Backdoor in Ubisoft's Uplay DRM could leave PCs vulnerable

Ubisoft gets a lot of flak from the PC gaming community for the borderline draconian digital rights management (DRM) of its games. Earlier when it was launched, Assassin’s Creed II had a DRM that required the player to stay connected to the Internet at all times, even though the game is single-player. This gained Ubisoft a lot of infamy, and it reported a sharp drop in sales of its PC games. Later, they removed the requirement to always stay online, but players needed to go online occasionally to verify the game.

Recently, it has been discovered that Ubisoft’s Uplay, which the company uses as DRM for many titles, has a backdoor. The vulnerability allows a potential hacker to install whatever they would want on your computer. The flaw lies specifically in a browser plugin that Uplay quietly installs. The general consensus is to get rid of the plugin as soon as possible. To remove the plugin, users of Google Chrome, Internet Explorer and Mozilla Firefox can go to “about:plugins” and disable it.

Uplay leaves a vulnerability in PCs

As explained here, any website can start a Uplay window with the right code, slip in any malicious program, and install it on your PC. If one was to inject the code into a commonly visited website, it will be possible to install keyloggers, viruses, or gain control of PCs.

In a conversation with Rock Paper Shotgun, a security expert said, “You could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it’d also install a program via UBISoft’s DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited wordpress, say.”

Here’s the list of games that are known to be affected:

• Assassin’s Creed II
• Assassin’s Creed: Brotherhood
• Assassin’s Creed: Project Legacy
• Assassin’s Creed Revelations
• Assassin’s Creed III
• Beowulf: The Game
• Brothers in Arms: Furious 4
• Call of Juarez: The Cartel
• Driver: San Francisco
• Heroes of Might and Magic VI
• Just Dance 3
• Prince of Persia: The Forgotten Sands
• Pure Football
• R.U.S.E.
• Shaun White Skateboarding
• Silent Hunter 5: Battle of the Atlantic
• The Settlers 7: Paths to a Kingdom
• Tom Clancy’s H.A.W.X. 2
• Tom Clancy’s Ghost Recon: Future Soldier
• Tom Clancy’s Splinter Cell: Conviction
• Your Shape: Fitness Evolved

Ubisoft appears to have plugged the hole, but they aren’t discussing the issue. So it’s difficult to know for sure. Reports from Ubisoft’s forums say that Uplay has been updated to a new version, which has this in the patch note: “fix addressing browser plugin. Plugin now only able to open uPlay application.”

It would be good to be on the safe side, and remove that plugin in any case, until it is confirmed that the problem has been solved.