But Ubisoft admits its code allows remotely controllable arbitrary executable launches

Wikipedia defines a "rootkit" as "a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."

We just heard back from a spokesperson from Ubisoft Entertainment S.A. (EPA:UBI) regarding claims that dozens of its most popular titles contained a browser plugin that acted as a rootkit.  

There was some skepticism among readers regarding whether this was a true "rootkit".  Writes ForceCredit, "The described behavior of the DRM package doesn't define a rootkit at all. It may be an evil nonetheless, but let's be accurate here instead of using the R-word to inflame people by misdirection."

But as more details have become available, it appears that the software was acting relatively close to the aforementioned definition of a rootkit, though by definition it's likely closer to an unintentional Trojan.

According to the Ubisoft spokesperson:

The Situation:
The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they're being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.

Pre-patch the uPlay browser plug-in could allow remotely controlled arbitrary executable launch.
Now Ubisoft denies that this is a rootkit, writing, "The Uplay application has never included a rootkit."

Technically this appears to be correct in that the plugin was not intended to be malicious, and has not yet been exploited in the wild.

That said, consider the following:
  1. The browser plugin is intended to launch game-related software, but due to an apparent coding error it is allowed unrestricted executable access, meaning its advertised purpose does not match its capabilities.  This makes it, in effect, an accidental Trojan.
  2. The plugin allows privileged access to the host machine.
  3. The plugin runs in the background and is largely invisible.
  4. The plugin accepts remote control signals to control the host machine.

Thus even if Ubisoft is correct -- that Uplay is not acting as a rootkit at present -- if the control channel were to be hijacked by a third party, it would become one.  Channel hijacking would fulfill the sole missing criterion -- malicious behavior.

In other words, Ubisoft is arguing semantics, but from a purely technical standpoint its plugin is very close to offering capabilities similar to a rootkit's if hijacked by a malicious party.  That, ostensibly, is where various media reports labelling the plugin as a "rootkit" arose.

Semantics aside, Ubisoft appears to realize this is a dangerous capability to leave lying around.  It writes:

Corrective Measures:
The issue was brought to our attention early Monday morning and we had a fix into our QC department an hour and a half later. An automatic patch was launched that fixes the browser plugin so that it will only open the Uplay application. Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.


To update your Uplay client and apply the patch:
-Close any open web browsers (Internet Explorer, Firefox, Chrome, Opera, etc.) If the web browser is open during the patch it will require restarting the browser.
-Launch the Uplay PC client. The Uplay PC client update will start automatically.
-An updated version of the Uplay PC installer is also available to download from

It remains to be seen if this is enough to wash Ubisoft's hands of liability for allowing arbitrary code execution on victim machines.
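
The flaw and the fix described in Ubisoft's statement can be sketched as follows. This is an added example, not Ubisoft's code: a launch handler that trusts page-supplied arguments, beside one that pins the executable and allowlists what the page may pass. The install path, the `--game-id` option and all function names are hypothetical.

```python
import shlex

# Hypothetical install path and option name, chosen for this example only.
CLIENT_EXE = r"C:\Program Files\ExampleLauncher\client.exe"
ALLOWED_OPTIONS = {"--game-id"}


class LaunchRejected(ValueError):
    """A page-supplied launch request failed validation."""


def build_argv_prepatch(page_args: str) -> list:
    """Flawed pattern: developer-style arguments are trusted as given, so
    the first token names the executable and the rest is passed through."""
    return shlex.split(page_args, posix=False)


def build_argv_patched(page_args: str) -> list:
    """Hardened pattern: the executable is pinned; the page may only supply
    allowlisted options whose values pass strict validation."""
    argv = [CLIENT_EXE]
    it = iter(shlex.split(page_args, posix=False))
    for opt in it:
        if opt not in ALLOWED_OPTIONS:
            raise LaunchRejected(f"option not allowed: {opt!r}")
        value = next(it, None)
        if value is None or not (value.isascii() and value.isdigit()) or len(value) > 9:
            raise LaunchRejected(f"bad value for {opt}: {value!r}")
        argv += [opt, value]
    return argv


def audit(requests: list) -> list:
    """Report, per request, what the patched handler would do."""
    results = []
    for req in requests:
        try:
            results.append((req, "launch " + " ".join(build_argv_patched(req)[1:])))
        except ValueError as exc:  # LaunchRejected, or a shlex parse error
            results.append((req, f"rejected ({exc})"))
    return results


# Constructed sample requests, not captured traffic.
SAMPLES = ["--game-id 42", r"C:\Temp\other.exe /x", "--game-id 42 --debug"]

if __name__ == "__main__":
    for req, verdict in audit(SAMPLES):
        print(f"{req!r:32} -> {verdict}")
```

Neither function spawns a process; each returns the argument vector that would be handed to the operating system, which is the value worth logging and testing.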

Source: Ubisoft


Still not a Rootkit
By IS81 on 7/30/2012 5:18:41 PM , Rating: 2
"The plugin runs in the background and is largely invisible."

Still isn't quite what "designed to hide the existence of certain processes or programs from normal methods of detection" refers to.

True "rootkits" generally modify system files (e.g. DLLs) to intentionally prevent normal disk, memory, registry and/or other OS access functions from detecting the presence of the associated code. A BHO or a process that doesn't show up in Windows task manager, but is visible in all the other places one would expect, is not really a rootkit.

RE: Still not a Rootkit
By andrewaggb on 7/30/2012 5:34:43 PM , Rating: 5
I agree. This is not a rootkit at all. It is a plugin-based browser exploit.

These are actually very common. QuickTime, Java, Flash, etc. seem to be full of them.

That's a part of why iOS, soon Android, and Windows 8 Metro are ditching plugins. It's unfortunate in that HTML5 can't do everything a plugin can, but from a security and stability point of view it makes some sense.

RE: Still not a Rootkit
By BladeVenom on 7/30/2012 6:42:06 PM , Rating: 5
So it's a trojan, not a rootkit. That makes me feel so much better.

RE: Still not a Rootkit
By JasonMick on 7/30/2012 6:46:03 PM , Rating: 5
"So it's a trojan, not a rootkit. That makes me feel so much better."
Feel the love!

(Up) Yours,

RE: Still not a Rootkit
By Samus on 7/30/2012 7:22:45 PM , Rating: 4
Right, it's just a BHO. Many companies, such as EA, use Origin client in addition to BHOs (like Battlefield 3, for example) to interface with their games.

Like anything, it can be exploited if someone really wants to target them, but this is completely blown out of proportion as these aren't "unwanted" BHOs like the Shop Online or OoVoO toolbars, or Coupon Printer BHO.

RE: Still not a Rootkit
By someguy123 on 7/30/2012 8:58:20 PM , Rating: 3
Nobody wants this. Ubisoft's online DRM is one of the reasons why their PC Assassin's Creed ended up tanking, though they spun it as "reduction in piracy". You MUST go through this DRM in order to play Ubisoft games, so it's more like buying some software and being forced to install OoVoO.

RE: Still not a Rootkit
By althaz on 7/30/2012 11:40:25 PM , Rating: 4
Actually, you can just pirate the games and not have to deal with any of Ubisoft's crap. I'm not advocating piracy, but I know for a fact that pirated versions of some of the Assassin's Creed games worked better than the bought versions.

I bought a couple of the games and my buddies pirated them all and they all had a lot less trouble. I ended up applying all the cracks to my version and everything worked just fine after that.

RE: Still not a Rootkit
By StevoLincolnite on 7/31/2012 9:02:44 AM , Rating: 2
I also remember CDProjekt stating that when they removed the DRM from the Witcher 2; the game magically gained a higher framerate. :)

RE: Still not a Rootkit
By NellyFromMA on 7/31/2012 12:43:32 PM , Rating: 2
What what what!?!?!? Someone replied with common sense? I'm floored.

RE: Still not a Rootkit
By bah12 on 7/30/12, Rating: -1
RE: Still not a Rootkit
By maugrimtr on 7/31/2012 10:50:29 AM , Rating: 2
Ubisoft has no liability as the article insists on suggesting as it closes. This is not a rootkit, just an unintentional vulnerability that they rapidly fixed once it was reported to them. Where's the liability or class action suit in that? Someone planning to sue Microsoft, Google, Apple, Oracle, Adobe and everyone else for similar vulnerabilities too? Even browsers?

RE: Still not a Rootkit
By Flunk on 7/30/2012 6:14:44 PM , Rating: 2
You're right, it's not a rootkit.

When it comes to plugins able to launch arbitrary code, there are quite a lot: Java, Flash, any ActiveX control, and that's just naming the ones you have installed right now (just guessing).

RE: Still not a Rootkit
By JasonMick on 7/30/2012 6:25:29 PM , Rating: 3
"You're right, it's not a rootkit.

"When it comes to plugins able to launch arbitrary code, there are quite a lot: Java, Flash, any ActiveX control, and that's just naming the ones you have installed right now (just guessing)."
I agree with you in that:

1. It's not masking its installation
2. You can remove it via your browser interface
3. It's not a stand-alone series of scripts/executables.

That said, it's still pretty bad, though a bit easier to remove.

I was working this morning off the two initial reports -- one from Ycombinator, the other from a Google engineer. The Ycombinator report referred to it as a "rootkit", but as more information emerged, I agree it was an exploitable plug-in.

While you are correct Java, Flash, etc. have similar capabilities, that's also why they have extensive security to make sure code execution privileges aren't abused.

This plugin is clearly exploitable. The fact that Ubisoft delivered an emergency patch since the initial coverage illustrates there are most definitely serious risks here, as with the Sony DRM app which was closer to a textbook "rootkit".

Copyright 2016 DailyTech LLC.