Earlier today, stories were hitting the web that Ubisoft's DRM installed a browser plug-in that contained a backdoor. Ubisoft acted quickly and has released a patch to fix the security hole as it turns out that the backdoor was an accident and was in no way meant to be there, or at least not exploitable as it was.
Tavis Ormandy, a Google security engineer, found the backdoor and wrote about it on the Seclists.org mailing list on Sunday. Mr. Ormandy went as far as to post a few lines of Javascript as an untested proof of concept. This morning, the story made it onto Hacker News along with a working proof of concept.
The list of games which come with Uplay, and the vulnerability, are as follows:
Assassin's Creed II
Assassin's Creed: Brotherhood
Assassin's Creed: Project Legacy
Assassin's Creed Revelations
Assassin's Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
R.U.S.E.
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy's H.A.W.X. 2
Tom Clancy's Ghost Recon: Future Soldier
Tom Clancy's Splinter Cell: Conviction
Your Shape: Fitness Evolved
Ubisoft has issued a statement regarding the vulnerability. They say that a patch has been provided and is a forced patch. It's important to update now that the proof of concept has been released. The statement is below for your viewing pleasure:
We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.
Blizzard praises Microsoft's 'let it be' hands-off approach to management
Target confirms plans to reduce physical media, but games are unaffected
Fallout 4 conquers PlayStation Plus charts amid TV show success
Meet Microsoft's VASA-1: AI can now take a photo and turn it into a 'talking head' video clip
Microsoft has brought its OneNote app to the Apple Vision Pro, get it now
FlexiSpot C7B-Mesh Ergonomic Office Chair Review
Samsung G8 34-inch QD-OLED Gaming Monitor Review - 175Hz for $900
ASRock NUCBOX-155H Mini PC Review
NuPhy Air96 V2 Wireless Mechanical Keyboard Review
TEAM T-FORCE Siren DUO360 RGB Liquid CPU Cooler Review
AVerMedia Live Streamer ULTRA HD Review
AVerMedia Live Gamer 4K 2.1 Review
XPG Invader X Mid-Tower Chassis Review
Intel Core i9-14900KS CPU Review
Arbiter Polar 65 Magnetic Gaming Keyboard Review
Everything you need to know about the latest ASUS NUC Mini PCs - NUC 14 Pro and ROG NUC
How to Overclock Your GPU and Boost Your PC Gaming with ASUS GPU Tweak III
ASUS's AMD Radeon RX 7000 Series GPU lineup has something for every gamer
ASUS OLED Premium Care defends the ROG Swift OLED PG32UCDM gaming monitor from burn-in
Patriot Viper Xtreme 5 Engineering Prototype 48GB Dual-Channel Memory Kit Preview