Ubisoft uPlay Security Flaw

Computer and Video Games has follow-up on reports of a vulnerability in Ubisoft's uPlay service that could possibly allow the access of files on user's PCs. The story reflects initial impressions that this may have been included intentionally as a rootkit DRM, but they have subsequent comments from researchers indicating they think this was more likely an unintentionally security mess-up (thanks Joao). There's a follow up note on Kotaku on how to clean this out of your system if you are "infected" (thanks nin).
View : : :
43 Replies. 3 pages. Viewing page 1.
Newer [  1  2  3  ] Older
43.
 
Re: Ubisoft uPlay Security Flaw
Aug 2, 2012, 03:36
Dev
43.
Re: Ubisoft uPlay Security Flaw Aug 2, 2012, 03:36
Aug 2, 2012, 03:36
Dev
 
Verno wrote on Jul 31, 2012, 09:12:
It wasn't Steam surprisingly. I installed From Dust and it completed the setup procedures then when I ran UPlay it installed everything without consent. I had no idea the browser plugins were even installed until I tested the exploit yesterday morning. They fixed it quickly which is all well and good but they should never be using elevated process privileges to install things without users consent.
I think thats because steam only installs pre-reqs such as directx, and visual c++ redistributable. Technically the uplay might not be one.

I dunno though, maybe it just depends on how the company tells steam they want to install the stuff.
42.
 
Re: Ubisoft uPlay Security Flaw
Jul 31, 2012, 09:12
42.
Re: Ubisoft uPlay Security Flaw Jul 31, 2012, 09:12
Jul 31, 2012, 09:12
 
Creston wrote on Jul 30, 2012, 17:12:
Admittedly, the only game I ever had that installed Uplay was the latest Assassin's Creed, and I got that outside of Steam. And it simply asked me "Do you want to install our wonderful Uplay add-ins for your browser? It will let you do really awesome stuff, like... ehm... well... erm, really AMAZING STUFF!!!!"

I guess I didn't think about Steam just forcing that shit straight onto your computer. THANKS STEAM!

It wasn't Steam surprisingly. I installed From Dust and it completed the setup procedures then when I ran UPlay it installed everything without consent. I had no idea the browser plugins were even installed until I tested the exploit yesterday morning. They fixed it quickly which is all well and good but they should never be using elevated process privileges to install things without users consent.
Avatar 51617
41.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 22:45
Dev
41.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 22:45
Jul 30, 2012, 22:45
Dev
 
2nd_floor wrote on Jul 30, 2012, 19:06:
Monkey-B did not come out easily! That was virus technology back then! Today, haha, I bet they can do nasty things!
Eh, back then they were after a laugh. Nowadays they want to make money, so its more of putting spyware on your computer to get your bank account password and suck all your money. Or hold your computer hostage and continually demand you pay for fake antivirus.
40.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 20:31
40.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 20:31
Jul 30, 2012, 20:31
 
Creston wrote on Jul 30, 2012, 17:12:

Admittedly, the only game I ever had that installed Uplay was the latest Assassin's Creed, and I got that outside of Steam. And it simply asked me "Do you want to install our wonderful Uplay add-ins for your browser? It will let you do really awesome stuff, like... ehm... well... erm, really AMAZING STUFF!!!!"

I guess I didn't think about Steam just forcing that shit straight onto your computer. THANKS STEAM!

Creston

That's not what's happening. uPlay 1.xx asked permission to install the browser plugins, but the recently released 2.0 silently installs it and actually requires it or the launcher refuses to function.

I have a copy of AC:B (from Amazon, not Steam) and installed uPlay on a brand new PC a week ago, straight from Ubi's website, in order to redownload it as Ubi's servers are faster. It didn't ask or even mention anything about a browser plugin, and there's nothing in the settings either. It was installed to FF and attempts to remove it caused uPlay to insist that it's installation was broken. Disabling it was the only option short of just not installing the game.

Try it for yourself and see what happens.

Nothing to do with Steam or "mindless clicking," sorry Creston.
39.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 19:10
39.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 19:10
Jul 30, 2012, 19:10
 
Closed Betas wrote on Jul 30, 2012, 18:51:
lol, they give cleanup instructions?!?! If you been root kitted in todays age, you need to toss out your hard drive and probably your motherboard too in some cases. They can get pretty low... We really have the technology to stop this if someone wants to take virtual machines in the right direction... Also need to segregate common traffic more than currently done. which is hard for me to say since its a step closer to communism.

Trying to do a proper reply with the original quote there.
Avatar 57402
38.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 19:08
38.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 19:08
Jul 30, 2012, 19:08
 
2nd_floor wrote on Jul 30, 2012, 19:06:
"lol, they give cleanup instructions?!?! If you been root kitted in todays age, you need to toss out your hard drive and probably your motherboard too in some cases. They can get pretty low..."

Haha. I remember back in 1996 my first computer with Windows 95 got a virus called "Monkey-B", that infected the MBR I think. We had to find a special program called "Killmonk" to get rid of it, Norton Antivirus didn't do it. Back in 1996, that was a big deal, and took a few weeks! The computer had to go in to get professionally repaired!

Monkey-B did not come out easily! That was virus technology back then! Today, haha, I bet they can do nasty things!
Avatar 57402
37.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 19:06
37.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 19:06
Jul 30, 2012, 19:06
 
"lol, they give cleanup instructions?!?! If you been root kitted in todays age, you need to toss out your hard drive and probably your motherboard too in some cases. They can get pretty low..."

Haha. I remember back in 1996 my first computer with Windows 95 got a virus called "Monkey-B", that infected the MBR I think. We had to find a special program called "Killmonk" to get rid of it, Norton Antivirus didn't do it. Back in 1996, that was a big deal, and took a few weeks! The computer had to go in to get professionally repaired!

Monkey-B did not come out easily! That was virus technology back then! Today, haha, I bet they can do nasty things!
Avatar 57402
36.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 19:03
Bet
 
36.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 19:03
Jul 30, 2012, 19:03
 Bet
 
Closed Betas wrote on Jul 30, 2012, 18:51:
lol, they give cleanup instructions?!?! If you been root kitted in todays age, you need to toss out your hard drive and probably your motherboard too in some cases. They can get pretty low... We really have the technology to stop this if someone wants to take virtual machines in the right direction... Also need to segregate common traffic more than currently done. which is hard for me to say since its a step closer to communism.
It's not a root kit, it's an exploit. An exploit that can be used to give you a rootkit, granted, but not directly a rootkit.

As far as paranoia regarding whether we all have been rooted thanks to the exploit, that's further down the rabbit hole.
Avatar 9253
35.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 18:51
35.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 18:51
Jul 30, 2012, 18:51
 
lol, they give cleanup instructions?!?! If you been root kitted in todays age, you need to toss out your hard drive and probably your motherboard too in some cases. They can get pretty low... We really have the technology to stop this if someone wants to take virtual machines in the right direction... Also need to segregate common traffic more than currently done. which is hard for me to say since its a step closer to communism.
34.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 18:38
Dev
34.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 18:38
Jul 30, 2012, 18:38
Dev
 
Creston wrote on Jul 30, 2012, 17:12:
Admittedly, the only game I ever had that installed Uplay was the latest Assassin's Creed, and I got that outside of Steam. And it simply asked me "Do you want to install our wonderful Uplay add-ins for your browser? It will let you do really awesome stuff, like... ehm... well... erm, really AMAZING STUFF!!!!"
Yeah thats what happened to me with settlers 7 which I got as a steam version. It opened a web page and begged me to install the plugin, and I said NO FRACKING WAY.

I don't think steam installs the plugin as the first time install script. Thats more stuff like updated direct x and updated visual C++ redistributables.
33.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 18:10
33.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 18:10
Jul 30, 2012, 18:10
 
Another reason to avoid Ubisoft games like the plague. Have not bought one since they implemented their horrid DRM.

Made the kids take a couple of their games back.
32.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 18:06
32.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 18:06
Jul 30, 2012, 18:06
 
NKD wrote on Jul 30, 2012, 17:51:
Creston wrote on Jul 30, 2012, 17:12:
[

I guess I didn't think about Steam just forcing that shit straight onto your computer. THANKS STEAM!

Creston

But Steam is the greatest and can do no wrong.

All Hail King Gabe Newell, the First of His Name. King of the Andals, the Rhoynar, and the First Men. Lord of the Seven Kingdoms and Protector of the Realm.

Hallowed are the Ori!


Wait...
Avatar 13977
31.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 17:51
NKD
31.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 17:51
Jul 30, 2012, 17:51
NKD
 
Creston wrote on Jul 30, 2012, 17:12:
[

I guess I didn't think about Steam just forcing that shit straight onto your computer. THANKS STEAM!

Creston

But Steam is the greatest and can do no wrong.

All Hail King Gabe Newell, the First of His Name. King of the Andals, the Rhoynar, and the First Men. Lord of the Seven Kingdoms and Protector of the Realm.
Do you have a single fact to back that up?
Avatar 43041
30.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 17:44
30.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 17:44
Jul 30, 2012, 17:44
 
Mordecai Walfish wrote on Jul 30, 2012, 17:19:
Just got a message on firefox telling me the uplay plugin would be disabled because of security reasons, with this information linked:


Ubisoft Uplay has been blocked for your protection.

Why was it blocked?
Version 1.0.0.0 of the Ubisoft Uplay plugin has a security vulnerability that can be exploited by malicious websites to gain control of the user's system.

Who is affected?
All Firefox users who have this plugin installed.

What does this mean?
Users are strongly encouraged to disable the problematic add-on or plugin, but may choose to continue using it if they accept the risks described.

When Mozilla becomes aware of add-ons, plugins, or other third-party software that seriously compromises Firefox security, stability, or performance and meets certain criteria, the software may be blocked from general use. For more information, please read this support article.

Blocked on July 30, 2012. View block request.

Firefox FTW. I really cannot imagine myself using any other browser, ever. They all suck rotten dog cocks in hell.
29.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 17:27
29.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 17:27
Jul 30, 2012, 17:27
 
Creston wrote on Jul 30, 2012, 17:12:
jacobvandy wrote on Jul 30, 2012, 14:45:
Creston wrote on Jul 30, 2012, 14:36:
What's really baffling is that people apparently said "Yes, that sounds like a GREAT IDEA!" when uplay asked if it could install plugins in their browsers...

Users mindlessly clicking "yes" is the number one reason why PCs are so horribly infected with all kinds of shit.

Creston

Unfortunately, when Steam does the 'first time setup' installation of whatever various runtimes and add-on apps the publisher wants the player to have, it's almost always done in the background with no dialog windows at all...

Admittedly, the only game I ever had that installed Uplay was the latest Assassin's Creed, and I got that outside of Steam. And it simply asked me "Do you want to install our wonderful Uplay add-ins for your browser? It will let you do really awesome stuff, like... ehm... well... erm, really AMAZING STUFF!!!!"

I guess I didn't think about Steam just forcing that shit straight onto your computer. THANKS STEAM!

Creston

I can attest to this, I only had the uplay plugin from installing Anno 2070 a couple weeks ago for the Summer Sale on Steam. No notification of browser plugins whatsoever.

I would leave it up to the publisher/producer to make these kinds of options available to opt-out, as Valve/Steam cannot police the install routines of every installation to prevent them from installing browser plugins. I would say the trust is more broken from UBI (who has control of how their installer deploys, after the initial steam layer)

Avatar 56178
28.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 17:19
28.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 17:19
Jul 30, 2012, 17:19
 
Just got a message on firefox telling me the uplay plugin would be disabled because of security reasons, with this information linked:


Ubisoft Uplay has been blocked for your protection.

Why was it blocked?
Version 1.0.0.0 of the Ubisoft Uplay plugin has a security vulnerability that can be exploited by malicious websites to gain control of the user's system.

Who is affected?
All Firefox users who have this plugin installed.

What does this mean?
Users are strongly encouraged to disable the problematic add-on or plugin, but may choose to continue using it if they accept the risks described.

When Mozilla becomes aware of add-ons, plugins, or other third-party software that seriously compromises Firefox security, stability, or performance and meets certain criteria, the software may be blocked from general use. For more information, please read this support article.

Blocked on July 30, 2012. View block request.
Avatar 56178
27.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 17:14
27.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 17:14
Jul 30, 2012, 17:14
 
SimplyMonk wrote on Jul 30, 2012, 13:53:
Actively pirate them? Make a bunch of of real looking "Assassin Creed: Brotherhood" CDs with pirated versions on them and leave them lying around at playgrounds, subways, internet cafes, Starbucks.

You could just leave blank CDs around with the labels printed on them - they'd work as well as the real Ubi games.
26.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 17:12
26.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 17:12
Jul 30, 2012, 17:12
 
jacobvandy wrote on Jul 30, 2012, 14:45:
Creston wrote on Jul 30, 2012, 14:36:
What's really baffling is that people apparently said "Yes, that sounds like a GREAT IDEA!" when uplay asked if it could install plugins in their browsers...

Users mindlessly clicking "yes" is the number one reason why PCs are so horribly infected with all kinds of shit.

Creston

Unfortunately, when Steam does the 'first time setup' installation of whatever various runtimes and add-on apps the publisher wants the player to have, it's almost always done in the background with no dialog windows at all...

Admittedly, the only game I ever had that installed Uplay was the latest Assassin's Creed, and I got that outside of Steam. And it simply asked me "Do you want to install our wonderful Uplay add-ins for your browser? It will let you do really awesome stuff, like... ehm... well... erm, really AMAZING STUFF!!!!"

I guess I didn't think about Steam just forcing that shit straight onto your computer. THANKS STEAM!

Creston
Avatar 15604
25.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 16:36
Bet
 
25.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 16:36
Jul 30, 2012, 16:36
 Bet
 
Unfairly, Anno is saddled with Ubi as publisher. I think you need a degree of OCD to enjoy those games though. Most of the world's population is gaining a degree of that yearly though, so it's up and up for the Anno series!

Again, aside from being saddled with Ubi...
Avatar 9253
24.
 
Re: Ubisoft uPlay Security Flaw
Jul 30, 2012, 16:10
24.
Re: Ubisoft uPlay Security Flaw Jul 30, 2012, 16:10
Jul 30, 2012, 16:10
 
SimplyMonk wrote on Jul 30, 2012, 13:53:
RailWizard wrote on Jul 30, 2012, 13:40:
Their games aren't even worth all this DRM.

I'm already boycotting them, feel like I need to escalate now, but how. lol

Actively pirate them? Make a bunch of of real looking "Assassin Creed: Brotherhood" CDs with pirated versions on them and leave them lying around at playgrounds, subways, internet cafes, Starbucks.

Yeah that's the thing. I've looked at their crap on a certain 'privateer' website and I don't even want their crap for free. Guess I'm just not that bored. heh

43 Replies. 3 pages. Viewing page 1.
Newer [  1  2  3  ] Older