Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[alway]

http://www.rockpapershotgun.com/2012/07/30/psa-possible-security-risk-in-some-ubisoft-pc-games/
Ubisoft DRM has a massive gaping security exploit in it. Complete with proof of concept program which will open a program on your PC. Uninstall UPlay ASAP, as well as hunting down the browser plugin it installs in all your browsers.

Essentially UPlay's browser plugin gives easy command-line access to your PC.

Update: http://www.rockpapershotgun.com/2012/07/30/ubisoft-respond-to-uplay-security-drama/
Patch is now available.

[Catastrophic lolcats]

Oh Ubisoft. Don't ever change.

[Dutchling]

Seems like I stopped playing the Heroes of Might and Magic and Assassin's Creed series just in time

[Seriyu]

As a note, someone posted in the comments on that article a little webpage to use to check if you've got the vulnerability. What it'lld o if you're vulnerable is run Calculator.exe. http://pastehtml.com/view/c6gxl1a79.html

I visited the website and had no ill effects, as a side note.

[alway]

Yep; that's the proof of concept code mentioned. If you see a calculator open up, you haven't killed the plugin for that browser.

[TripJack]

but drm istops evil pirates and brings in more sales and stuffs so it must be good right?
 

[UltraValican]

but drm istops evil pirates and brings in more sales and stuffs so it must be good right?
 

Companies have right to stop piracy, and some form of DRM is necessary.
What we don't need is half-baked , half-assed DRM.

[jocan2003]

It's me or they arent learning at all? the more DRM you include in a game, the more you aer HURTING PAYING customer while giving hackers a challenge.

[ScriptWolf]

All I can say is holyy fucking shit O.o all the hackers are going to have a field day on this, damn do they not even check for vulnerabilities anymore ! But this will be fun to play with on my lab computer so I better install it before the patch ( if there is one I doubt it )

[LordSlowpoke]

How absolutely unexpected. It's Ubisoft after all. How could they not create the most secure DRM in existence? After all, they put so much effort into it every single time they created any.

But seriously now, it's no wonder they cooked up something halfhearted and served it with their games. They just can't create something that works decently that's also not (absurdly) intrusive and doesn't install things without telling you, can they?

[Knight of Fools]

Hold up - Uninstalling Uplay won't do it, as it doesn't uninstall the Plugin that's actually responsible for it.

It looks like some moron over at Ubisoft thought it was a good idea to leave a gaping back door for them to open Uplay through your browser. No one thought that taking the entire back wall of your computer out was a bad way to do this, I guess.

So, you have to manually go in and disable the Plugin with whatever browser you use. Uninstalling Uplay won't fix a darn thing.

Edit:

It's me or they arent learning at all? the more DRM you include in a game, the more you aer HURTING PAYING customer while giving hackers a challenge.

This... Isn't even a challenge. Anyone with a fair understanding of how to take advantage of a security risk could just open up your computer like a can of deliciousness and do whatever he wants with it. Ubisoft screwed up big with this one.

As a side note, they did update Uplay itself so the next time you run it it'll "only allow the browser plugin to start Uplay". Which doesn't instill much confidence in me, honestly.

[TripJack]

Companies have right to stop piracy

stopping piracy is not possible, and whether drm reduces piracy significantly is debatable topic with no clear answer

the time and resources that it takes to implement some worthless drm scheme are time and resources that could be better served by improving the actual game in some way

[Knight of Fools]

But then the pirates would enjoy the game more!

[UltraValican]

Companies have right to stop piracy

stopping piracy is not possible

the time and resources that it takes to implement some worthless drm scheme are time and resources that could be better served by improving the actual game in some way

I agree, but let me rephrase that. Companies have the right to try to impede pirates as much as possible. Just like I have the right not to buy their product if their DRM is too intrusive/inconvenient.

[alway]

This... Isn't even a challenge. Anyone with a fair understanding of how to take advantage of a security risk could just open up your computer like a can of deliciousness and do whatever he wants with it. Ubisoft screwed up big with this one.

It's actually even worse than that; the site linked to by RPS has the proof of concept code; it's literally 4 lines of code. Just replace the calculator with whatever you want it to do, and congratulations, you now have the power to do almost anything on anyone's computer who visits your site.