Ubisoft Patches Browser Plug-In that Left Game-Players Open to Cyber-Attack

Video game maker Ubisoft Entertainment says it has patched a security vulnerability uncovered in a plug-in used by players that could have potentially exposed them to malware.

The issue apparently lies in the browser plug-in installed by Uplay, the digital-rights management (DRM) software that allows players to connect with other gamers. According to Ubisoft, the plug-in used to launch applications through Uplay was able to take command line arguments that developers used to launch their games while they were being made.

“This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine,” Ubisoft spokesman Michael Beadle told eWEEK.

The vulnerability affected all the games that used Uplay. That list includes more than 20 titles.

The situation was publicized Sunday by Google security engineer Tavis Ormandy on the Full Disclosure mailing list. Ormandy stated that he discovered the problem when he was installing a video game called “Assassin’s Creed: Revelations.”

“However, I noticed the installation procedure creates a browser plug-in for [its] accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to Websites,” he wrote.

According to Beadle, the problem was brought to the company’s attention early Monday morning, and work on the fix began soon after.

“An automatic patch was launched that fixes the browser plug-in so that it will only open the Uplay application,” he said. “Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”

The company took issue with reports describing the problem as a “rootkit.” The situation resulted from a coding error, Beadle said, adding that the issue is not related to DRM. During the past two years, Ubisoft has faced criticism over its handling of DRM issues.

“The browser plug-in can now only launch the Uplay application,” he said.

To update a Uplay client and apply the patch, users should close any open Web browsers and launch the Uplay PC client. The client will update automatically. It can also be downloaded from Uplay.com.