Ubisoft Uplay installs exploitable, rootkit-like plug-in on user PCs

esa making big announcement about e3 2013 soon ubisoft uplay exploit

Uplay isn’t the most beloved online service in the world. Ubisoft’s network does offer things that people enjoy—achievements, easy access to friends playing the same Ubisoft games—but Uplay is first and foremost a complex form of digital rights management (DRM). Ubisoft games on PC like Tom Clancy’s Ghost Recon: Future Soldier and the upcoming Assassin’s Creed III require a connection to Uplay so as to verify their authenticity.

On Monday, Uplay got Ubisoft into no small amount of trouble. Google security engineer Tavis Ormandy found that Uplay installs a browser plug-in on users’ PCs that can be exploited by malicious individuals to launch other applications on your machine. That is to say, if you have the Uplay plug-in installed, a less savory website or business could exploit it to launch apps like Microsoft Outlook that contain sensitive information. The plug-in was thought to be a rootkit, the kind of sneaky unwanted software typically used by spammers.

Ubisoft released a statement saying that the plug-in is not in fact a rootkit. Its exploitable nature was the result of a coding error. While Ubisoft was quick to point out that not technically associated with Uplay’s DRM processes—the plug-in was intended only to launch the Uplay client from a browser—Uplay’s nature as a DRM-centric service and software set automatically ties the plug-in to the company’s aggressive anti-piracy measures.

“The browser plug-in that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they’re being made,” reads the statement, “This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.”

The company has issued a patch for Uplay that fixes the problem.

This is the second major privacy violation issue to trouble Ubisoft this summer. At the end of June, an alternate reality game promoting the E3 2012 hit Watch Dogs accidentally leaked 500 customer emails to every player in on Ubisoft’s promotional email list. The company responded by removing affected customers from its marketing database.

Ubisoft’s blunders this summer demonstrate two things. One: When you trust monolithic corporations with personal information or agree to use their products when connected to the Internet, you are not guaranteed that that information is secure. No matter what. Two: Ubisoft really needs to get its act together.