Ubisoft is a company renowned among PC gamers for two major things. The first is that it produces some truly excellent games, while the second is that its PC game development is driven by a deep-seated belief that all PC gamers are pirates and need to be policed accordingly.
This has led to a history of antagonism with PC gamers, and DRM tactics that are a constant source of contention. Last decade it was one of the biggest proponents of the notorious Starforce copy protection technology, and its current system involves having a constant connection to Ubisoft’s servers in order to play games (if your connection drops the game pauses and won’t continue until it returns).
This system, which ties into Ubisoft’s Uplay network, has been plagued with issues – the most recent of which were outages that affected people who had purchased Ubisoft games during Steam’s latest sale, leaving them unable to play. But while the DRM by its very nature is a highly contentious issue, the latest scandal to hit the games publisher revolves around a different aspect of the Uplay network.
It turns out that the Uplay client software stealthily installs browser plugins when you install a Ubisoft game on your PC. This plugin is designed to allow the web client to launch games directly, and is something most users have been unaware even existed.
According to a post on Seclists by Tavis Ormandy, an engineer from Google, the plugin was capable of executing any application remotely, not just Ubisoft games. This was rapidly turned into a proof-of-concept test that enabled people to launch Windows Calculator with a few lines of simple code. Such a security hole is potentially massive, and could well have been engineered to run malicious applications via a seemingly innocuous web link.
It took less than half a day after the exploit was first posted for Ubisoft to deploy a patch to its Uplay software that ensured the plugin could only run Uplay titles. To get this fix, Ubisoft recommends either running Uplay without a browser open to force an update or downloading and installing the latest client from the Uplay website.
Oddly though, there has been no statement made on the Uplay website itself, no emails to people with Uplay accounts or any kind of general warning that there is a security hole needing to be plugged.
The fix means that the stealth browser plugin still exists; it just can’t run applications that are not sanctioned by Ubisoft. Given that the mere existence of the plugin has been enough to enrage some gamers, disabling it completely is probably still a good option. This can be done by going to your browser’s plugin page and disabling or removing the offending Uplay Plugin. In Firefox this is done by heading to Tools -> Add-ons -> Plugins, while in Chrome just type about:plugins into the address bar. For Internet Explorer 9, users should be able to go to Tools -> Manage Add-ons and select All Add-ons from the drop-down list under Show.