newer games (you know, the ones with the DRM in the first place) from GOG, which you won't, because there aren't any. ;)

  17. Milky1985 says:

    Have they patched it by removing its ability to run stuff from the web browser, or just hard coded a path into it so it only runs one thing?

    So, say you found an exploit that could move and rename files, then you'd have a way to run it….

    • Zephro says:

      haha I wouldn’t put that past them.

      I'm trying to work out whether this is more or less embarrassing than our (Sony's) fuck up last year.

    • HothMonster says:

      Now it only runs .exe files, fixed!

    • Llewyn says:

      I’m struggling to think of a scenario where you’d be able to take advantage of forcing it to run a specific something that’s been modified without already having sufficient control over a system to have easier attacks available. If you can replace an application then replace the user’s browser rather than an application called by a plug-in for that browser.

  18. Heliocentric says:

    Really Ubisoft? No apology? Is that how you want to play it?

    • Vinraith says:

      No explanation of what the hell they need a couple of stealth-installed browser plugins for in the first place, either. Forget the security hole, what are those even doing there?

      • alundra says:

        For me that is even more worrying: they made a huge security hole on their users' PCs while installing stuff where it is not really clear what it does.

        A wild guess: tracking users' browsing behaviors. My best guess is they wanted to see how many of their legit users visit the bay to get a fix for their malware (<- now 110% true) infested games.

  19. Cooper says:

    In any case, Firefox's recent patch blacklists the UPlay plugin.

    Given the Uplay plugin does not change nor report version numbers (the new one is version 1.0.0.0, as was the old one with the backdoor), it means Firefox now simply blacklists and disables the plugin, regardless of whatever patches Ubisoft put out.

    • LionsPhil says:

      The funny thing is that I could have sworn a Firefox “feature” introduced quite some time ago, after the Microsoft .NET helper extension kept getting installed, was supposed to stop other software being able to silently register new plugins and extensions.

      Guess that doesn’t work either. (Which is not entirely surprising, since it’s as impossible a problem as DRM with current user-centric security models. If I can write to my Firefox config (say, by running Firefox as me), anything else I run as me can write to my Firefox config.)

      (IE9 tries to do this too. Just got the banner at the bottom of a window saying Skype had installed one, and asking if it should be activated or left disabled.)

  20. merseybeatnik says:

    I feel impotent in this matter. I don't like the situation we find ourselves in regarding DRM and the potential vulnerabilities it may expose us to like this. It seems inconsiderate and inconvenient at the very least. I would be lying, however, if I said that I have not been given many hours of fun thanks to the creative people at Ubisoft, and I am not going to start making promises I can't keep such as vowing never to buy another Ubisoft game.

    If anyone does make such a vow here, they know we are not going to be checking up whether they are sticking to it (unless we have a back door to their system.) I know if Watchdogs lives up to the hype I will buy it and I won’t be alone. So what can be done besides constantly making our displeasure known to Ubisoft? I am not trying to say we should just deal with it for the privilege of playing their games. We believe they are doing something wrong and we want the industry to change. I just don’t know how much simply shouting at each other on forums about how much we hate them will achieve.

    Although there is no harm in venting I suppose.

    • Dark Nexus says:

      I vowed not to buy another Ubisoft game when they first announced Uplay… And I stuck with it for a few years too.

      But I’ve since amended it to not buying any Ubisoft game that isn’t 100% DRM-free (not even Steam’s rolled-in DRM). I think buying their DRM-free games sends a stronger message than just not buying Ubisoft games at all.

      • Chris D says:

        I used to think that way too, but then I bought the supposedly DRM-free From Dust, so now I just don't trust Ubisoft at all. While some of their games look interesting, nothing has struck me as being worth this kind of hassle. I don't particularly consider this a boycott, though, nor a test of willpower. It's just that I'm not going to buy a hamburger from someone if I know they've wiped their arse with the bun.

    • Mbaya says:

      It's a difficult position to be in, that's for sure.

      On the one hand I really want to support the developers who’ve put so much effort into making great games…but this sort of activity on behalf of the publishers is hurting everyone involved and it really shouldn’t continue.

      If you have the strength of will to not buy any of Ubisoft's DRM-enabled games, you're doing a great thing. If you buy the games, I'd say vent away; at least let them know you aren't happy with the situation as it stands, but are 'at least for now' willing to put up with them.

      One thing I think people must not do, is turn around and pirate the games because of all this mess (this isn’t directed at you, but on comments from previous replies/threads). This will only enforce the publishers to push the DRM further down our collective throats.

      Either buy the game and put up with the troubles, don’t buy the game and champion titles that release DRM free, or don’t touch anything with a Ubisoft label on it again, until they clear up their business practice.

      Other than that, I think voicing your opinion in a respectable manner is the only thing we can do.

      We also have to realise, this isn’t working in favour of the developers in many situations too…I imagine some developers would rather attempt to self fund than team up with Ubisoft in its current form.

    • jarunasax says:

      LoL, this is where you see people migrating to OnLive to not have to deal with Uplay installing crap onto your computer.

  21. ReV_VAdAUL says:

    Can RPS in good conscience offer any positive coverage or general promotion to Ubisoft games given the shenanigans they’ve been up to?

    Sure you can explain away this as a mistake, a massive mistake, but it was a mistake that occurred in a stealth browser plugin. You really do have to wonder what other dangerous and questionable stuff Ubi will pack in with games in the future.

    • LionsPhil says:

      This is arguably a lesser problem than, say, Starforce et al. and their bloody ring 0 giveaway rootkits.

      Put the two together and you've got remotely exploitable + local privilege escalation, yaaay!

      This is why I don’t let non-DRM-free (or non-sandboxed) games onto my development-and-seriousness laptop.

  22. JoeGuy says:

    Not requiring a box to tick/un-tick for the plug-in is the bit that bothers me. It's more convenient for them to have you go find the plug-in and let all the programs be able to execute URL links than be decent to the customer.

    I feel more and more worried for the quality of the experience Watch Dogs will offer.

    • LionsPhil says:

      I’m going to bet on it being a brilliant game with horrendous DRM that leaves people arguing over supporting the developers vs penalising the publishers/not having to put up with that crap. (And nobody’s opinion will budge.)

      • Wut The Melon says:

        I’m going to bet on it being a mediocre game with some interesting ideas but in the end way too easy and ‘accessible’ in order to make lots of money.

        It’ll probably get great reviews, though, because that would already be more than you can expect from your average AAA (who outside of PR actually likes that term?) developer…

  23. D3xter says:

    So, have they actually patched the issue or not? Have you actually tested it?
    Everyone I keep hearing from “updating” to this new miraculous fixed version apparently says the exploit still works and the Calculator still opens: http://pastehtml.com/view/c6gxl1a79.html

    • Brun says:

      I think you have to restart your browser for the update to take effect, although I’m not certain as I don’t have any of these games and thus can’t test it.

  24. HothMonster says:

    Hmm, so I went to read their EULA to see if I gave them permission to install web plugins, and oddly enough the links to "legal info", "terms of use" and "privacy policy" all 404 on uplay.com.

    • Brun says:

      The cynic in me says that this means they’re quickly updating the EULA to include permission to install web plugins.

      • JoeGuy says:

        That reminds me of the time the iPhone got announced for Verizon, so AT&T sneaked policies onto the store site that required premium costs for terminating your contract and stated the policy was there all along.

        Even after someone posted a screen capture from the week before without the policy on the page. I hope Ubisoft doesn’t do that, someone will definitely have a screen cap and burn them on it.

  25. tedesco says:

    I'm a software tester and I know that it is impossible to guarantee a 100% bug-free app.
    But it feels good when it happens to these types of a*******. They deserve it. :)

    • TechnicalBen says:

      It’s not a “bug” if it’s a feature! ;)

      Oh, I’ve heard of some programmers using that line as an official retort to all bug reports. :D

      • mispelledyouth says:

        Hah. That excuse plays second fiddle to “Well, it works on MY machine.”

    • jarunasax says:

      Never mind, I agree with you, Ubi deserved this to happen to them.

  26. Sisco says:

    Those responsible for coming up with the greater Uplay business scheme should update their common sense or deactivate their current positions in this world…

  27. Cryo says:

    What’s offensive about this story isn’t just a bug, it’s that it’s a bug in a piece of software that has no reason to exist. And Ubisoft’s reaction will be to simply fire some schmuck who was working on it, even though he wasn’t the one who ordered the pointless plug-in to be created.

  28. jarunasax says:

    So Ubi tried to prevent its customers from playing their games without being connected to the internet, and a way to monitor that they never use pirated versions of their game either, and in doing that they created an even bigger security risk for the same consumers…

    It's like using a grenade launcher to clear out an ant infestation. Stop trying to drag Valve into this either; this is Ubisoft here, where Steam is a 3rd party that does allow DRM-free play, Ubi does not. Ubi is a distributor that created something to protect its intellectual property interests, which means they don't give a damn about you the "user". This is more in line with what could happen with EA Origin. These companies do not know enough to safeguard their consumers, and their very actions leave us vulnerable to external attacks.

  29. Bahoxu says:

    Amusing (in a very sad way) to think that the most certain way to have a really nasty virus installed on your computer is to buy computer games legally. If one plays games and buys them legally one will eventually have a virus installed by the big companies.

    We have antivirus, NoScript and firewalls to protect us against shady Chinese websites. We scan for and remove spyware. We try to educate people not to open and click strange attachments in email. But we don't protect ourselves against dangerous DRM.

    Maybe there is a market here for a new type of anti-virus program that specifically protects against SONY, Ubisoft and EA?

  30. Wolfhound-Nine says:

    1. Create DRM that’s significantly more dangerous than pirated copies.
    2. Wonder why everyone pirates your software.
    3. ???
    4. Profit!

    I legitimately swore off purchasing anything published by EA at the start of the year and now I find myself adding Ubisoft to the list. I’ve honestly never felt so irate at game publishers nor so firm in the conviction to stop buying their products in every medium. The worst part is that I’m a fairly big fan of Assassin’s Creed, but I’d really much rather do without AC3 than put up with more of this crap.

    Oh, and I don’t have to put up with Desmond, either. That’s a huge bonus, at least.

  31. RegisteredUser says:

    Pirates of course being (often? always?) unaffected by this. Maybe we should reclassify crackers as security specialists/computer doctors, given that they remove both classic rootkit-like protections (Starforce and friends, e.g.) and the need for these kinds of things as well.

  32. RegisteredUser says:

    It's almost a shame this got patched so quickly and the security hole possibly closed.

    I am starting to think that since normal, rational, logical thinking can't do it, maybe if people lose their work, letters, music, art, videos, collected links, family photos and similar all at once, thanks to a remote "for the lulz" exploit-delete-all, they might begin to understand that supporting companies that "allow you" to pay them for installing intrusive, controlling, restricting DRM/control-software/flat-out-honest-to-god-spy-and-reportingware on your PC isn't the smartest thing in the world.

    TL;DR: Maybe if you lose all your most valuable work and data thanks to financing DRM, that may at least get you over the hump in understanding that it's a bad thing to support.

  33. Hardmood says:

    Is there someone here who is technically versatile enough to verify whether there was an issue with USB ports (under WinXP 32-bit OS), which could've been the cause of the failures I had with my USB mouse? Since I uninstalled these plugins I haven't had any issues with my mouse, and they started at the time I installed two Ubisoft games with Uplay (and never before). Some delays while using Firefox happened too, which almost every time led to a complete loss of the USB mouse connection.

    thx anyway