Whenever a new form of digital rights management, or DRM, hits the market, people get antsy. Developer and publisher Ubisoft has their own particular brand of this nonsense which requires a launcher of their making: Uplay. Unfortunately for them, it looks like Uplay includes a major security hole which some hackers are decrying as an intentional rootkit. This is the kind of revelation that can lead to recalls and public statements.
News of the exploit first popped up on the Full Disclosure mailing list, where Tavis Ormandy, a notorious Information Security Engineer at Google, remarks on his findings nonchalantly:
Your silly post reminded me of something, while on vacation recently I bought a video game called “Assassin’s Creed Revelations”. I didn’t have much of a chance to play it, but it seems fun so far. However, I noticed the installation procedure creates a browser plugin for its accompanying uplay launcher, which grants unexpectedly (at least to me) wide access to websites.
The exploitable code is found within a browser plugin involved with Uplay. It’s not exactly hidden — and can be disabled — but the fact that it exists at all is an issue. Forcibly requiring these sorts of programs only leads to more issues like this, and it looks like security for their own company’s sake and not the user’s sake takes first priority in the programmer’s mind. DRM, and the problems it creates and fails to solve, likely won’t be going away any time soon, however.
The web’s response has been to quickly confirm the exploit, though some are calling the problem an issue of laughably poor coding, and to generally fume about corporate giants including anything like this that installs to the hard drive in an attempt to keep an eye on how your video games are being used. With exploits like these being discovered, it’s easy to understand why.