Ubisoft Uplay plugin has nasty security hole
A nasty security hole discovered in Ubisoft's Uplay browser plugin could let naughty people run commands and programs on your PC simply with a few lines of code stuck into a webpage. And you may have the plugin installed without knowing it.
Update: Ubisoft's statement included below.
A nasty security hole discovered in Ubisoft's Uplay browser plugin could let naughty people run commands and programs on your PC simply with a few lines of code stuck into a webpage. "But I'm fine," you may think, "because why would I ever choose to install a Uplay plugin?" Well, Ubisoft may have kindly done it for you.
Yes, games which use Uplay (i.e. most of Ubisoft's PC games from the past few years) may have installed the plugin, which you should disable double quick. Head into the addons or plugins section of your browser's options, and disable that nonsense before ne'er-do-wells exploit it.
The hole (via Rock, Paper, Shotgun) lets a webpage execute commands on your PC. The proof of concept, which you can use to test if you've been vulnerable, launches the Windows Calculator program, but it could also do any number of naughty and dangerous things.
Ubisoft has since issued a statement on the issue, via Rock Paper Shotgun:
"We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
"Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues."
-
Alice O'Connor posted a new article, Ubisoft Uplay plugin has nasty security hole.
-
Huh pretty lame :(, still it's not that hard to fix this security hole:
How to
Firefox = Tools --> Add-ons --> Plugins --> Disable the Uplay and Uplay PC Hub plugins
Chrome = Visit about --> plugins and disable
Opera = Settings --> Preferences --> Advanced --> Downloads --> Search "Uplay", delete
Internet Explorer = http://windows.microsoft.com/is-IS/windows7/How-to-manage-add-ons-in-Internet-Explorer-9
Problem solved, sigh if only we could have a DD environment that had no DRM :( -
-
Between the DDoS outage on Assassin's Creed 2's launch, this remote execution exploit, and the many other problems, UPlay has proven to be a DRM suite built with lowest-bidder effort, with minimal regard for customer experience, and maximum attention on "100% protection" (even though UPlay has been disabled by pirates for no-net local play for many titles). Ubisoft will continue to call UPlay a resounding success; they're just going to attempt to evade responsibility for this security vulnerability. So far, no comment from Ubisoft, aside from a "looking into it" comment to PC Gamer.
-