Another week, another Ubisoft DRM controversy, as browser plug-in included with DRM acts as rootkit to allow hackers to run any program on your PC
Ubisoft's controversial DRM and online platform, Uplay, became even more controversial this week as a Google engineer revealed a huge flaw that allows hackers to gain full control of users' computers via a misbehaving browser plug-in.
The Uplay platform performs anti-piracy authentication, including "always-on" online authentication, and provides additional features such as achievements and additional game content.
Tavis Ormandy, a Google information security engineer, discovered the flaw while trying to download and install Ubisoft's Assassin's Creed: Revelations game, which is one of 21 titles to feature the Uplay platform. The flaw allowed users with malicious intent to use the included Uplay browser plug-in to run any program on the user's computer, which then makes it trivial to control that user's entire computer - this kind of malicious software is traditionally called a "rootkit". As the plug-in is included with Uplay by default, this means hundreds of thousands of PCs have been put at risk due to this flaw.
Ubisoft was quick to respond to the issue, releasing a patch (version 2.0.4) right away that fixes the flaw: the browser plug-in can now only launch Uplay apps. Users are urged to update their Uplay installation right away, and to do so without having any browsers open, to allow the browser update to occur. Ubisoft issued a statement saying they will "continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues".
The most high-profile case of DRM acting as a rootkit was the infamous Sony rootkit scandal, which forced the company to recall music CDs that had included the DRM, as well as offer financial settlements to the hundreds of thousands who were potentially affected.