Ubisoft's DRM leaves your computer wide open to browser-based system hijacking


19 Responses to “Ubisoft's DRM leaves your computer wide open to browser-based system hijacking”

  1. Deb Johnson says:

    http://www.rockpapershotgun.com/2012/07/30/ubisoft-respond-to-uplay-security-drama/  they’ve responded, somewhat. What I do hope is that this turns into as big a deal as the SONY drm debacle.  We can only wish, eh?  Would be nice to see “always on drm” die a fast, painful death like it deserves.

    • Cowicide says:

      Yeah, “always on” DRM is heinous.  I had a client with a Mac that was constantly having nasty “wake from sleep” issues.  After hundreds of dollars of troubleshooting, I found out it was a DRM daemon that was installed from a Photoshop plug-in from Alien Skin Software.

      A fricken Photoshop plug-in.  Not only was there the cost of finding this issue, the time lost for my client futzing with this issue was probably in the hundreds of dollars as well.

      • fuzzyfuzzyfungus says:

        Well, I certainly hope that you showed due respect for Intellectual Property and left that poor daemon alone… If people somehow get the idea that the property rights of the computer owner should be taken into consideration who knows what the world will come to?

  2. fuzzyfuzzyfungus says:

    I propose the following: In order to induce Ubisoft to get off its ass and actually fix this, we must appeal to something that it actually cares about (i.e. not customers or security).

    To wit: let it be resolved that Warez sites and similar locations of ill-repute shall exploit this drive-by download bug in order to check the list of installed Ubisoft games, install cracks for the same, and then pop up a convenient menu offering the user the option of downloading and installing de-crippled versions of other Ubisoft titles…

    That should get their attention right quick.

  3. Thad Boyd says:

    Pirates, as always, are unaffected.

    • Cowicide says:

      Seriously, it seems like if you pay for Ubisoft products you shouldn’t install them and install a cracked version instead after checking it for malware.  Or better yet, since they are wasting your time and willing to jeopardize your computer’s security, just don’t pay them at all.

      • Nimdae says:

      Better yet, don’t give them money. Giving them money validates their decisions because they know the income is there. If you stop giving them money, they’ll either start making decisions that attract people back to their games, or stop making games with DRM schemes that have giant security holes.

  4. Jorpho says:

    Dangit, I thought they were finally learning their lesson.  They even released Rayman Origins without DRM.  Silly Ubisoft.

    And why the heck are applications still able to toss plugins into your browsers without permission!?  Have we learned NOTHING?  (I thought maybe Firefox had finally gotten over this until I got hit by Babylon Search last week.)

    • McGreens says:

      I got hit by that too, though I *swear* I unchecked the “infect my browser” option. Fortunately I don’t mind playing with dragons and could remove all traces but it was still annoying :(

  5. foobar says:

    And the pirated versions were entirely unaffected.

  6. James Penrose says:

    I understand they do this to protect their revenue:  Guess what fellows?  I used to spend $500 to $1,000 or more per year on games and such on my and my wife’s machines.  I don’t now because I’ll be damned if I’ll let stuff like this load on my system.  How’s that revenue protection working for you now?

  7. ahclem says:

    From the same outfit that forced Starforce on their players.  Never forgive, never forget.

  8. Seg says:

    Correct me if I’m wrong, but don’t Chrome, Firefox and/or others have a way to push up an update blocking known security risks in plugins? Especially on version number so that a patched version can be enabled again.

    Debate aside if you want to actually keep the Ubi plug-in, I’m curious for the answer if something more useful (Flash, Java) had a similar security issue.

  9. MadLogician says:

    I will never buy a game that requires me to be on-line to play it.

  10. Seg says:

    One more thing I thought of and different question from my other comment.

    If they wanted a game launcher, wouldn’t it be better to register a protocol URL (http, ftp)? In this case “uplay://” where an application handler would be needed to launch by a client application installed on the system.

    When installed, Steam registered “steam://” to the user’s computer with an array of commands. That way browsers can launch, install, and manage games within Steam. The key is that you can’t arbitrarily launch as a command prompt. “Launch” and “Install” is of a number to a specific game. From there it’s Steam handling things.

    It looks like a better layout would be for Ubi to implement a launcher app and registered to a domain. Easier to support as you’re not at the whim of browser support.

    • fuzzyfuzzyfungus says:

      While Steam (still, after all these years, WTF?) has some ugly warts (the UI of the ‘downloads’ system, for example, lacks pretty much every convenience feature, even basic stuff like queuing and priority, that every other download manager and bittorrent client in the universe seem to have mastered years ago and, despite the fact that most of the Steam interface is basically just a customized web browser, there. is. no. tab. support. Obviously I would never, say, want to open multiple tabs from the main ‘Store’ page because I’m interested in checking out more than one game…) one gets the horrible impression that their competitors are genuinely years behind in competence and execution.

      Games for Windows Live is a bad joke so bad that it isn’t even funny for being bad, Ubisoft built a browser plugin that allowed executing arbitrary binaries from javascript embedded in any website and actually shipped it, EA’s system is a mess…

      It’s honestly a bit surprising. DRM is a fundamentally hard problem (on open platforms) because of the ‘you have to give them the key to the locked box but still control how they can unlock it’ problem; but the ‘build a website with a shopping cart’ and ‘construct a download manager that doesn’t suck’ problems seem like they should be fairly easy…
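The constrained protocol handler proposed in comment 10, sketched as an added example; it is not part of the original thread and is not Ubisoft's or Valve's code. The `uplay://<action>/<id>` grammar, the game catalogue, the launcher path and its `--install` flag are all assumptions made for illustration.

```python
import re

# Hypothetical grammar for the "uplay://" scheme suggested in comment 10:
#   uplay://<action>/<numeric game id>
URL_RE = re.compile(r"uplay://(launch|install)/([0-9]{1,10})")

# Constructed catalogue: the client, never the URL, supplies the path to run.
INSTALLED_GAMES = {42: r"C:\Games\ExampleGame\game.exe"}
# Placeholder launcher path and flag, both hypothetical.
LAUNCHER = r"C:\Program Files\ExampleLauncher\launcher.exe"


class RejectedURL(ValueError):
    """Raised for any URL that is not exactly one allowed command."""


def parse_launcher_url(url):
    """Return (action, game_id) for a well-formed URL, else raise."""
    # fullmatch, not match/search: trailing junk, newlines, query strings,
    # extra path segments and percent-encoding all fail the whole-string test.
    m = URL_RE.fullmatch(url)
    if m is None:
        raise RejectedURL("not an allowed launcher command")
    return m.group(1), int(m.group(2))


def build_command(url):
    """Map a URL to an argv list; no text from the URL is used as a path."""
    action, game_id = parse_launcher_url(url)
    if action == "launch":
        exe = INSTALLED_GAMES.get(game_id)
        if exe is None:
            raise RejectedURL("game %d is not installed" % game_id)
        return [exe]
    # install: only the validated integer reaches the client's installer
    return [LAUNCHER, "--install", str(game_id)]


if __name__ == "__main__":
    # Constructed sample inputs: two valid commands, four that must be refused.
    for sample in ["uplay://launch/42", "uplay://install/7",
                   "uplay://launch/42?arg=1", "uplay://launch/../cmd.exe",
                   "uplay://run/42", "uplay://launch/99"]:
        try:
            print(sample, "->", build_command(sample))
        except RejectedURL as err:
            print(sample, "-> rejected:", err)
```

The returned list is meant to be passed to a process API as an argument vector (for example `subprocess.run(argv)` without `shell=True`), so no shell ever interprets it.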
