

  (Source: IGN)
But Ubisoft admits its code allows remotely controllable arbitrary executable launches

Wikipedia defines a "rootkit" as "a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."

We just heard back from a spokesperson from Ubisoft Entertainment S.A. (EPA:UBI) regarding claims that dozens of its most popular titles contained a browser plugin that acted as a rootkit.  

There was some skepticism among readers regarding whether this was a true "rootkit".  Writes ForceCredit, "The described behavior of the DRM package doesn't define a rootkit at all. It may be an evil nonetheless, but let's be accurate here instead of using the R-word to inflame people by misdirection."

But as more details have become available, it appears that the software was behaving fairly close to the aforementioned definition of a rootkit, though by definition it is likely closer to an unintentional Trojan.

According to the Ubisoft spokesperson:

The Situation:
The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they're being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.

[Image: pre-patch, the uPlay browser plug-in could allow remotely controlled arbitrary executable launch. Image Source: Geek.com]
Now Ubisoft denies that this is a rootkit, writing, "The Uplay application has never included a rootkit."

Technically this appears to be correct in that the plugin was not intended to be malicious, and has not yet been exploited in the wild.

That said consider the following:
  1. The browser plugin is intended to launch game-related software, but due to an apparent coding error it allowed unrestricted executable launches, meaning its advertised purpose did not match its capabilities.  This makes it, in effect, an accidental Trojan.
  2. The plugin allows privileged access to the host machine.
  3. The plugin runs in the background and is largely invisible.
  4. The plugin accepts remote control signals to control the host machine.

Thus even if Ubisoft is correct -- that Uplay is not acting as a rootkit at present -- if the control channel were hijacked by a third party, it would become one.  Channel hijacking would supply the sole missing criterion -- malicious behavior.

In other words, Ubisoft is arguing semantics, but from a purely technical standpoint its plugin, if hijacked by a malicious party, comes very close to offering capabilities similar to a rootkit's.  That, ostensibly, is where the various media reports labelling the plugin a "rootkit" arose.

Semantics aside, Ubisoft appears to realize this is a dangerous capability to leave lying around.  It writes:

Corrective Measures:
The issue was brought to our attention early Monday morning and we had a fix into our QC department an hour and a half later. An automatic patch was launched that fixes the browser plugin so that it will only open the Uplay application. Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.

Patching:

To update your Uplay client and apply the patch:
-Close any open web browsers (Internet Explorer, Firefox, Chrome, Opera, etc.). If a web browser is open during the patch, the browser will need to be restarted.
-Launch the Uplay PC client. The Uplay PC client update will start automatically.
-An updated version of the Uplay PC installer is also available to download from Uplay.com.
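As an added illustration (written for this article, not Ubisoft's code, which is not public), the weak launch pattern the spokesperson describes sits beside the post-patch behaviour of opening only the Uplay application. The launcher path, the `-gameid` switch and the `game=` parameter format are assumptions of the example.

```python
import re
from urllib.parse import parse_qs

# Assumed install location of the launcher; a placeholder for this example,
# not a path taken from the article.
LAUNCHER_PATH = r"C:\Program Files\Ubisoft\Uplay\Uplay.exe"

# Only game ids of this shape are passed through to the launcher (assumed format).
GAME_ID_RE = re.compile(r"[0-9]{1,8}")


def weak_plan_launch(request):
    """Pre-patch pattern described by the spokesperson: the argument string
    handed to the plugin names the program itself, so the first token is
    whatever executable the caller chose and the rest are its arguments."""
    argv = request.split()
    if not argv:
        raise ValueError("empty launch request")
    return argv


def hardened_plan_launch(request):
    """Post-patch pattern: the executable is fixed to the launcher and the only
    caller-controlled value is a game id, validated before it is used."""
    # strict_parsing turns malformed pairs (e.g. a bare "exe") into an error
    # instead of silently dropping them.
    fields = parse_qs(request, strict_parsing=True)
    if set(fields) != {"game"} or len(fields["game"]) != 1:
        raise ValueError("unexpected parameters: %r" % sorted(fields))
    game_id = fields["game"][0]
    if not GAME_ID_RE.fullmatch(game_id):
        raise ValueError("invalid game id: %r" % game_id)
    # The program to run is never derived from the request.
    return [LAUNCHER_PATH, "-gameid", game_id]


def is_accepted(request):
    """True if the hardened handler would produce a launch for this request."""
    try:
        hardened_plan_launch(request)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: what a page could hand the plugin before and after the fix.
    print("weak:", weak_plan_launch(r"C:\other\tool.exe /silent"))      # any program
    print("hardened:", hardened_plan_launch("game=42"))                 # launcher only
    print("hardened:", is_accepted("game=42&exe=C:\\other\\tool.exe"))  # False
```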

It remains to be seen if this is enough to wash Ubisoft's hands of liability for allowing arbitrary code execution on victim machines.

Source: Ubisoft




By EricMartello on 7/30/2012 5:30:16 PM , Rating: 2
Rootkits are often used for malicious purposes but that doesn't mean they MUST be used for said purposes to be considered a rootkit.

If you "root" a device, just as the term implies, you gain access to full control over said device. Any software that allows a user to execute arbitrary code on a device where they are supposed to have limited privileges does count as "rooting" the system.

No legitimate software company should be installing crap like this in the background, secretly, or even in the foreground with the users' consent. Bottom line here is that if the plugin installed by Ubisoft allows full arbitrary code execution, it is for all intents and purposes a rootkit.

My recommendation is simple - if you like a game and it includes this type of "DRM", don't buy it - go download a cracked version from your file sharing site of preference.




By kingmotley on 7/30/2012 5:47:40 PM , Rating: 2
It's still not a rootkit. Yes, it allowed for arbitrary execution of code. No, it doesn't have elevated privileges, nor does it try to hide its (or any other) process. You can call it a remote exploit, or a trojan depending on whether you believe it was intentional, but not a rootkit.


By ClownPuncher on 7/30/2012 5:54:35 PM , Rating: 2
Meh, I'd suggest avoiding it altogether rather than finding a cracked exe.


By Master Kenobi (blog) on 7/30/2012 6:45:48 PM , Rating: 3
I get that you are using the semantics of the word and attempting to formulate a reasonable understanding based on the word "root". However, rooting a device is another matter entirely. Keying on a generic word like root is a mistake, given the ubiquity of the word in the computer world.

Still, I will attempt to educate the lot of you. Rootkits are designed to bypass the operating system and intercept kernel calls. The file itself is typically hidden from the OS, and any attempt to utilize the operating system's kernel calls to read the disk or volume will always return a negative result. This also allows the rootkit itself to hide processes or threads from the operating system. Dealing with rootkits requires software that does not trust the OS, and will interface directly with the file system and memory stack. Kernel level debuggers (Microsoft has an excellent one), user level debuggers (ollydbg), and decompilers (IDA) are typically used when analyzing this type of malware due to the nature of the threat. Since a rootkit can intercept any calls to information by the OS, it is free to alter the results as it sees fit in order to cloak itself or other software.

Don't make the mistake of thinking rootkits are silly little browser plugins that are plainly visible. By the watered down half-assed definitions here one can conclude that ActiveX, Java, and Flash are also rootkits. The reality is they are nothing more than BHOs, and the UPlay plugin is also simply another BHO.

Let's get the facts straight.
UPlay - Hides itself from the OS? NO.
UPlay - Hides other files or processes from the OS? No.
UPlay - Allows execution of files or services on the system? Yes.
Is UPlay a rootkit? No.
Is it a plugin? Yes.
Should you trust it? Never trust a plugin, given all the exploit vectors with ActiveX, Java, Flash (and PDF since it allows flash to be embedded), one should NEVER trust a plugin unless you know exactly what you are allowing to execute.


By EricMartello on 7/31/2012 1:33:32 AM , Rating: 1
You're obfuscating the fundamental element of a rootkit - that is to gain unrestricted access to a system where you normally have restricted security privileges or none at all.

Explaining how you would make a rootkit work does not mean that your definition is valid, making all others invalid. A rootkit does not need to be hidden if the user believes it is part of a legitimate program. Hidden in plain sight works just as well.

The key point - the ability to execute arbitrary code - is exactly what makes it a rootkit. You can, in fact, install a reverse proxy or turn the system into a zombie using the functionality provided by said plugin...or rootkit.

Bottom line is at the end of the day, if you have a piece of software on your system running in the background that allows a 3rd party to execute code on your system without your consent or control, you're on a compromised system and it is no different than being rooted by some script kiddie.


By Master Kenobi (blog) on 7/31/2012 6:36:18 AM , Rating: 2
quote:
You're obfuscating the fundamental element of a rootkit - that is to gain unrestricted access to a system where you normally have restricted security privileges or none at all.

I will have to disagree here. UPlay would have to be hiding something (it isn't), and would need to escalate privileges (it doesn't). I think you need to lay off the kool-aid.

quote:
The key point - the ability to execute arbitrary code - is exactly what makes it a rootkit.

I don't know where you got this load of bullshit, but it's not even close. I'm not a big fan of Wikipedia but this actually links back to a McAfee paper I read a while back.
http://en.wikipedia.org/wiki/Rootkit
quote:
A rootkit is a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

Again, we are back to the capabilities and characteristics of the software being used to define what it is. This is how all malware is categorized, based on how it does what it does. The ability to execute arbitrary code is a characteristic of all malware and applies to none specifically.


By EricMartello on 8/1/2012 12:56:19 AM , Rating: 1
quote:
I will have to disagree here. UPlay would have to be hiding something (it isn't), and would need to escalate privileges (it doesn't). I think you need to lay off the kool-aid.


So they've been entirely forthcoming in their need to install a plugin like that in the first place? It's not me who's drinking the kool-aid, bro. You seem to be wearing your false-sense-of-security blanket quite comfortably.

quote:
I don't know where you got this load of bullshit, but it's not even close. I'm not a big fan of Wikipedia but this actually links back to a McAfee paper I read a while back.


By not even close you mean almost exactly the same? I'd recommend reading the link you posted before using it to disagree with me when you were wrong in the first place.

FYI the section of interest is "uses" and it generally echoes what I've been saying.

Installing this plugin allows Ubisoft to execute arbitrary code. Once it's there, they can do what they want and Uplay is deemed "safe" because it's "not a rootkit" because that's not what Wikipedia says.

quote:
Again, we are back to the capabilities and characteristics of the software being used to define what it is. This is how all malware is categorized, based on how it does what it does. The ability to execute arbitrary code is a characteristic of all malware and applies to none specifically.


You're missing the point. The explanation here is not outlining what software must contain to be considered a rootkit; it is simply explaining common characteristics of known rootkits that have already been discovered.

Social engineering is a perfectly valid form of "hacking" and getting people to trust your software and install it willingly to allow you to gain unrestricted access to the computer is just as effective as doing a drive-by download.

Not all malware is designed to allow someone to execute arbitrary code...in fact, most malware is purposeful in its task, normally performing a specific function. The simpler the malware the easier it is to conceal and deliver.


By bhmInOhio on 7/31/2012 7:36:08 AM , Rating: 2
Seems to me that the July 30th patch of the plugin should take care of the security issues if only UPlay apps can now be launched. Prior to the 30th I agree it was an issue, but not now.


Copyright 2014 DailyTech LLC.