Update – Ubisoft may have plugged the hole, but it’s difficult to know for sure as they don’t appear to be discussing the issue. There are reports on the Ubi forums (thanks, Imperial Dane) that Uplay has been updated to version 2.04, which, if the commenter is accurate, bears the note “Fix addressing browser plugin. Plugin now only able to open uPlay application.” If your Uplay hasn’t/won’t update to version 2.04, I’d get rid of it and its plugin for now. To be honest I’d get rid of the plugin regardless, until we’re sure the problem’s been resolved.
We’re currently investigating the full extent of this, but moralising and recrimination can come later. For now, the important thing is to warn folks who have certain Ubisoft games installed on their PCs that an apparent backdoor has been discovered in the Uplay infrastructure/DRM which may in theory allow anyone so minded to install God knows what horrors on your PC. It isn’t confirmed as definite, but certainly proof-of-concept code is calling up Uplay windows and then loading other programs from websites that have nothing to do with Ubisoft. If Uplay is on your PC, I urge you to uninstall it and any games that use it immediately, until we know more. Update: the flaw lies specifically in a browser plugin Uplay quietly installs, and the general consensus is now that’s all you need to remove to protect yourself. See below for details on how to rid your PC of it.