In association with heise online

30 July 2012, 17:57

Ubisoft DRM opens backdoor


The Uplay copy protection system from the game publisher Ubisoft comes with a browser plugin that tears a huge security hole in the computer. Attackers can use a few lines of JavaScript to persuade the plugin to launch arbitrary processes; the potential victim only needs to open a specially crafted web page. The problem was discovered by Google security expert Tavis Ormandy, who bought "Assassin's Creed Revelations" while on vacation and reported his observations on the Full Disclosure mailing list. Apparently he did not inform Ubisoft about the problem beforehand.

Uplay is installed on the system along with numerous games from the publisher, such as Anno 2070, various Assassin's Creed editions, Heroes of Might and Magic VI, The Settlers 7, and various Tom Clancy titles. A detailed list can be found on Wikipedia. It is also possible to download and install Uplay separately.

Using a proof-of-concept page, users can check if their system is vulnerable: the page attempts to start the Windows Calculator. Mozilla has now placed the Uplay plugin on its blacklist, which stops it from running in Firefox. Ubisoft has not yet commented on the issue. However, the company recently distributed an update, version 2.04, which seems to eliminate the problem. The version number can be found by clicking the i-button in the top right corner of the Uplay window.

