Ubisoft's DRM leaves your computer wide open to browser-based system hijacking

Yesterday, noted security researcher (and Google employee) Tavis Ormandy published his discovery that Ubisoft's UPlay DRM installs a browser plugin that leaves your computer terribly vulnerable to drive-by attacks over the Internet. The plugin is meant to allow Ubisoft to start games on your computer over the Internet, but it lacks an effective authentication mechanism. This means that an attacker could check your browser to see if you have Ubisoft's DRM installed and, on finding it, cause the plugin to run malicious software that hijacks your computer.

An early report on Hacker News characterized this as a "rootkit," which triggered a long (and tedious) debate about the formal definition of rootkits and whether Ubisoft's system qualified. To me, this seems rather beside the point, which is that Ubisoft's overall installation process involves a high degree of secrecy and obfuscation, because none of Ubisoft's users want DRM (some may not mind it, but it's a rare gamer who says, "Please install software on my computer that watches what I do and orders my computer to prevent me from doing things that displease a distant corporation"). As a result, security vulnerabilities that arise from sloppiness (or malice) are more difficult to discover and to put right.

PC Gamer got a rare and terse quote from Ubisoft, in which the company says it is "looking into" the issue, later updated with the statement that a "forced patch" has been issued to fix it (though this claim hasn't been independently verified by any source I can find).

There's more commentary on TorrentFreak, which places the DRM in context -- "seen as an essential part of life for many games developers." The Slashdot thread on the issue is lively, but also full of deeply misinformed legal speculation about which laws Ubisoft may or may not have broken in the process.


    1. Yeah, “always on” DRM is heinous.  I had a client with a Mac that was constantly having nasty “wake from sleep” issues.  After hundreds of dollars of troubleshooting, I found out it was a DRM daemon that was installed from a Photoshop plug-in from Alien Skin Software.

      A fricken Photoshop plug-in.  Not only was there the cost of finding this issue, the time lost for my client fitzing with this issue was probably in the hundreds of dollars as well.

      1. Well, I certainly hope that you showed due respect for Intellectual Property and left that poor daemon alone… If people somehow get the idea that the property rights of the computer owner should be taken into consideration who knows what the world will come to?

  1. I propose the following: In order to induce Ubisoft to get off its ass and actually fix this, we must appeal to something that it actually cares about (i.e. not customers or security).

    To wit: let it be resolved that Warez sites and similar locations of ill-repute shall exploit this drive-by download bug in order to check the list of installed Ubisoft games, install cracks for the same, and then pop up a convenient menu offering the user the option of downloading and installing de-crippled versions of other Ubisoft titles…

    That should get their attention right quick.

    1. Seriously, it seems like if you pay for Ubisoft products you shouldn’t install them and install a cracked version instead after checking it for malware.  Or better yet, since they are wasting your time and willing to jeopardize your computer’s security, just don’t pay them at all.

      1. Better yet, don’t give them money. Giving them money validates their decisions because they know the income is there. If you stop giving them money, they’ll either start making decisions that attract people back to their games, or stop making games with DRM schemes that have giant security holes.

  2. Dangit, I thought they were finally learning their lesson.  They even released Rayman Origins without DRM.  Silly Ubisoft.

    And why the heck are applications still able to toss plugins into your browsers without permission!?  Have we learned NOTHING?  (I thought maybe Firefox had finally gotten over this until I got hit by Babylon Search last week.)

    1. I got hit by that too, though I *swear* I unchecked the “infect my browser” option. Fortunately I don’t mind playing with dragons and could remove all traces but it was still annoying :(

  3. I understand they do this to protect their revenue:  Guess what fellows?  I used to spend $500 to $1,000 or more per year on games and such on my and my wife’s machines.  I don’t now because I’ll be damned if I’ll let stuff like this load on my system.  How’s that revenue protection working for you now?

  4. Correct me if I’m wrong, but don’t Chrome, Firefox and/or others have a way to push up an update blocking known security risks in plugins? Especially on version number so that a patched version can be enabled again.

    Debate aside if you want to actually keep the Ubi plug-in, I’m curious for the answer if something more useful (Flash, Java) had a similar security issue.

  5. One more thing I thought of and different question from my other comment.

    If they wanted a game launcher, wouldn’t it be better to register a protocol URL (http, ftp)? In this case “uplay://” where an application handler would be needed to launch by a client application installed on the system.

    When installed, Steam registered “steam://” to the user’s computer with an array of commands. That way browsers can launch, install, and manage games within Steam. The key is that you can’t arbitrarily launch as a command prompt. “Launch” and “Install” is of a number to a specific game. From there it’s Steam handling things.

    It looks like a better layout would be for Ubi to implement a launcher app and registered to a domain. Easier to support as you’re not at the whim of browser support.

    1. While Steam (still, after all these years, WTF?) has some ugly warts (the UI of the ‘downloads’ system, for example, lacks pretty much every convenience feature, even basic stuff like queuing and priority, that every other download manager and bittorrent client in the universe seem to have mastered years ago and, despite the fact that most of the Steam interface is basically just a customized web browser, there. is. no. tab. support. Obviously I would never, say, want to open multiple tabs from the main ‘Store’ page because I’m interested in checking out more than one game…) one gets the horrible impression that their competitors are genuinely years behind in competence and execution.

      Games for Windows Live is a bad joke so bad that it isn’t even funny for being bad, Ubisoft built a browser plugin that allowed executing arbitrary binaries from JavaScript embedded in any website and actually shipped it, EA’s system is a mess…

      It’s honestly a bit surprising. DRM is a fundamentally hard problem (on open platforms) because of the ‘you have to give them the key to the locked box but still control how they can unlock it’ problem; but the ‘build a website with a shopping cart’ and ‘construct a download manager that doesn’t suck’ problems seem like they should be fairly easy…
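
The launcher design proposed in comment 5 above (a registered URL scheme whose handler accepts only a fixed verb and a numeric game id), sketched as an added example; it is not part of the original post or its comments, and it is not Ubisoft's or Steam's code. The `uplay://` grammar, the install table, the paths and the `--game-id` flag are all assumptions made for illustration.

```python
import re

# Whole-URL grammar: scheme, one verb from a fixed set, one decimal game id.
# fullmatch() means a trailing newline, query string, extra path segment or
# anything else outside this grammar is rejected rather than ignored.
URL_GRAMMAR = re.compile(r"uplay://(launch|install)/([0-9]{1,9})", re.ASCII)

# Constructed sample of the client's local install database (id -> executable).
# The executable path only ever comes from this table, never from the URL.
INSTALLED = {
    101: r"C:\Games\ExampleGameA\game.exe",
    202: r"C:\Games\ExampleGameB\game.exe",
}
INSTALLER = r"C:\Launcher\installer.exe"  # hypothetical fixed helper binary


class RejectedURL(ValueError):
    """Raised for any URL the handler refuses to act on."""


def parse_launcher_url(url):
    """Return (verb, game_id) for a URL that matches the grammar exactly."""
    m = URL_GRAMMAR.fullmatch(url)
    if m is None:
        raise RejectedURL("URL does not match launcher grammar")
    return m.group(1), int(m.group(2))


def plan_action(url):
    """Return the argv list the client would hand to a process-spawn API.

    An argv list (not a shell string) is returned so that nothing taken
    from the URL is ever interpreted as a command line.
    """
    verb, game_id = parse_launcher_url(url)
    if verb == "launch":
        exe = INSTALLED.get(game_id)
        if exe is None:
            raise RejectedURL("game id is not installed")
        return [exe]
    # verb == "install": fixed binary; the id is re-serialised as decimal text
    return [INSTALLER, "--game-id", str(game_id)]


def is_accepted(url):
    """True if the handler would act on this URL, False if it refuses."""
    try:
        plan_action(url)
        return True
    except RejectedURL:
        return False
```

The only data that crosses from the web page into the client is a verb from a closed set and an integer, which is the property the comment attributes to this style of launcher.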
