Ubisoft stoppers Uplay plug-in hole

Games developer Ubisoft has patched a serious vulnerability in a plug-in for its Uplay DRM software that could have allowed a hacker to take remote control of a user's computer.
Written by Tom Espiner, Contributor

Games company Ubisoft has patched a serious vulnerability that could have allowed a hacker to take over a victim's computer.


The flaw lay in a browser plug-in for Uplay, Ubisoft's in-game rewards and connection system, and could have allowed a malicious website to take control of a victim's computer, the company said.

The hole, found by Google security researcher Tavis Ormandy, was patched on Monday.

"We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today," Ubisoft said in a statement. "We recommend that all Uplay users update their Uplay PC application without a web browser open. This will allow the plug-in to update correctly."

"The browser plug-in that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they're being made," the company added. "This weakness could allow the application to specify any executable to run, rather than just a game."
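The class of flaw described in that statement, as an added illustration that is not Ubisoft's code: a launch handler that trusts an executable path supplied by a web page, next to one that accepts only a registered game id and allowlisted flags. The install root, game ids, flags and function names are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed configuration (hypothetical, not taken from Uplay).
INSTALL_ROOT = r"C:\Games\Launcher\games"
REGISTERED_GAMES = {"game-001": r"game-001\bin\game.exe"}
ALLOWED_FLAGS = {"-windowed", "-language=en"}


def build_launch_command_unsafe(request):
    """'Before': the page chooses the executable and its arguments."""
    return [request["exe"], *request.get("args", [])]


def build_launch_command(request):
    """'After': the page can only name a registered game and known flags."""
    game_id = request.get("game_id")
    if not isinstance(game_id, str) or game_id not in REGISTERED_GAMES:
        raise ValueError("unknown game id")

    # The path comes from local configuration, never from the request.
    exe = ntpath.normpath(ntpath.join(INSTALL_ROOT, REGISTERED_GAMES[game_id]))
    # Defence in depth: a bad configuration entry must not escape the root.
    if not exe.lower().startswith(INSTALL_ROOT.lower() + "\\"):
        raise ValueError("executable outside install root")

    args = request.get("args", [])
    if not isinstance(args, list):
        raise ValueError("args must be a list")
    for arg in args:
        if not isinstance(arg, str) or arg not in ALLOWED_FLAGS:
            raise ValueError("argument not allowed")
    return [exe, *args]


if __name__ == "__main__":
    # Constructed requests, as a web page might send them to the plug-in.
    print(build_launch_command({"game_id": "game-001", "args": ["-windowed"]}))
    try:
        build_launch_command({"exe": r"C:\other\program.exe"})
    except ValueError as err:
        print("rejected:", err)
```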

An updated version of the Uplay PC installer with the patch is also available from Uplay.com, the company said.

The patch will also update users' clients to Uplay version 2.0.4.

Ubisoft denied reports that Uplay contained a rootkit - a piece of software created to stealthily allow access to a computer.

"The issue is not a rootkit. The Uplay application has never included a rootkit. The issue was from a browser plug-in that Uplay PC utilises which suffered from a coding error that allowed systems usually used by Ubisoft PC game developers to make their games," said the company.

Companies are coming under increasing pressure to allow employees to use their own computing devices, a trend known as 'BYOD', or 'bring your own device'. BYOD turns vulnerabilities introduced on home devices, for example through gaming platforms, into an enterprise concern.
