backtop


Print 28 comment(s) - last by EricMartello.. on Aug 1 at 12:56 AM


  (Source: IGN)
But Ubisoft admits its code allows remotely controllable arbitrary executable launches

Wikipedia defines a "rootkit" as "a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."

We just heard back from a spokesperson from Ubisoft Entertainment S.A. (EPA:UBI) regarding claims that dozens of its most popular titles contained a browser plugin that acted as a rootkit.  

There was some skepticism among readers regarding whether this was a true "rootkit".  Writes ForceCredit, "The described behavior of the DRM package doesn't define a rootkit at all. It may be an evil nonetheless, but let's be accurate here instead of using the R-word to inflame people by misdirection."

But it appears as more details have become available that the software was acting relatively close to the aforementioned definition of a rootkit, though it's likely closer to an unintentional Trojan by definition.

According to the Ubisoft spokesperson:

The Situation:
The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they're being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.

uPlay
Pre-patch the uPlay browser plug-in could allow remotely controlled arbitrary executable launch.
[Image Source: Geek.com] 
 
Now Ubisoft denies that this is a rootkit, writing, "The Uplay application has never included a rootkit."

Technically this appears to be correct in that the plugin was not intended to be malicious, and has not yet been exploited in the wild.

That said consider the following:
  1. The browser plugin is intended to launch game related software, but due to apparent coding error is allowed unrestricted executable access, meaning its advertised purpose does not match its capabilities.  This makes it, in effect, an accidental Trojan.
  2. The plugin allows privileged access to the host machine.
  3. The plugin runs in the background and is largely invisible.
  4. The plugin accepts remote control signals to control the host machine.

Thus even if Ubisoft is correct -- that Uplay is not acting as a rootkit at present -- if the control channel were to be hijacked by a third party, it would become one.  Channel hijacking would fulfill the sole missing criteria -- malicious behavior.

In other words, Ubisoft is arguing semantics, but based on a purely technical standpoint its plugin is very close to being capable of offering similar capabilities to a rootkit if hijacked by a malicious party.  That, ostensibly, is where various media reports labelling the plugin as a "rootkit" arose.

Semantics aside, Ubisoft appears to realize this is a dangerous capability to leave lying around.  It writes:

Corrective Measures:
The issue was brought to our attention early Monday morning and we had a fix into our QC department an hour and a half later. An automatic patch was launched that fixes the browser plugin so that it will only open the Uplay application. Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.

Patching:

To update your Uplay client and apply the patch:
-Close any open web browsers (Internet Explorer, Firefox, Chrome, Opera, etc.) If the web browser is open during the patch it will require restarting the browser.
-Launch the Uplay PC client. The Uplay PC client update will start automatically.
-An updated version of the Uplay PC installer is also available to download from Uplay.com.

It remains to be seen if this is enough to wash Ubisoft's hands of liability for allowing arbitrary code execution on victim machines.

Source: Ubisoft



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Not a rootkit
By jeepga on 7/30/2012 7:19:12 PM , Rating: 3
This is not a rootkit. Frankly, the definition on Wikipedia could use some work. This is just poor, sloppy programming resulting in a real, dangerous exploit.

But, as far as I'm concerned there's nothing to see here. They fixed it within a few hours. They took it seriously and fixed it. Carry on.




RE: Not a rootkit
By PokerGuy on 7/31/2012 10:32:58 AM , Rating: 2
I disagree about the "nothing to see here" part. I agree that it's not really a rootkit, but the important point to understand is that the company should not have exposed users to potential risks by installing this crap to begin with.

The fact that they hastily sent out a patch to fix the exploit shows that they care about PR damage control, but the bottom line remains that they install this crap on your machine and should be avoided by PC users.


RE: Not a rootkit
By Cannyone on 7/31/2012 3:24:10 PM , Rating: 2
quote:
...the bottom line remains that they install this crap on your machine and should be avoided by PC users.


That I agree with completely! And until Ubisoft gets the message I will continue to tell people NOT to buy their software.


"The whole principle [of censorship] is wrong. It's like demanding that grown men live on skim milk because the baby can't have steak." -- Robert Heinlein














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki