Early yesterday, reports stated that Ubisoft’s Uplay DRM system contained code that could allow malicious web sites access to a user’s PC system. The news broke when Google security engineer Tavis Ormandy posted a claim on SecLists’ Full Disclosure site that the security oversight creates a backdoor for web sites that attempt to access the machine.
This is due to Uplay installing a browser plugin—one consumers aren’t made aware of—which allows full access to any file on a computer through the Ubisoft service. Many of Ubisoft’s most popular titles are potentially affected.
Ormandy explains how he came across the issue:
While on vacation recently I bought a video game called ‘Assassin’s Creed Revelations’. I didn’t have much of a chance to play it, but it seems fun so far. However, I noticed the installation procedure creates a browser plugin for its accompanying UPlay launcher, which grants unexpectedly (at least to me) wide access to websites.
The full list of potentially affected titles is as follows:
• Assassin’s Creed II
• Assassin’s Creed: Brotherhood
• Assassin’s Creed: Project Legacy
• Assassin’s Creed Revelations
• Assassin’s Creed III
• Beowulf: The Game
• Call of Juarez: The Cartel
• Driver: San Francisco
• Heroes of Might and Magic VI
• Just Dance 3
• Prince of Persia: The Forgotten Sands
• Pure Football
• Shaun White Skateboarding
• Silent Hunter 5: Battle of the Atlantic
• The Settlers 7: Paths to a Kingdom
• Tom Clancy’s H.A.W.X. 2
• Tom Clancy’s Ghost Recon: Future Soldier
• Tom Clancy’s Splinter Cell: Conviction
• Your Shape: Fitness Evolved
Ubisoft has since confirmed a fix for the security flaw, delivered via a forced game update that the company recommends running with your browser closed. Ubisoft went on to state:
We have made a forced patch to correct the flaw in the browser plug-in for the uPlay PC application that was brought to our attention earlier today.
We recommend that all uPlay users update their uPlay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the uPlay PC installer with the patch also is available from uPlay.com.
Ubisoft has not released a statement on how many, if any, users were affected.
Analysis: After E3, a fair number of gamers began to forget and overlook Ubisoft’s poor treatment of the PC gaming world, especially once it became known that the highly anticipated Watch_Dogs would be coming to the platform. All the goodwill that Ubisoft gained amongst the PC gamer crowd has gone completely out of the window after this particular revelation.
Ubisoft’s DRM has been a point of contention with PC gamers all over and for good reason: it only hassles those who actually purchase the product. Meanwhile, those who pirate, the individuals the DRM is attempting to keep out, get a superior experience free from the shackles of a poorly implemented DRM mechanic, which opens up paying customers to a considerable amount of risk.
This is exactly why I have never purchased an Ubisoft product for my PC, and at this point, it’s a lot less rage-inducing to me if I imagine that Ubisoft is a console-only publisher. Sure, Ubisoft addressed the issue within the same day, but the issue should never have existed. Expecting your customers to always be online to access your game through a service that isn’t run correctly is absurd.
The fact that they haven’t revealed any figures as to how many have been affected comes as no surprise, and the lack of an apology is unforgivable.