Ubisoft Uplay browser plugin security concerns

Post by Makena » 30 Jul 12, 8:06 pm

http://www.rockpapershotgun.com/2012/07 ... -pc-games/

http://www.vg247.com/2012/07/30/ubisoft ... -pc-files/

I imagine this is just a bit of a (large) screw-up, but it's pretty easy to disable the plugin (chrome://plugins/ in Chrome; Tools -> Add-ons -> Plugins in Firefox).

Just a heads up for anyone playing Ubisoft games, which might be a few people due to the recent Steam sales.

Here is the full list of potential ‘at-risk’ titles:

    Assassin’s Creed II
    Assassin’s Creed: Brotherhood
    Assassin’s Creed: Project Legacy
    Assassin’s Creed Revelations
    Assassin’s Creed III
    Beowulf: The Game
    Brothers in Arms: Furious 4
    Call of Juarez: The Cartel
    Driver: San Francisco
    Heroes of Might and Magic VI
    Just Dance 3
    Prince of Persia: The Forgotten Sands
    Pure Football
    R.U.S.E.
    Shaun White Skateboarding
    Silent Hunter 5: Battle of the Atlantic
    The Settlers 7: Paths to a Kingdom
    Tom Clancy’s H.A.W.X. 2
    Tom Clancy’s Ghost Recon: Future Soldier
    Tom Clancy’s Splinter Cell: Conviction
    Your Shape: Fitness Evolved


EDIT: More intelligent thread title.
Last edited by Makena on 30 Jul 12, 9:28 pm, edited 2 times in total.
Makena

Has 1 million gon bucks
 
Online
Posts: 1552
Joined: 22 May 04, 4:00 pm
Location: Melbourne

Re: Ubisoft dun goofed. (Maybe)

Post by Mythor » 30 Jul 12, 8:09 pm

Went ahead and disabled the plugins in Firefox, just in case. I think describing it as a rootkit is unfair, since it seems like it wasn't intentional.

But wow. As if we needed even more reason to dislike their UPlay system. :(
"Wasabi is a sometimes food." - Elmo
Mythor

TF2 Admin
 
Offline
Posts: 7166
Joined: 10 Jun 04, 5:45 pm
Location: San Francisco

Re: Ubisoft dun goofed. (Maybe)

Post by Matty » 30 Jul 12, 8:19 pm

Well, time to get rid of the ubisoft DRM on my games.
Matty

Never goes to sleep
 
Offline
Posts: 4104
Joined: 26 Aug 10, 12:23 pm
Location: Adelaide

Re: Ubisoft dun goofed. (Maybe)

Post by Makena » 30 Jul 12, 9:11 pm

Updates on the story via RPS, the key bit is you can just disable the plugins, and:

Contrary to what some parts of the web are currently screaming, this is not a rootkit – it’s an exploit in a browser extension.

Re: Ubisoft dun goofed. (Maybe)

Post by MunchY » 30 Jul 12, 9:25 pm

I have uPlay for HOMM. But I can't see any plugins in my Firefox for it? Should I be freaking out or continue to not really care?
MunchY

Rozmosis
 
Offline
Posts: 738
Joined: 8 Nov 06, 3:30 pm

Re: Ubisoft dun goofed. (Maybe)

Post by Makena » 30 Jul 12, 9:27 pm

MunchY wrote: I have uPlay for HOMM. But I can't see any plugins in my Firefox for it? Should I be freaking out or continue to not really care?


If under Tools -> addons -> plugins, you have neither the Uplay PC nor the Uplay PC Hub plugins, then continue to not care.

If you have them, disable them, and go back to not caring :)

Re: Ubisoft dun goofed. (Maybe)

Post by MunchY » 30 Jul 12, 9:29 pm

Makena wrote:
MunchY wrote: I have uPlay for HOMM. But I can't see any plugins in my Firefox for it? Should I be freaking out or continue to not really care?


If under Tools -> addons -> plugins, you have neither the Uplay PC nor the Uplay PC Hub plugins, then continue to not care.

If you have them, disable them, and go back to not caring :)

Yeah not there at all! Thanks a lot anyway Makena!

Re: Ubisoft Uplay browser plugin security concerns

Post by PalZer0 » 31 Jul 12, 12:21 am

Wow. Just when I think Ubisoft can't be any more stupid, they pull this out of their arse.
DRM is like kids. The less you have, the better.

PalZer0

Offline? What's 'offline'?
 
Offline
Posts: 3281
Joined: 29 Mar 07, 5:22 pm

Re: Ubisoft Uplay browser plugin security concerns

Post by Makena » 31 Jul 12, 12:36 am

Via RPS:

Update – Ubisoft may have plugged the hole, but it’s difficult to know for sure as they don’t appear to be discussing the issue. There are reports on the Ubi forums (thanks, Imperial Dane) that Uplay has been updated to version 2.04, which, if the commenter is accurate, bears the note “Fix addressing browser plugin. Plugin now only able to open uPlay application.” If your Uplay hasn’t/won’t update to version 2.04, I’d get rid of it and its plugin for now. To be honest I’d get rid of the plugin regardless, until we’re sure the problem’s been resolved.

Re: Ubisoft Uplay browser plugin security concerns

Post by Kinky__ » 31 Jul 12, 8:59 pm

The first comment in the second link sums up my thoughts pretty well.

“potential” “theoretically” “could” “could” “theoretically” “potential” “could”

Hm
Kinky__

TF2 Admin
 
Offline
Posts: 47
Joined: 21 May 12, 2:02 pm
Location: Perth, WA.

Re: Ubisoft Uplay browser plugin security concerns

Post by Makena » 31 Jul 12, 9:02 pm

Kinky__ wrote: The first comment in the second link sums up my thoughts pretty well.

“potential” “theoretically” “could” “could” “theoretically” “potential” “could”

Hm


At the time that article was written, it wasn't confirmed; they can't outright say "This is happening" when it may not have actually been true.

Anyway, Uplay should auto-update itself next time you run it, which is meant to fix this exploit. But no harm in leaving them disabled if you don't care about the website/social stuff Ubisoft have with Uplay.

Re: Ubisoft Uplay browser plugin security concerns

Post by PirateEggs » 1 Aug 12, 1:30 am

Shouldn't Anno 2070 be in that list? It uses UPlay too.

They used this to make their plugin, their actual site seems to be down at this present time. I wonder why? :|
PirateEggs

Jedi Upstart
 
Offline
Posts: 616
Joined: 21 May 10, 8:14 am
Location: Adelaide

Re: Ubisoft Uplay browser plugin security concerns

Post by Makena » 1 Aug 12, 8:46 am

PirateEggs wrote: Shouldn't Anno 2070 be in that list? It uses UPlay too.

They used this to make their plugin, their actual site seems to be down at this present time. I wonder why? :|


No idea, I pulled the list from RPS, but as it has been updated, I don't think it really matters anymore :)