Tom Senior at 12:49pm July 30 2012
There’s troubling news on RPS regarding a potential security risk associated with Ubisoft’s Uplay plugin software that could allow hackers to remotely install programs onto your PC. The problem seems to centre around the Uplay browser plugin, which is easily disabled. In Chrome, search for about:plugins and disable Uplay. In Firefox, head to Tools – Add-ons – Plugins and then disable Uplay and the UPlay PC Hub. To be safe, you might want to consider deleting Uplay and related programs from your PC.
The problem is detailed in a Hacker News thread, which exposes a backdoor that allows a website to install and run programs remotely. We’ve contacted Ubisoft for comment and they’re “looking into” the problem. We’ll update with any further statements. Meanwhile, here’s a list of Uplay associated games that you might want to steer clear of until we know exactly how serious the problem is.
Assassin’s Creed II
Assassin’s Creed: Brotherhood
Assassin’s Creed: Project Legacy
Assassin’s Creed Revelations
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy’s H.A.W.X. 2
Tom Clancy’s Ghost Recon: Future Soldier
Tom Clancy’s Splinter Cell: Conviction
Your Shape: Fitness Evolved
Well, we knew about the patch already thanks to watchful forum-folk, but Ubisoft have finally offered a public acknowledgement of the Uplay security flaw that in theory meant nasty folk could gain remote access to gamers’ PCs. Here’s their statement and instructions on how to update Uplay – they’re not recommending that anyone disable Uplay, and sound convinced the patch has fixed the exploit.
“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”
No apology and no addressing of quite why Uplay needs a silently-installed browser plugin that allows the firm to monitor its customers’ PCs in addition to the UPlay app itself, but right now the fix is the most important thing. The patch was pretty rapid (landing about nine hours after the exploit became public knowledge) and that’s very much to their credit, but I am personally of the opinion that all firms have a duty to warn their customers of such dangers just as soon as they know the nature of the threat themselves.
Fortunately, no-one of dark intent seems to have exploited the exploit as yet – let’s hope everyone affected is able to safely patch their Uplay before anything nasty gets into the wild.