• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Ubisoft DRM features exploit that allows arbitrary code execution (update: patched)

Edit:

Seems to have been patched already, so update Uplay and it should be ok:

wydYB.png

Original OP content below:

http://news.ycombinator.com/item?id=4311264

The important bit of that post:

Ubisoft installs a backdoor that allows any website to take over your computer. The Sony BMG rootkit was also DRM and required product recall when it was discovered.

The original post for the hack:

http://seclists.org/fulldisclosure/2012/Jul/375


Fixes before people start going crazy:

SparkTR said:
You want to fix this? Disable the plug-in in your browser. Done. People talking about reformatting their PCs are making me facepalm.

Google chrome users: You can go to "about:plugins" and disable this and all other things that might expose you to extra security risks such as "Microsoft Office" (even "Native Client") or any other plugins that exposed in there by 3rd party without any confirmation.
 

Corky

Nine out of ten orphans can't tell the difference.
So if I once installed uplay on my pc I can't get rid of all it's traces?
 

mclem

Member
Thought one: There was a Just Dance 3 on PC?

Thought two: Anno isn't listed. Omission, or is it actually exempt?
 

Game Guru

Member
And this is why companies need to just use Steam's DRM if any. Seriously, Valve would've never had something like this.
 

Maxwood

Oh rock of ages, do not crumble, love is breathing still. Oh lady moon shine down, a little people magic if you will.
Ubicrap takes a whole new meaning.
 
Jeez and I wasn't far off installing Driver San Fran too! Also already have a copy of AC3 paid for on GMG. Hopefully they clear this up nice and fast to avoid the shit hitting the fan for them.
 

Des0lar

will learn eventually
FUCK I just bought from Dust during the Steam sale. I knew it was a fucking bad idea to buy a Ubi game....
 

Ryoku

Member
And this is why companies need to just use Steam's DRM if any. Seriously, Valve would've never had something like this.

No. No DRM at all would be lovely. Valve worship is something I don't get. Great company, but the worship is not needed.
 

Omikaru

Member
Well fuck. Glad I never installed uPlay on my newest machine.

Almost did though. Was very close to buying the Assassin's Creed pack on Steam.
 
I don't really understand it. Basically installing a Ubisoft game enables random sites to hack your PC? If so, why on earth would a company do that?
 

SparkTR

Member
Can anyone explain what this means? Like, Ubisoft's DRM allows anyone to get into your PC? Or just Ubisoft itself?

People are exaggerating. Uplay just installs a web browser plug-in that has poor security standards. There's nothing to suggest it can be used to alter protected Windows processes or Ubisoft games. You want to fix this? Disable the plug-in in your browser. Done. People talking about reformatting their PCs are making me facepalm. This is more down to incompetence than malicious intent, and I don't expect competence from Ubisoft.
 
I am glad that Uplay has been outed as the rootkit it is. I only hope they come up with a way to completely remove all traces for their loyal customers.
 

Haunted

Member
wow!

Ubi will be getting a shitton of backlash for that, if true. And it'll definitely have a visible negative impact on PC sales (and deservedly so) if they continue to do so.
 

Ryoku

Member
I don't really understand it. Basically installing a Ubisoft game enables random sites to hack your PC? If so, why on earth would a company do that?

You can disable it through your web browser. People get pissed at terrible service from Ubisoft on the PC front, and this just adds to their reasons.
 

Tomat

Wanna hear a good joke? Waste your time helping me! LOL!
More like Ufail am I right?

I'll be here all week, I've got nothing better to do.
 

Ryoku

Member
Well, I said if a company must use DRM... I would prefer it if Steam's games didn't have DRM either.

You do realize that you don't own the games that you pay money to buy on Steam, and that they can be taken from you at anytime, right?
 
Mother fuckers. No mention of this in the EULA at all?

Guessing this breaks some EU law and would require a recall if not, as with the Sony products.

e. I think you're over reacting when it comes to the 'rootkit' comparison. It's a browser plugin, surely you can just disable the browser plugin? Or is there some deep seeded authorisation given to the plugin on your computer's hardware?
 

Cade

Member
People are exaggerating. Uplay just installs a web browser plug-in that has poor security standards. There's nothing to suggest it can be used to alter protected Windows processes or Ubisoft games. You want to fix this? Disable the plug-in in your browser. Done. People talking about reformatting their PCs are making me facepalm. This is more down to incompetence than malicious intent, and I don't expect competence from Ubisoft.

You're a gentlemen and a scholar, thanks.
 

TheD

The Detective
Uhh, I don't see how this is a rootkit.

This just looks like a normal exploitable software flaw.
 

Iceblade

Member
People are exaggerating. Uplay just installs a web browser plug-in that has poor security standards. There's nothing to suggest it can be used to alter protected Windows processes or Ubisoft games. You want to fix this? Disable the plug-in in your browser. Done. People talking about reformatting their PCs are making me facepalm. This is more down to incompetence than malicious intent, and I don't expect competence from Ubisoft.

Thanks, nice to see some level-headedness amongst all of the silly quickfire reactions in here.
 

Dingotech

Member
People are exaggerating. Uplay just installs a web browser plug-in that has poor security standards. There's nothing to suggest it can be used to alter protected Windows processes or Ubisoft games. You want to fix this? Disable the plug-in in your browser. Done. People talking about reformatting their PCs are making me facepalm. This is more down to incompetence than malicious intent, and I don't expect competence from Ubisoft.

Thanks just diabled the addins.

Will UPlay still run with the addins disabled? I'd like to play more Driver at some point...
 
Top Bottom