By Alec Meer on July 30th, 2012 at 5:31 pm.
Well, we knew about the patch already thanks to watchful forum-folk, but Ubisoft have finally offered a public acknowledgement of the Uplay security flaw that in theory meant nasty folk could gain remote access to gamers’ PCs. Here’s their statement and instructions on how to update Uplay – they’re not recommending that anyone disable Uplay, and sound convinced the patch has fixed the exploit.
“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”
No apology and no addressing of quite why Uplay needs a silently-installed browser plugin that allows the firm to monitor its customers’ PCs in to addition the UPlay app itself, but right now the fix is the most important thing. The patch was pretty rapid (landing about nine hours after the exploit became public knowledge) and that’s very much to their credit, but I am personally of the opinion that all firms have a duty to warn their customers of such dangers just as soon as as they know the nature of the threat themselves.
Fortunately, no-one of dark intent seems to have exploited the exploit as yet – let’s hope everyone affected is able to safely patch their Uplay before anything nasty gets into the wild.
30/07/2012 at 17:34 pakoito says:
“We screwed up because we don’t test our apps enough, but we are very serious about it”
B Plan: “We already fired the underpaid intern in charge of the plugin. No more problems to happen. EVER.”
30/07/2012 at 17:41 tyrsius says:
This is unfair. People do not understand how completely impossible it is to test an application of standard complexity to 100% bug-free, exploit-free perfection.
Have you ever in your life heard of such a piece of software? Why should Ubisoft be held to a standard that nobody has ever met in the history of software development?
30/07/2012 at 17:44 Stackler says:
DO NOT defend these bungholes by saying that software development is hard. Earning money in MY fucking job is hard too, but I don’t implement DRM shit that gets installed in the BROWSER of the customers, just because I’m a paranoid and lying asshole like the guys at 90% of gaming companies are these days.
31/07/2012 at 03:57 Osi says:
Dev teams dont make up their own requirements.
Business people do. Dev teams just implement it as best as they can.
I refer to dev teams, to mean business analysts, programmers, testers, automators the whole lot.
The fact it was there- that’s because business wanted a solution that required it existed there.
The fact it went wrong, that’s on the dev team’s head.
31/07/2012 at 06:58 ombasfw says:
Stop using Steam guys: Valve has fixed a man-in-the-middle vulnerability in the Windows Steam client, which would have allowed a correctly-positioned attacker to divert and decrypt HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping.
http://ir.gl/f9550f
30/07/2012 at 17:48 pakoito says:
The thing is, this is not a exploit of a vulnerability, it’s just using the plugin’s primary task: execute commands remotely. It was planned and designed for it. The patch just makes the plugin able to execute a certain subset of commands, related to UPlay. AFTER being caught. In mere hours. No testing needed.
30/07/2012 at 17:49 KDR_11k says:
That’s why you don’t take unnecessary risks by stuffing shit like this into people’s browsers.
30/07/2012 at 18:54 LionsPhil says:
Dingdingdingdingding, we have a winner.
30/07/2012 at 21:19 stupid_mcgee says:
And for guessing correctly, you win a lifetime’s supply of life!
offer not valid in all countries or localities. certain restrictions may apply. The Gods Inc., owners of all life, may terminate life ownership without prior knowledge or consent of the recipient.
31/07/2012 at 03:57 eclipse mattaru says:
Also, The Gods Inc needs your permission to install this here little plugin in your browser. Nevermind, already did. kthxbye.
31/07/2012 at 13:20 innociv says:
Call me a huge jerk, but I think anyone who was affected by the exploit deserves it for giving Ubisoft their money for this junk.
This is what you gave them money for, not just the game itself.
30/07/2012 at 17:49 rocketman71 says:
Because, to begin with, nobody needed that application.
And because giving blanket access to your system via a browser plugin is just asking for trouble, not to mention effing STUPID.
30/07/2012 at 17:54 MisterBungle says:
What, a browser plugin that allows direct execution of anything on your system? As a software engineer who has worked on server side security for online systems with thousands of concurrent users, this is the worst and most visible back door left into a system that I have ever seen.
30/07/2012 at 17:55 ReV_VAdAUL says:
There is always a balance of tolerance and understanding and while certainly no piece of software is 100% perfect it is also very hard to feel goodwill to a company fucking up very badly on a browser plugin that was installed secretly and many users did not know existed. Even less goodwill is available when it is unclear why the stealth plugin even exists in the first place.
30/07/2012 at 18:01 dE says:
I’m baffled. I can’t possibly fathom how someone can honestly defend this security Waterloo with a straight face. Installing a backdoor on your customers computer, that loads up even when companies software isn’t even remotely affected, that same backdoor allowing full user access – and then being so goddamn smug to not even bother with any sort of security on that thing so even complete thought-a-phobics can abuse this.
And there’s people defending this as yet another bug?!
30/07/2012 at 18:33 tyrsius says:
Yep. There is no security at all. None.
In fact, the entire plugin is just a button that says “Compromise System.”
I find discussing topics solely under hypoerbolic conditions to be the most useful possible way to discuss. Don’t you?
30/07/2012 at 18:46 EPICTHEFAIL says:
I believe the point was that it might as well be a button saying “Compromise System” since there is NO logical chain of events that would lead to A DRM PROGRAM installing a security-compromising BROWSER PLUGIN on a user`s computer. This makes even less sense than Origin`s BS. At least they can defend themselves by saying that Steam does the same, except with search history. Unless someone finds the section of the EULA where you give Ubi permission to install a trojan in your system, Ubisoft could get sued clear out of the industry.
30/07/2012 at 18:58 ReV_VAdAUL says:
Would you care to respond to the other arguments people have made about your claims?
30/07/2012 at 19:44 Dark Nexus says:
If the only security is through obscurity, then practically speaking there is no security.
30/07/2012 at 20:01 dE says:
Did you even look at the code before you went ahead and claimed hyperbole?
The exploit calls the DRM Plugin from Ubisoft, neatly sitting in your browser. From there, you can/could make it do everything on your computer, that you can do with a simple command-line call.
Hit your windows Key and R. Enter:
C:WINDOWSSYSTEM32CALC.EXE
(comment system eats slashes, insert where appropiate)
Now Base64 Encode it. Google helps.
There, see that original post with the link? Look it up. I’ll wait.
See something familiar? Like that odd number and letter thing?
Congratulations, Hacker. You’ve successfully cracked the “security” on this exploit. They could have made it Hex and still have the same amount of security. Still claiming hyperbole?
(P.S.: All this information was linked in the original post, this post is to simply clarify how bad or rather non existant the security on that thing was).
P.P.S: Website ate my post. :(
30/07/2012 at 20:25 tyrsius says:
Wow. I had not looked at the code, I retract my statements.
Sorry for giving them any benfit of the doubt. That’s absolutely horrendous. My god.
30/07/2012 at 23:15 Stormwatcher says:
Are you being dense in purpose?
The quality of their code and the industry standards are 100% irrelevant.
The problem is that they silently injected a plugin that has absolutely ZERO use or benefit for the customers in order to “stop Piracy” (hint, if we have that crap on our machines, that means we’re not the pirates). Then that useless and invasive piece of code actually turns out to have introduced a serious security flaw on the paying customers’ system.
They get ZERO benefit of doubt in this scenario. Atually, they get NEGATIVE benefit of doubt. They should be working their asses off to show how fucking wonderful their horrendous flaky and vulnerable “always online” DRM system is.
Can you see the point now, or do I need to draw it with crayons?
31/07/2012 at 19:23 tyrsius says:
What do you mean am *I* being intentionally dense? Are YOU?
I just retracted my statement and apologized. Can you not read?
30/07/2012 at 18:39 andrewi31 says:
The myth that there cannot be error-free software needs to be destroyed, so I guess I’ll try to do so. Because I know such software. Most companies who make software or write code for someone else are actually liable for mistakes they make. If I make a mistake in some accounting code for a client that nobody else here catches, we’d lose millions in court, lose the client, and be openly trashed around the media. I’d be fired of course. The client could end up with a wrong tax calculation, or wrong pension payments for examples. It doesn’t matter how small or obscure the bug is, and when it pops up- if it produces bad output, or introduces a security flaw that is exploited, we get thrown in the garbage where we belong.
This is the responsibility you have in a competitive world if you write software that could introduce significant liability. The output simply has to be correct, the client must understand why they have it and how to use it correctly, and it has to be free of bugs and exploits. Maybe that’s not important in the gaming industry, but don’t pretend other industries have a similar culture.
31/07/2012 at 01:02 siliciferous says:
You’re completely right. I’ve often heard of aeronautical and military applications requiring even more thoroughly or equally as vetted code – generally, anything that could be considered ‘life-critical’ is a candidate. Of course, the average cost per line of code will go up by a factor of ten or a hundred or a thousand when it is written to such a caliber that it is effectively bug-free, but it does exist.
30/07/2012 at 18:42 MadMinstrel says:
They should be held to that standard because the application in question is not something we’re running willingly. We just want the games to run, not the Uplay spyware/malware. When we install uplay on our systems the trade is “you run your uplay on our system, we get to play games”, not “we open up our computers to any two-bit crook who wants in, we get to play games”.
30/07/2012 at 19:37 jalf says:
This has nothing to do with testing.
Any more than you need “testing” to ensure people’s safety if you build a kindergarten on the middle of a highway.
This is not a bug, in the sense that the software did exactly what it was supposed to. It was just terrible, incompetent, irresponsible software design.
The games industry has a long track record of being completely and utterly clueless about security, but this is even worse than most.
And it has nothing to do with testing, nothing to do with with evil hackers, nothing to do with being unlucky.
And everything to do with Ubisoft just not giving a damn about the quality and the security of the software they install on their customers’ PCs.
30/07/2012 at 21:11 aepervius says:
@tyrsius, I am software developper. There is buggy, and tehre is *shoddy*. Not checking what you are accepting as input all the while running code from the internet and taking for granted it will be your code only, it plain ass shoddy. It shows a torough misunderstanding of security and acceptable coding practice.
31/07/2012 at 00:12 Kittim says:
The articles I’ve been reading about this on /. and geek.com have been calling this a rootkit.
Let’s see, installs silently? Check.
Allows UBISOFT undetectable backdoor access to users computers without their consent or knowledge? Check.
From Geek.com:
“The discovery was made by Tavis Ormandy, and information security engineer at Google, when he installed Assassin’s Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it.
The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user’s consent. If this was limited just to the Uplay service with regard to checking games are legal it would still be a major concern, but the fact any website could potentially use the plugin escalates the seriousness of what is happening here.”
Remember Sony? I wonder if Ubi have opened themselves up to to a similar suit?
30/07/2012 at 17:56 Asyne says:
“And don’t worry about that empty intern position, as we have hired another intern who is being paid at half the salary of the old one. Improving your service AND meeting the bottom line – that’s Ubisoft.”
30/07/2012 at 18:56 circadianwolf says:
What’s half of nothing?
30/07/2012 at 19:00 LionsPhil says:
Ah, getting the work experience placement student to do the boring bits.
30/07/2012 at 17:39 jonfitt says:
Well at least it was quick. Now we just weather the (correct but pointless) storm of righteous indignation about having to have this DRM installed anyway, and move on.
30/07/2012 at 19:23 Kadayi says:
It ever ends?
31/07/2012 at 13:24 RegisteredUser says:
Oddly enough, not everyone thinks people should just shut up and take it if something bad exists.
30/07/2012 at 17:40 sonofsanta says:
More worryingly, if they missed this – a wide open, screamingly obvious sort of exploit – what else have they missed?
Not trusting Uplay, not now, not ever.
30/07/2012 at 17:41 SirKicksalot says:
Stop using Steam guys: Valve has fixed a man-in-the-middle vulnerability in the Windows Steam client, which would have allowed a correctly-positioned attacker to divert and decrypt HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping.
http://www.highseverity.com/2012/03/valve-fixes-https-vulnerability-in.html
WHAT ELSE HAVE THEY MISSED?
30/07/2012 at 17:46 Stackler says:
totally different problem. Steam doesn’t install browser plugins. So what the hell are you trying to do here?!
30/07/2012 at 17:52 SirKicksalot says:
So that makes it a more acceptable exploit?
30/07/2012 at 19:26 Kadayi says:
But it’s Valve , Kicks…Gabes so love-able, and Steam do such great sales.
30/07/2012 at 17:52 Kaira- says:
Big holes in DRM-systems when it comes to security. Not validating certificates is a huge oversight, but at least Valve fixed it. While taking their sweet-ass time to do so. Again. I am worried that Valve takes “forever” to fix these exploits and notify their users.
Obviously not as bad as the remote code execution exploit that UPlay had, but still.
30/07/2012 at 17:56 psyk says:
Stackler
“HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping.”
It leads to pretty much the same thing, your account details getting compromised. One can just be used long term.
30/07/2012 at 18:55 EPICTHEFAIL says:
Edit: I`m an utter dullard. WHAT OTHER OBVIOUS THINGS HAVE I MISSED?
30/07/2012 at 18:36 MisterBungle says:
Note that you’d need to redirect users to a fake site by say hijacking their DNS to exploit this one – pretty hard to exploit. As opposed to simply leaving code on a website waiting for them to stumble across it.
30/07/2012 at 18:38 Kaira- says:
Not validating certificates is a god damn big mistake.
30/07/2012 at 18:41 MisterBungle says:
Yup, agreed
30/07/2012 at 19:23 Zephro says:
Agreed. However compared to this it is much harder to exploit a man in the middle attack. Especially if you’re not on wireless (ish). On a wired connection getting in between me and my ISP/DNS and/or between them and Steam is difficult. Compared to just slapping a uPlay script out on the open web.
30/07/2012 at 18:37 Kadayi says:
Hey how come this didn’t make the RPS front page?
30/07/2012 at 18:42 Kaira- says:
Probably because in this case the one to notice the flaw was a white-hat and went to Valve first. In UPlay’s case the one to notice this disclosed the information to all public without going to Ubi first, and in a completely unrelated thread even.
That is not only morally dubious but a non-responsible disclosing of information and generally shunned upon.
30/07/2012 at 19:08 ReV_VAdAUL says:
On the other hand Steam took months to fix the problem, Ubisoft did it in hours.
30/07/2012 at 19:29 Kadayi says:
Indeed it is morally dubious, which makes people getting righteous about it particularly funny because this sort of thing happens all the time. The only difference is by on large it get’s passed directly onto the programmers rather than publicly disseminated.
30/07/2012 at 20:14 Blackseraph says:
It’s about public perception. No one likes ubi already. For good reason I might add.
On the other hand valve has fairly good reputation among customers, whether deserved or not.
30/07/2012 at 18:44 Toberoth says:
Because you smell.
30/07/2012 at 19:39 ResonanceCascade says:
I don’t know, but I do that Valve’s response time to that is pretty damn disappointing. The fuck, Valve?
I get that obscure security problems happen, but taking 3 months to fix one isn’t acceptable.
31/07/2012 at 01:31 Runs With Foxes says:
I guess none of their liberated employees felt like doing it.
30/07/2012 at 18:47 Faxmachinen says:
The only way to prevent all MitM attack vectors are to permanently sever your PC from the Internet.
A simple example of a MitM attack would be to go to a place with free WIFI, clog up the router’s IP table so nobody else could connect, then flush everyone and let them reconnect through my computer instead. Which also happens to be their favourite online bank, for some reason.
Not quite as trivial as setting up a website to run malware through your browser plugin though.
30/07/2012 at 18:50 psyk says:
Been awhile but wasn’t that what the pineapple was for?
edit
yep
http://hakshop.myshopify.com/products/wifi-pineapple
Most things have been brought down to scrip kiddie level.
31/07/2012 at 21:20 Faxmachinen says:
You are absolutely right. Nowadays you get the full script kid package, where all you have to do is click a button.
Though you still have to QUOP your way to the Internet café, in this case. Or set up a 5-mile WiFi antenna.
30/07/2012 at 20:50 kalirion says:
The Steam Client browser sucks on so many levels that I doubt too many gamers were actually using it for purchasing games.
30/07/2012 at 23:48 spectone says:
One person unlocks the back door to your house so anyone can break in. The other has to break into your car and re-program your GPS so you drive to a fake bank.
30/07/2012 at 17:41 Yachmenev says:
So what´s the purpose of this browser plugin? You don´t launch their games from the browser do you?
30/07/2012 at 17:44 povu says:
That’s what I was wondering too. Why does this even exist?
30/07/2012 at 17:59 D3xter says:
This, what the fuck did/do they “need” this for (since it was apparently only installed with uPlay 2.0 a month ago) and what is its use and why didn’t they ask people if they would allow installing it instead of doing it stealthily?
I haven’t heard of any other DRM system doing anything like this…
30/07/2012 at 18:01 Brun says:
Apparently it’s so they can execute Uplay functions with links on their website. Kind of like what Steam does, although it does it as a file handler.
As for why they didn’t ask the user? Either it’s required for the Uplay store to work, or they knew people would say no.
30/07/2012 at 19:41 LionsPhil says:
Steam do it as a protocol handler, which is pretty cool, although some of the possible actions you perhaps don’t want to happen from just clicking a link. (Firefox and Opera at least prompt “hey, gonna use an external program to handle this”. I would assume it’s registered system-wide, but a quick test with the Run dialogue couldn’t actually invoke it, so perhaps not.)
And Valve’s solution is at least browser-agnostic and doesn’t involve having to do anything to said browsers.
30/07/2012 at 18:46 sqparadox says:
Exactly! What is that plugin for? What does Ubisoft use it for?
I updated Uplay to 2.04 and the exploit still works. Disable the plugin and the exploit disappears, however Uplay still launches fine as do games launched through it and they maintain their connection to Uplay (I only tested Assassin’s Creed Brotherhood; I can only assume the principle applies to the other affected games).
Why would I possibly ever have this plugin enabled? It doesn’t seem to impact the game experience, so whether Ubisoft ‘need’ it or not, I don’t.
Edit: figured out why the exploit was still working. The update download is for 2.03 not 2.04. On first launch it only shows the changelog up to 2.03, on second launch it patches up to 2.04. At least that’s what I found installing it twice… your mileage may vary.
30/07/2012 at 17:46 rocketman71 says:
Wow… not even “we’re sorry”? [which BTW wasn't mentioned when I first commented].
Curse you, Ubi Soft… CURSE YOU!
(Is that acceptable, oh mighty hive mind?. Isn’t Ubi deserving of FUs here?)
30/07/2012 at 17:51 DClark says:
In all fairness to Ubisoft, they’re probably not sorry so to say so would be disingenuous…
30/07/2012 at 18:18 Mbaya says:
I’m more old fashioned than most and an apology goes a long way for me.
The lack of one regarding this fiasco is probably more damaging than the situation itself (on a personal level). I will have to take some time thinking about how I approach Ubisoft games in the future, regardless of platform.
On a sidenote, I’d love to hear what developers under the Ubisoft banner think of all this mess, if any dare speak out.
30/07/2012 at 22:02 Arglebargle says:
Can’t aplogize. Legal staff says it might make you look liable for some court action. Deny, deny, deny.
30/07/2012 at 17:48 MythArcana says:
UB kidding? Nope, guess not.
30/07/2012 at 17:51 aliksy says:
Still want to know why this was in the browser to begin with.
30/07/2012 at 17:53 CrookedLittleVein says:
And the comedy continues . . .
30/07/2012 at 17:53 ZX k1cka55 48K says:
In soviet Russia Uplay playU.
30/07/2012 at 17:54 Kaira- says:
Well, good for them for fixing this fast. I do agree that they should’ve notified their users about this vulnerability as soon as they learned about it.
Sadly it seems that security in customer software isn’t that high priority.
30/07/2012 at 17:59 Brun says:
Are you surprised? Security costs too much and most customers don’t care about it – it’s not a value-added feature.
30/07/2012 at 18:02 Kaira- says:
Not excactly surprised, just very, very sad. Yesterday I learned about Tesco storing passwords in plaintext, and today this (and Valve’s fuckup pointed above in the thread).
30/07/2012 at 18:09 psyk says:
LMAO also just leave this here http://view.samurajdata.se/psview.php?id=0f33c46f&page=1
numbers that follow are made up
2 people make a product
20 people look at ways to get the product to do something it shouldn’t do
EDIT – I love tesco XD
30/07/2012 at 18:31 Milky1985 says:
Gotta get the valve jab in somewhere eh
30/07/2012 at 18:33 Kaira- says:
Gotta give credit where it’s due.
30/07/2012 at 18:07 ReV_VAdAUL says:
A lot of people got very angry about Lulzsec revealing exploits and such but at least they brought attention to the matter.
Given how unnoticeable a lot of exploits can be it and how expensive competent security is companies simply will not fix these problems until they are forced to. As long as no one notices their customers information and perhaps even their money being stolen they simply don’t care.
30/07/2012 at 19:32 Kadayi says:
This story broke today and they patched it today. Seems pretty responsive to me.
30/07/2012 at 18:00 psyk says:
Just leave this here https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed.
EDIT – dosen’t seem to be on the forum, nice way to spread the word on things that actually matter.
30/07/2012 at 18:27 Alec Meer says:
This is a videogame site, you see.
30/07/2012 at 18:29 psyk says:
And?
Other Stuff
(22 Viewing)
Other, lesser, formats.
Doesn’t say only game related stuff and the amount of rage over a game company maybe spying on you on is way more than GOVERNMENTS actually spying on you.
30/07/2012 at 18:31 Brun says:
The fact that you, personally, clearly have a vested interest in that particular topic (a citizen of that country, perhaps?) does not make it more important than what’s being discussed currently, on a website dedicated to video game news. Context is critical in judging the importance of topics, something people on the internet regularly fail to grasp.
30/07/2012 at 18:31 Alec Meer says:
This *is* a videogame site, you see.
30/07/2012 at 18:34 Brun says:
I believe Mr. Meer’s point is that that sort of thing belongs in the off-topic forum, not in the comments thread of a video game news story.
30/07/2012 at 19:44 ResonanceCascade says:
Also just in: there is rampant poverty in the third world and the atmosphere is heating up at an alarming rate. We should probably get those somewhere into the article, too.
30/07/2012 at 19:47 psyk says:
And?
The off topic forum is just that off topic, I just thought it was strange that people are all RAR RAR RAR over this but not one mention in the forum about finfisher which is way bigger and more damaging than this.
30/07/2012 at 19:50 Alec Meer says:
It really grinds my gears that World of Cross Stitching Magazine runs so many stories about cross stitching. Why can’t they run a feature about the civil war in Syria?
Post non-gaming stuff in the Other Stuff forum, Psyk. That’s what it’s there for. If and when we launch Rock, Paper, Government Skullduggery please feel free to post about government skullduggery in comments there.
30/07/2012 at 19:51 Brun says:
The question you need to be asking yourself is:
“What does Finfisher have to do with video games?”
This thread isn’t the off-topic forum. Even if it were, this is a video game website, people aren’t coming here to rage about government spyware. If you want to do that I’d suggest you take it to the ACLU’s website or whatever their international equivalent is.
30/07/2012 at 19:55 psyk says:
I’m not saying YOU (meer) should make an article about it, nowhere have I suggested RPS should write an article on it.
Brun that is probably the case but still
Stupid stupid devs vs devs eroding human rights on purpose
EDIT
Alec I eagerly await your responses to all “off topic” comments in the future ;)
30/07/2012 at 19:56 Alec Meer says:
Berating our other readers for not discussing your topic of choice in a thread about videogames isn’t on, no matter how important that issue may be. Encourage discussion in the right places and in thoughtful ways and you might achieve what you want.
I’ll be wiping this sub-thread if this mad debate continues, as it is not relevant to the topic at hand.
30/07/2012 at 18:03 Fatikis says:
So Ubisoft basically installed spyware on my computer.
30/07/2012 at 18:05 Kaira- says:
Not spyware, not a rootkit, but a backdoor. Which all things considered is far worse than spyware.
30/07/2012 at 18:06 psyk says:
non intended back door
30/07/2012 at 18:11 Torgen says:
That sounds like a euphemism for “surprise buttsecks”
30/07/2012 at 18:12 psyk says:
Or it was a mistake and nothing like ACTUAL SPYWARE being used by GOVERNMENTS
30/07/2012 at 18:11 HothMonster says:
The backdoor was intended, they just completely failed to lock it. But the whole purpose of the plug-in is for remote access of your machine through your browser.
30/07/2012 at 18:20 ReV_VAdAUL says:
This is something I hope RPS and other journalists pick up and run with. They clearly wanted a backdoor, just only for their use. Which is really very worrying.
Should Law enforcement be looking into this?
30/07/2012 at 18:25 Kaira- says:
I don’t think it as an intended backdoor. They wanted you to be able to launch your games via browser. However, this is such a huge oversight that someone oughta get slapped for this getting through Q&A.
30/07/2012 at 18:43 HothMonster says:
“A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on”
“back door: an undocumented way to get access to a computer system ”
“A software program that allows access to another software program. Meant as a method for programmers to go back and update programs, backdoors are a security vulnerability because malicious users can exploit them, possibly allowing confidential or personal information to be compromised”
“gets into a user’s computer bypassing its security mechanisms. Sometimes the program can be installed for good purposes (for different kind of troubleshooting). But more frequently it is represented as malware that helps penetrating other malware like worms, Nimda, etc.”
Again, it was an intended backdoor. The intended purpose was for their website to be able to launch programs on your computer. The unintended result was anyone could make your computer do anything from a browser window. But it was still a backdoor even if only Ubi was able to use it to do benign actions.
30/07/2012 at 18:53 Fatikis says:
I’m actually aware of what it is.
I’m used to dealing with people that know nothing about computers and so the simplistic thing is to tell them anything bad is spyware. I forget that people on the internet actually know things.
However, I feel that this is a criminal act that Ubisoft intended. They merely hoped they would not be found.
30/07/2012 at 18:03 G_Man_007 says:
So here’s a funny thing…
I looked in Chrome, Firefox and IE, and no trace of the plug-in, and the exploit doesn’t work. I reinstall uplay, try the exploit, and it now works, inspite of it being the updated 2.04 version. SHENANIGANS!!
30/07/2012 at 18:07 Miltrivd says:
What has to happen to make people angry enough to stop taking their bullshit? I haven’t bought a Ubisoft game since the first Prince of Persia Trilogy and I don’t plan on it until this madness stops (gotta buy Rayman tho, since is DRM free).
Seriously, wise up people, is not just about their system being abusive and cumbersome, they are just treating you like dogs you need to keep in line instead of customers.
30/07/2012 at 18:24 Mbaya says:
“What has to happen to make people angry enough to stop taking their bullshit?” – People have different levels of tollerance, for me, up to now their aggressive DRM was a major inconvenience, but not enough that I wouldn’t jump through its hoops to play a game that looks good and has had a lot of hard work put into it on behalf of its developers.
But as I said in a previous thread, this was the straw that broke the camels back, the lack of an apology regarding this issue adds insult to injury. I think its safe to say, there are less people willing to put up with their treatment of paying customers today, than yesterday.
31/07/2012 at 14:26 Llewyn says:
Let’s clear something up here: this is not fundamentally a story about DRM, it’s a story about a negligent approach to security and a shocking disregard for customers’ welfare. Yes, the offending plug-in is an element of Ubi’s DRM implementation but its function is not DRM-related and something equally bad could just as easily be included with a DRM-free game.*
Buying Rayman does not send out a message with regard to this behaviour, only one about their use of DRM in general.
*Arguably a company with Ubi’s paranoid approach to piracy might be more likely to intentionally include monitoring tools with their DRM-free releases to try to determine how widely they’re being pirated.
30/07/2012 at 18:22 Vinraith says:
Oddly, I find myself in no real hurry to reinstall any of this crap, nor do I think I’ll be buying anything that requires it ever again.
30/07/2012 at 18:35 Heliocentric says:
I guess I’ll only buy ubi releases on gog.
30/07/2012 at 18:37 Vinraith says:
Yep. I hate to do it, I love the Anno games, the Assassin’s Creed games, and I’ve been looking forward to some of their other titles as well, but at this point I think I’m done with them unless/until I see a change in this behavior.
30/07/2012 at 18:41 0rpheus says:
What will that achieve? Uplay will still come with it, regardless of where you buy it, surely?
30/07/2012 at 18:43 Vinraith says:
GOG games are DRM-free, by definition.
30/07/2012 at 18:43 Kaira- says:
Nope. You see, the lovely thing about GOG is that it is DRM-free.
[E] Vinraith, you damned ninja.
30/07/2012 at 19:02 0rpheus says:
Yeah, I knew that, but I’m struggling to see why UBI would remove uplay just for GOG, and nowhere else.
*checks GOG.*
Ah, I see. There are some (much) older UBI games on there, which presumably will be DRM free – I thought you meant you’d be buying newer games (you know, the ones with the DRM in the first place) from GOG, which you won’t, because there aren’t any. ;)
30/07/2012 at 18:29 Milky1985 says:
Have they patched it by removing its ability to run stuff from the web browser, or just hard coded a path into it so it only runs one thing?
So say if you found an exploit that could move and rename files in you have a way to run it….
30/07/2012 at 19:32 Zephro says:
haha I wouldn’t put that past them.
I’m trying to work out whether this is more or less embarrassing than our (sony’s) fuck up last year.
30/07/2012 at 22:31 HothMonster says:
Now it only runs .exe files, fixed!
31/07/2012 at 14:17 Llewyn says:
I’m struggling to think of a scenario where you’d be able to take advantage of forcing it to run a specific something that’s been modified without already having sufficient control over a system to have easier attacks available. If you can replace an application then replace the user’s browser rather than an application called by a plug-in for that browser.
30/07/2012 at 18:31 Heliocentric says:
Really Ubisoft? No apology? Is that how you want to play it?
30/07/2012 at 18:34 Vinraith says:
No explanation of what the hell they need a couple of stealth-installed browser plugins for in the first place, either. Forget the security hole, what are those even doing there?
30/07/2012 at 22:34 alundra says:
For me that is even more worrying, they made a huge security hole on their users PCs while installing stuff which is not really clear what does it do.
A wild guess, tracking users browsing behaviors, my best guess is, they wanted to see how many of their legit users visit the bay to get a fix for their malware<- now 110% true) infested games.
30/07/2012 at 18:39 Cooper says:
In anycase, firefox’s recent patch blacklists the UPlay plugin.
Given the Uplay plugin does not change nor report version numbers (the new one is version 1.0.0.0 as was the old one with the backdoor) it means firefox now simply blacklists and disables the plugin, regardless of whatever patches Ubisoft put out.
30/07/2012 at 18:59 LionsPhil says:
The funny thing is that I could have sworn a Firefox “feature” introduced quite some time ago, after the Microsoft .NET helper extension kept getting installed, was supposed to stop other software being able to silently register new plugins and extensions.
Guess that doesn’t work either. (Which is not entirely surprising, since it’s as impossible a problem as DRM with current user-centric security models. If I can write to my Firefox config (say, by running Firefox as me), anything else I run as me can write to my Firefox config.)
(IE9 tries to do this too. Just got the banner at the bottom of a window saying Skype had installed one, and asking if it should be activated or left disabled.)
30/07/2012 at 18:55 merseybeatnik says:
I feel impotent in this matter. I don’t like the situation we find ourselves in regarding DRM and the potential vulnerabilities it may expose us to like this. Its seems inconsiderate and inconvenient at the very least. I would be lying however if I said that I have not been given many hours of fun thanks to the creative people at Ubisoft and I am not going to start making promises I can’t keep such as vowing never to buy another Ubisoft game.
If anyone does make such a vow here, they know we are not going to be checking up whether they are sticking to it (unless we have a back door to their system.) I know if Watchdogs lives up to the hype I will buy it and I won’t be alone. So what can be done besides constantly making our displeasure known to Ubisoft? I am not trying to say we should just deal with it for the privilege of playing their games. We believe they are doing something wrong and we want the industry to change. I just don’t know how much simply shouting at each other on forums about how much we hate them will achieve.
Although there is no harm in venting I suppose.
30/07/2012 at 19:02 Dark Nexus says:
I vowed not to buy another Ubisoft game when they first announced Uplay… And I stuck with it for a few years too.
But I’ve since amended it to not buying any Ubisoft game that isn’t 100% DRM-free (not even Steam’s rolled-in DRM). I think buying their DRM-free games sends a stronger message than just not buying Ubisoft games at all.
30/07/2012 at 19:59 Chris D says:
I used to think that way too, but then I bought the supposedly DRM-free From Dust,so now I just don’t trust Ubisoft at all. While some of their games look interesting nothing has struck me as being worth this kind of hassle. I don’t particularly consider this a boycott, though, nor a test of willpower. It’s just that I’m not going to buy a hamburger from someone if I know they’ve wiped their arse with the bun.
30/07/2012 at 19:49 Mbaya says:
Its a difficult possition to be in, thats for sure.
On the one hand I really want to support the developers who’ve put so much effort into making great games…but this sort of activity on behalf of the publishers is hurting everyone involved and it really shouldn’t continue.
If you have the strength of will to not buy any of Ubisofts DRM enabled games, you’re doing a great thing. If you buy the games, I’d say vent away, at least let them know you aren’t happy with the situation as it stands, but are ‘at least for now’ willing to put up with them.
One thing I think people must not do, is turn around and pirate the games because of all this mess (this isn’t directed at you, but on comments from previous replies/threads). This will only enforce the publishers to push the DRM further down our collective throats.
Either buy the game and put up with the troubles, don’t buy the game and champion titles that release DRM free, or don’t touch anything with a Ubisoft label on it again, until they clear up their business practice.
Other than that, I think voicing your opinion in a respectable manner is the only thing we can do.
We also have to realise, this isn’t working in favour of the developers in many situations too…I imagine some developers would rather attempt to self fund than team up with Ubisoft in its current form.
31/07/2012 at 06:48 jarunasax says:
LoL this is where you see people migrating to onlive to not have to deal with uplay installing crap onto your computer
30/07/2012 at 19:05 ReV_VAdAUL says:
Can RPS in good conscience offer any positive coverage or general promotion to Ubisoft games given the shenanigans they’ve been up to?
Sure you can explain away this as a mistake, a massive mistake, but it was a mistake that occurred in a stealth browser plugin. You really do have to wonder what other dangerous and questionable stuff Ubi will pack in with games in the future.
30/07/2012 at 19:18 LionsPhil says:
This is arguably a lesser problem than, say, Starforce et. al. and their bloody ring 0 giveaway rootkits.
Put the two together and you’ve got remotely exploitable + local priviledge escalation, yaaay!
This is why I don’t let non-DRM-free (or non-sandboxed) games onto my development-and-seriousness laptop.
30/07/2012 at 19:12 kuuw says:
http://is.gd/PFQQs4
30/07/2012 at 19:15 JoeGuy says:
Not requiring a box to tick/un-tick for the plug-in is the bit that bothers me. It’s more convenient for them to have you go find the plug-in and let all the programs be able to execute URL links then be decent to the customer.
I feel more and more worried for the quality of the experience Watch Dogs will offer.
30/07/2012 at 19:20 LionsPhil says:
I’m going to bet on it being a brilliant game with horrendous DRM that leaves people arguing over supporting the developers vs penalising the publishers/not having to put up with that crap. (And nobody’s opinion will budge.)
30/07/2012 at 19:50 Wut The Melon says:
I’m going to bet on it being a mediocre game with some interesting ideas but in the end way too easy and ‘accessible’ in order to make lots of money.
It’ll probably get great reviews, though, because that would already be more than you can expect from your average AAA (who outside of PR actually likes that term?) developer…
30/07/2012 at 19:51 D3xter says:
So, have they actually patched the issue or not? Have you actually tested it?
Everyone I keep hearing from “updating” to this new miraculous fixed version apparently says the exploit still works and the Calculator still opens: http://pastehtml.com/view/c6gxl1a79.html
30/07/2012 at 19:52 Brun says:
I think you have to restart your browser for the update to take effect, although I’m not certain as I don’t have any of these games and thus can’t test it.
30/07/2012 at 20:00 HothMonster says:
Hmm, so I went to read there Eula to see if I gave them permission to install web plugins and oddly enough the liks to “legal info” “terms of use” and “privacy policy” all 404 on uplay.com
30/07/2012 at 20:01 Brun says:
The cynic in me says that this means they’re quickly updating the EULA to include permission to install web plugins.
30/07/2012 at 20:33 JoeGuy says:
That reminds me of the time the iPhone got announced for Verizon, so AT&T sneaked policies onto the store site that required premium costs for terminating your contract and stated the policy was their all along.
Even after someone posted a screen capture from the week before without the policy on the page. I hope Ubisoft doesn’t do that, someone will definitely have a screen cap and burn them on it.
30/07/2012 at 20:04 tedesco says:
I’m a software tester and I know that it is impossible to guarantee a 100% bug-free app.
But it feels good when happens to these type of a*******. They deserve. :)
30/07/2012 at 21:48 TechnicalBen says:
It’s not a “bug” if it’s a feature! ;)
Oh, I’ve heard of some programmers using that line as an official retort to all bug reports. :D
31/07/2012 at 13:20 mispelledyouth says:
Hah. That excuse plays second fiddle to “Well, it works on MY machine.”
31/07/2012 at 06:44 jarunasax says:
Nevermind I agree with you, ubi deserved this to happen to them
30/07/2012 at 20:19 Sisco says:
Those responsible for coming up with the greater Uplay business scheme should update their common sense or deactivate their currents positions in this world…
30/07/2012 at 23:22 Cryo says:
What’s offensive about this story isn’t just a bug, it’s that it’s a bug in a piece of software that has no reason to exist. And Ubisoft’s reaction will be to simply fire some schmuck who was working on it, even though he wasn’t the one who ordered the pointless plug-in to be created.
31/07/2012 at 06:38 jarunasax says:
So Ubi tried to prevent it’s customers from playing their games without being connected to the internet and a way to monitor that they never use pirated versions of their game either, and in doing that they created an even bigger security risk for the same consumers…
It’s like using a grenade launcher to clear out an ant infestation. Stop trying to drag valve into this either, this is Ubisoft here, where Steam is a 3rd party that does allow drm free play, Ubi does not. Ubi is a distributor that created something to protect it’s intellectual property interests, which means they don’t give a damn about you the “user”. This is more in line with what could happen with EA Origin. These companies do not know enough to safeguard their consumers and their very actions leave us vulnerable to external attacks.
31/07/2012 at 06:57 Bahoxu says:
Amusing (in a very sad way) to think that the most certain way to have a really nasty virus installed on your computer is to buy computer games legally. If one plays games and buys them legally one will eventually have a virus installed by the big companies.
We have antivirus, no-script and firewalls to protect us against shady chinese websites. We scan for and remove spyware. We try to educate people not to open and click strange attachments in email. But we dont protect ourselves against dangerous DRM.
Maybe there is a market here for a new type of anti-virus program that specifically protects against SONY, Ubisoft and EA?
31/07/2012 at 10:40 Wolfhound-Nine says:
1. Create DRM that’s significantly more dangerous than pirated copies.
2. Wonder why everyone pirates your software.
3. ???
4. Profit!
I legitimately swore off purchasing anything published by EA at the start of the year and now I find myself adding Ubisoft to the list. I’ve honestly never felt so irate at game publishers nor so firm in the conviction to stop buying their products in every medium. The worst part is that I’m a fairly big fan of Assassin’s Creed, but I’d really much rather do without AC3 than put up with more of this crap.
Oh, and I don’t have to put up with Desmond, either. That’s a huge bonus, at least.
31/07/2012 at 12:58 RegisteredUser says:
Pirates of course being (often? always?) unaffected by this. Maybe we should reclassify crackers to security specialists/computer doctors, given that they remove both classic rootkit like protections(starforce and friends e.g.) and the need for these kind of things as well.
31/07/2012 at 13:12 RegisteredUser says:
Its almost a shame this got patched so quickly and the security hole possibly closed.
I am starting to think that since normal, rational, logical thinking can’t do it, maybe if people lose their work, letters, music, art, videos, collected links, family fotos and similiar all at once, thanks to a remote “for the lulz” exploit-delete-all, they might begin to understand that supporting companies that “allow you” to pay them for installing intrusive, controlling, restricting DRM/control-software/flat-out-honest-to-god-spy-and-reportingware on your pc isn’t the smartest thing in the world.
TL;DR: Maybe if you lose all your most valuable work and data thanks to financing DRM, that may at least get you over the hump in understanding that its a bad thing to support.
31/07/2012 at 14:06 Hardmood says:
someone here who is technically versatile enough to varify, if there was an issue with usb-ports (under winxp 32bit os), which couldve been the the failures i had with my usb-mouse. since i uninstalled these plugins i havent had any issues with my mouse and they where starting since the time ive installed two ubisoft-games with uplay (and never before). some delays while using firefox happened too which almost all time it happened was leading to a complete loss of usb-mouse connection.
thx anyway