Tuesday, July 31, 2012

Ubisoft Uplay DRM security hole exposed, promptly fixed


Ubisoft’s always-on DRM mechanisms have been a point of contention among a majority of gamers, who feel they are a hassle to paying customers and ineffective at thwarting pirates. It now appears that more worrisome side effects are possible too, with the revelation that installing the company's Uplay game management system can open up your computer to malicious code insertion through the web browser.

The flaw was disclosed this morning by Google security engineer Tavis Ormandy, who noted that a browser plugin installed alongside Uplay, meant to launch locally stored games from the web, does not restrict which websites can use it. This essentially left an open door on thousands of machines that could be exploited via a maliciously crafted web page.

Ormandy posted a few lines of JavaScript code as a tentative proof of concept. The story later made it onto Hacker News and so did a working implementation of the proof of concept that launched the built-in calculator in Windows. The code was confirmed to work on a Windows 7 PC with Assassin's Creed and Firefox installed.
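The missing check described above, a filter on which websites may ask the plugin to launch something, can be sketched as follows. This is an added example, not Ubisoft's code and not the code Ormandy posted; the origin `https://launcher.example`, the game ID, the install path and all function names are hypothetical, and looking launch targets up by ID is an assumed hardening step.

```javascript
// Added illustration; every name and value below is hypothetical.
// Origins permitted to ask the launcher to start a game (assumed value).
const ALLOWED_ORIGINS = new Set(["https://launcher.example"]);

// Launch targets are looked up by ID; a page never supplies a path (assumed IDs/paths).
const INSTALLED_GAMES = new Map([
  ["game-001", "C:\\Games\\Example\\game.exe"],
]);

// Returns the canonical origin of the requesting page, or null if it is unusable.
function requestingOrigin(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null; // malformed URL: deny
  }
  // url.origin is scheme + host + port, with userinfo, path and query excluded,
  // so "https://launcher.example@evil.example/" resolves to evil.example.
  return url.protocol === "https:" ? url.origin : null;
}

// Decide whether a launch request from pageUrl for gameId may proceed.
function authorizeLaunch(pageUrl, gameId) {
  const origin = requestingOrigin(pageUrl);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "origin not allowed" };
  }
  const target = INSTALLED_GAMES.get(gameId);
  if (target === undefined) {
    return { allowed: false, reason: "unknown game id" };
  }
  return { allowed: true, target };
}

// Constructed sample requests: one legitimate, four that must be refused.
const samples = [
  ["https://launcher.example/play", "game-001"],
  ["https://launcher.example.evil.example/", "game-001"],
  ["https://launcher.example@evil.example/", "game-001"],
  ["http://launcher.example/play", "game-001"],
  ["https://launcher.example/play", "C:\\Windows\\System32\\calc.exe"],
];
for (const [page, id] of samples) {
  console.log(page, id, JSON.stringify(authorizeLaunch(page, id)));
}
```

Comparing the parsed origin exactly, rather than searching the URL string for a trusted name, is what rejects the look-alike host and the userinfo variant.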

Ubisoft has since released an update for their browser plug-in (found in over 20 different titles) to address the issue. You can also disable the plug-in altogether in your browser settings. Below is the company’s official statement and the full list of games that install the plug-in in question:

“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.

Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”

List of Uplay enabled games
  • Assassin’s Creed II
  • Assassin’s Creed: Brotherhood
  • Assassin’s Creed: Project Legacy
  • Assassin’s Creed Revelations
  • Assassin’s Creed III
  • Beowulf: The Game
  • Brothers in Arms: Furious 4
  • Call of Juarez: The Cartel
  • Driver: San Francisco
  • Heroes of Might and Magic VI
  • Just Dance 3
  • Prince of Persia: The Forgotten Sands
  • Pure Football
  • R.U.S.E.
  • Shaun White Skateboarding
  • Silent Hunter 5: Battle of the Atlantic
  • The Settlers 7: Paths to a Kingdom
  • Tom Clancy’s H.A.W.X. 2
  • Tom Clancy’s Ghost Recon: Future Soldier
  • Tom Clancy’s Splinter Cell: Conviction
  • Your Shape: Fitness Evolved
