Ubisoft Uplay plugin has nasty security hole

A nasty security hole discovered in Ubisoft's Uplay browser plugin could let naughty people run commands and programs on your PC simply with a few lines of code stuck into a webpage. And you may have the plugin installed without knowing it.


Update: Ubisoft's statement included below.

A nasty security hole discovered in Ubisoft's Uplay browser plugin could let naughty people run commands and programs on your PC simply with a few lines of code stuck into a webpage. "But I'm fine," you may think, "because why would I ever choose to install a Uplay plugin?" Well, Ubisoft may have kindly done it for you.

Yes, games which use Uplay (i.e. most of Ubisoft's PC games from the past few years) may have installed the plugin, which you should disable double quick. Head into the add-ons or plugins section of your browser's options, and disable that nonsense before ne'er-do-wells exploit it.

The hole (via Rock, Paper, Shotgun) lets a webpage execute commands on your PC. The proof of concept, which you can use to test if you've been vulnerable, launches the Windows Calculator program, but it could also do any number of naughty and dangerous things.

Ubisoft has since issued a statement on the issue, via Rock, Paper, Shotgun:

"We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.

"Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues."

From The Chatty
  • reply
    July 30, 2012 8:15 AM

    Alice O'Connor posted a new article, Ubisoft Uplay plugin has nasty security hole.


    • reply
      July 30, 2012 8:30 AM

      Does this affect the games functionality at all if disabled?

      • reply
        July 30, 2012 8:31 AM

        I doubt it, I have all their games, I am gonna disable it when I get home and launch a bunch of games and see.

    • reply
      July 30, 2012 8:30 AM

      Huh, pretty lame :(, still it's not that hard to fix this security hole:

      How to

      Firefox = Tools --> Add-ons --> Plugins --> Disable the Uplay and Uplay PC Hub plugins

      Chrome = Visit about --> plugins and disable

      Opera = Settings --> Preferences --> Advanced --> Downloads --> Search "Uplay", delete

      Internet Explorer = http://windows.microsoft.com/is-IS/windows7/How-to-manage-add-ons-in-Internet-Explorer-9

      Problem solved, sigh if only we could have a DD environment that had no DRM :(

      • reply
        July 30, 2012 8:46 AM

        I couldn't find it installed on IE9, but I disabled it on Firefox. Is it possible it only puts the add-on in your default browser?

        • reply
          July 30, 2012 8:48 AM

          Probably, that'd be my guess and how they would set it up in the installer, doing all browsers on the system is more work.

    • reply
      July 30, 2012 8:30 AM

      once again, who pirates games gets more...
      let the insults begin

    • reply
      July 30, 2012 9:04 AM

      Between the DDoS outage on Assassin's Creed 2's launch, this remote execution exploit, and the many other problems, UPlay has proven to be a DRM suite built with lowest-bidder effort, with minimal regard for customer experience, and maximum attention on "100% protection" (even though UPlay has been disabled by pirates for no-net local play for many titles). Ubisoft will continue to call UPlay a resounding success; they're just going to attempt to evade responsibility for this security vulnerability. So far, no comment from Ubisoft, aside from a "looking into it" comment to PC Gamer.

    • reply
      July 30, 2012 9:35 AM

      Now, this is the thing they did for security purposes, right? Oh, for THEIR security... my bad.

    • reply
      July 30, 2012 9:40 AM

      Hey Ubisoft, learn 2 program. Wtf

    • reply
      July 30, 2012 11:41 AM

      Ubisoft, making bad games and easy ways to f**k their users.
