Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

Ubisoft's DRM leaves your computer wide open to browser-based system hijacking

Cory Doctorow at 9:48 am Mon, Jul 30, 2012

— FEATURED —

Book Review

The Man Who Laughs: grotesque Victor Hugo potboiler was the basis for The Joker

Feature

Eurovision 2013: An American in London

Book Review

The Twelve-Fingered Boy - mesmerizing YA horror novel

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle

Yesterday, noted security researcher (and Google employee) Tavis Ormandy published his discovery that Ubisoft's UPlay DRM installs a browser plugin that leaves your computer terribly vulnerable to drive-by attacks over the Internet. The plugin is meant to allow Ubisoft to start games on your computer over the Internet, but it lacks an effective authentication mechanism. This means that an attacker could check your browser to see if you have Ubisoft's DRM installed, and if it finds it, cause the plugin to run malicious software that hijacks your computer.

An early report on Hacker News characterized this as a "rootkit," which triggered a long (and tedious) debate about the formal definition of rootkits and whether Ubisoft's system qualified. To me, this seems rather beside the point, which is that Ubisoft's overall installation process involves a high degree of secrecy and obfuscation, because none of Ubisoft's users want DRM (some may not mind it, but it's a rare gamer who says, "Please install software on my computer that watches what I do and orders my computer to prevent me from doing things that displease a distant corporation"). As a result, security vulnerabilities that arise from sloppiness (or malice) are more difficult to discover and to put right.

PC Gamer got a rare and terse quote from Ubisoft on the issue, in which the company says it is "looking into" the issue, later updated with the statement that a "forced patch" has been issued to fix the issue (though this claim hasn't been independently verified by any source I can find).

There's more commentary on TorrentFreak, which places the DRM in context -- "seen as an essential part of life for many games developers." The Slashdot thread on the issue is lively, but also full of deeply misinformed legal speculation about which laws Ubisoft may or may not have broken in the process.

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE:  Business • Copyfight • drm • Games • malware • security

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

  • Deb Johnson

    http://www.rockpapershotgun.com/2012/07/30/ubisoft-respond-to-uplay-security-drama/  they’ve responded, somewhat. What I do hope is that this turns into as big a deal as the SONY drm debacle.  We can only wish, eh?  Would be nice to see “always on drm” die a fast, painful death like it deserves.

    • Cowicide

      Yeah, “always on” DRM is heinous.  I had a client with a Mac that was constantly having nasty “wake from sleep” issues.  After hundreds of dollars of troubleshooting, I found out it was a DRM daemon that was installed from a Photoshop plug-in from Alien Skin Software.

      A fricken Photoshop plug-in.  Not only was there the cost of finding this issue, the time lost for my client fitzing with this issue was probably in the hundreds of dollars as well.

      • fuzzyfuzzyfungus

        Well, I certainly hope that you showed due respect for Intellectual Property and left that poor daemon alone… If people somehow get the idea that the property rights of the computer owner should be taken into consideration who knows what the world will come to?

  • fuzzyfuzzyfungus

    I propose the following: In order to induce Ubisoft to get off its ass and actually fix this, we must appeal to something that it actually cares about(ie. not customers or security).

    To wit: let it be resolved that Warez sites and similar locations of ill-repute shall exploit this drive-by download bug in order to check the list of installed Ubisoft games, install cracks for the same, and then pop up a convenient menu offering the user the option of downloading and installing de-crippled versions of other Ubisoft titles…

    That should get their attention right quick.

  • Thad Boyd

    Pirates, as always, are unaffected.

    • Cowicide

      Seriously, it seems like if you pay for Ubisoft products you shouldn’t install them and install a cracked version instead after checking it for malware.  Or better yet, since they are wasting your time and willing to jeopardize your computer’s security, just don’t pay them at all.

      • Nimdae

         Better yet, don’t give them money. Giving them money validates their decisions because they know the income is there. If you stop giving them money, they’ll either start making decisions that attracts people back to their games, or stop making games with DRM schemes that have giant security holes.

        • Deb Johnson

          I don’t buy any Ubisoft games since they started it.  

        • Bonobo

          I think that was covered by “just don’t pay them at all.”

  • Jorpho

    Dangit, I thought they were finally learning their lesson.  They even released Rayman Origins without DRM.  Silly Ubisoft.

    And why the heck are applications still able to toss plugins into your browsers without permission!?  Have we learned NOTHING?  (I thought maybe Firefox had finally gotten over this until I got hit by Babylon Search last week.)

    • McGreens

      I got hit by that too, though I *swear* I unchecked the “infect my browser” option. Fortunately I don’t mind playing with dragons and could remove all traces but it was still annoying :(

  • foobar

    And the pirated versions were entirely unaffected.

  • James Penrose

    I understand they do this to protect their revenue:  Guess what fellows?  I used to spend $500 to $1,000 or more per year on games and such on my and my wife’s machines.  I don’t now because I’ll damned if I’ll let stuff like this load on my system.  How’s that revenue protection working for you now?

    • http://twitter.com/sqlrob Rob

      This.

      My only sources for PC games are GoG and Humble Bundle because I don’t trust anything else.

  • ahclem

    From the same outfit that forced Starforce on their players.  Never forgive, never forget.

  • http://segonmedia.com/ Seg

    Correct me if I’m wrong, but doesn’t Chrome, Firefox and/or others have a way to push up an update blocking known security risks in plugins? Especially on version number so that a patched version can be enabled again.

    Debate aside if you want to actually keep the Ubi plug-in, I’m curious for the answer if something more useful (Flash, Java) had a similar security issue.

  • MadLogician

    I will never buy a game that requires me to be on-line to play it.

  • http://segonmedia.com/ Seg

    One more thing I thought of and different question from my other comment.

    If they wanted a game launcher, wouldn’t it be better to register a protocol URL (http, ftp)? In this case “uplay://” where an application handler would be needed to launch by a client application installed on the system.

    When installed, Steam registered “steam://” to the user’s computer with an array of commands. That way browsers can launch, install, and mangage games with-in Steam. The key is that you can’t arbitrarily launch as a command prompt. “Launch” and “Install” is of a number to a specific game. From there it’s Steam handling things.

    It looks like a better layout would be for Ubi to implement a launcher app and registered to a domain. Easier to support as you’re not at the whim of browser support.

    • fuzzyfuzzyfungus

      While Steam (still, after all these years, WTF?) has some ugly warts(the UI of the ‘downloads’ system, for example, lacks pretty much every convenience feature, even basic stuff like queuing and priority, that every other download manager and bittorrent client in the universe seem to have mastered years ago and, despite the fact that most of the Steam interface is basically just a customized web browser, there. is. no. tab. support. Obviously I would never, say, want to open multiple tabs from the main ‘Store’ page because I’m interested in checking out more than one game…) one gets the horrible impression that their competitors are genuinely years behind in competence and execution.

      Games for Windows Live is a bad joke so bad that it isn’t even funny for being bad, Ubisoft built a browser plugin that allowed executing arbitrary binaries from javascript embedded in any website and actually shipped it, EA’s system is a mess…

      It’s honestly a bit surprising. DRM is a fundamentally hard problem(on open platforms) because of the ‘you have to give them the key to the locked box but still control how they can unlock it’ problem; but the ‘build a website with a shopping cart’ and “construct a download manager that doesn’t suck’ problems seem like they should be fairly easy…