Well, we knew about the patch already thanks to watchful forum-folk, but Ubisoft have finally offered a public acknowledgement of the Uplay security flaw that in theory meant nasty folk could gain remote access to gamers’ PCs. Here’s their statement and instructions on how to update Uplay – they’re not recommending that anyone disable Uplay, and sound convinced the patch has fixed the exploit.
“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”
No apology and no addressing of quite why Uplay needs a silently-installed browser plugin that allows the firm to monitor its customers’ PCs in addition to the Uplay app itself, but right now the fix is the most important thing. The patch was pretty rapid (landing about nine hours after the exploit became public knowledge) and that’s very much to their credit, but I am personally of the opinion that all firms have a duty to warn their customers of such dangers just as soon as they know the nature of the threat themselves.
Fortunately, no-one of dark intent seems to have exploited the exploit as yet – let’s hope everyone affected is able to safely patch their Uplay before anything nasty gets into the wild.