But Ubisoft admits its code allows remotely controllable arbitrary executable launches

Wikipedia defines a "rootkit" as "a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."

We just heard back from a spokesperson from Ubisoft Entertainment S.A. (EPA:UBI) regarding claims that dozens of its most popular titles contained a browser plugin that acted as a rootkit.  

There was some skepticism among readers regarding whether this was a true "rootkit".  Writes ForceCredit, "The described behavior of the DRM package doesn't define a rootkit at all. It may be an evil nonetheless, but let's be accurate here instead of using the R-word to inflame people by misdirection."

But as more details have become available, it appears that the software was acting relatively close to the aforementioned definition of a rootkit, though it is likely closer to an unintentional Trojan.

According to the Ubisoft spokesperson:

The Situation:
The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they're being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.

[Image: Pre-patch, the uPlay browser plug-in could allow remotely controlled arbitrary executable launch. Image source: Geek.com]
Now Ubisoft denies that this is a rootkit, writing, "The Uplay application has never included a rootkit."

Technically this appears to be correct in that the plugin was not intended to be malicious, and has not yet been exploited in the wild.

That said, consider the following:
  1. The browser plugin is intended to launch game-related software, but due to an apparent coding error it is allowed unrestricted executable access, meaning its advertised purpose does not match its capabilities.  This makes it, in effect, an accidental Trojan.
  2. The plugin allows privileged access to the host machine.
  3. The plugin runs in the background and is largely invisible.
  4. The plugin accepts remote control signals to control the host machine.

Thus even if Ubisoft is correct -- that Uplay is not acting as a rootkit at present -- if the control channel were to be hijacked by a third party, it would become one.  Channel hijacking would fulfill the sole missing criterion -- malicious behavior.

In other words, Ubisoft is arguing semantics, but based on a purely technical standpoint its plugin is very close to being capable of offering similar capabilities to a rootkit if hijacked by a malicious party.  That, ostensibly, is where various media reports labelling the plugin as a "rootkit" arose.

Semantics aside, Ubisoft appears to realize this is a dangerous capability to leave lying around.  It writes:

Corrective Measures:
The issue was brought to our attention early Monday morning and we had a fix into our QC department an hour and a half later. An automatic patch was launched that fixes the browser plugin so that it will only open the Uplay application. Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.

Patching:

To update your Uplay client and apply the patch:
- Close any open web browsers (Internet Explorer, Firefox, Chrome, Opera, etc.). If the web browser is open during the patch it will require restarting the browser.
- Launch the Uplay PC client. The Uplay PC client update will start automatically.
- An updated version of the Uplay PC installer is also available to download from Uplay.com.

It remains to be seen if this is enough to wash Ubisoft's hands of liability for allowing arbitrary code execution on victim machines.
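The flaw and the fix that Ubisoft describes above, sketched as an added example (not Ubisoft's code): the pre-patch handler lets a developer-style argument name the program to start, while the patched handler never takes the executable from the request. The launcher path, the `--game-id` flag, the request fields and the ID format are all hypothetical.

```python
import ntpath
import re

# Hypothetical placeholders: not Ubisoft's real install path, flag or ID format.
LAUNCHER_EXE = r"C:\Program Files\ExampleLauncher\launcher.exe"
GAME_ID = re.compile(r"[0-9]{1,6}")


class LaunchRejected(ValueError):
    """Raised when a web-supplied launch request is refused."""


def argv_prepatch(request):
    """Flaw as described: a developer-style 'exe' argument supplied by the
    page chooses the program to start, so any executable can be named."""
    exe = request.get("exe", LAUNCHER_EXE)
    return [exe] + list(request.get("args", []))


def argv_patched(request):
    """Fix as described: the plugin only opens the launcher. The page may pick
    a game ID and nothing else; the executable never comes from input."""
    unexpected = sorted(set(request) - {"game_id"})
    if unexpected:
        raise LaunchRejected(f"unexpected fields: {unexpected}")
    game_id = request.get("game_id")
    if not isinstance(game_id, str) or not GAME_ID.fullmatch(game_id):
        raise LaunchRejected("game_id must be 1-6 digits")
    return [LAUNCHER_EXE, "--game-id", game_id]


def is_launcher(argv):
    """True only if argv would start the launcher itself (Windows path rules)."""
    return ntpath.normcase(argv[0]) == ntpath.normcase(LAUNCHER_EXE)


def audit(requests):
    """Per request: (does the pre-patch argv start the launcher?, patched verdict)."""
    results = []
    for request in requests:
        try:
            argv_patched(request)
            verdict = "allowed"
        except LaunchRejected as err:
            verdict = f"rejected: {err}"
        results.append((is_launcher(argv_prepatch(request)), verdict))
    return results


# Constructed sample requests, as a web page might send them to the plugin.
SAMPLES = [
    {"game_id": "82"},
    {"exe": r"C:\Windows\System32\calc.exe"},
    {"game_id": "82 --exe calc.exe"},
]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, audit(SAMPLES)):
        print(sample, result)
```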

Source: Ubisoft




Still not a Rootkit
By IS81 on 7/30/2012 5:18:41 PM , Rating: 2
"The plugin runs in the background and is largely invisible."

Still isn't quite what "designed to hide the existence of certain processes or programs from normal methods of detection" refers to.

True "rootkits" generally modify system files (e.g. DLLs) to intentionally prevent normal disk, memory, registry and/or other OS access functions from detecting the presence of the associated code. A BHO or a process that doesn't show up in Windows task manager, but is visible in all the other places one would expect, is not really a rootkit.




RE: Still not a Rootkit
By andrewaggb on 7/30/2012 5:34:43 PM , Rating: 5
I agree. This is not a rootkit at all. It is a plugin-based browser exploit.

These are actually very common. quicktime, java, flash etc seem to be full of them.

That's a part of why ios, soon android, and windows 8 metro are ditching plugins. It's unfortunate in that html5 can't do everything a plugin can, but from a security and stability point of view it makes some sense.


RE: Still not a Rootkit
By BladeVenom on 7/30/2012 6:42:06 PM , Rating: 5
So it's a trojan, not a rootkit. That makes me feel so much better.


RE: Still not a Rootkit
By JasonMick (blog) on 7/30/2012 6:46:03 PM , Rating: 5
quote:
So it's a trojan, not a rootkit. That makes me feel so much better.
Feel the love!

(Up) Yours,
DRM


RE: Still not a Rootkit
By Samus on 7/30/2012 7:22:45 PM , Rating: 4
Right, it's just a BHO. Many companies, such as EA, use Origin client in addition to BHO's (like Battlefield 3, for example) to interface with their games.

Like anything, it can be exploited if someone really wants to target them, but this is completely blown out of proportion as these aren't "unwanted" BHO's like the Shop Online or OoVoO toolbars, or Coupon Printer BHO.


RE: Still not a Rootkit
By someguy123 on 7/30/2012 8:58:20 PM , Rating: 3
Nobody wants this. Ubisoft's online DRM is one of the reasons why their PC assassin's creed ended up tanking, though they spun it as "reduction in piracy". you MUST go through this DRM in order to play ubisoft games, so it's more like buying some software and being forced to install OoVoO.


RE: Still not a Rootkit
By althaz on 7/30/2012 11:40:25 PM , Rating: 4
Actually, you can just pirate the games and not have to deal with any of Ubisoft's crap. I'm not advocating piracy, but I know for a fact that pirated versions of some of the Assassin's Creed games worked better than the bought versions.

I bought a couple of the games and my buddies pirated them all and they all had a lot less trouble. I ended up applying all the cracks to my version and everything worked just fine after that.


RE: Still not a Rootkit
By StevoLincolnite on 7/31/2012 9:02:44 AM , Rating: 2
I also remember CDProjekt stating that when they removed the DRM from the Witcher 2; the game magically gained a higher framerate. :)


RE: Still not a Rootkit
By NellyFromMA on 7/31/2012 12:43:32 PM , Rating: 2
What what what!?!?!? Someone replied with common sense? I'm floored.


RE: Still not a Rootkit
By bah12 on 7/30/12, Rating: -1
RE: Still not a Rootkit
By maugrimtr on 7/31/2012 10:50:29 AM , Rating: 2
Ubisoft has no liability as the article insists on suggesting as it closes. This is not a rootkit, just an unintentional vulnerability that they rapidly fixed once it was reported to them. Where's the liability or class action suit in that? Someone planning to sue Microsoft, Google, Apple, Oracle, Adobe and everyone else for similar vulnerabilities too? Even browsers?


RE: Still not a Rootkit
By Flunk on 7/30/2012 6:14:44 PM , Rating: 2
You're right, it's not a rootkit.

When it comes to plugins able to launch arbitrary code, there are quite a lot: Java, Flash, any ActiveX control, and that's just naming the ones you have installed right now (just guessing).


RE: Still not a Rootkit
By JasonMick (blog) on 7/30/2012 6:25:29 PM , Rating: 3
quote:
You're right, it's not a rootkit.

When it comes to plugins able to launch arbitrary code, there are quite a lot: Java, Flash, any ActiveX control, and that's just naming the ones you have installed right now (just guessing).
I agree with you in that:

1. It's not masking its installation
2. You can remove it via your browser interface
3. It's not a stand-alone series of scripts/executables.

That said, it's still pretty bad, though a bit easier to remove.

I was working this morning off the two initial reports -- one from Ycombinator, the other from a Google engineer. The Ycombinator report referred to it as a "rootkit", but as more information emerged, I agree it was an exploitable plug-in.

While you are correct Java, Flash, etc. have similar capabilities, that's also why they have extensive security to make sure code execution privileges aren't abused.

This plugin is clearly exploitable. The fact that Ubisoft delivered an emergency patch since the initial coverage illustrates there are most definitely serious risks here, as with the Sony DRM app which was closer to a textbook "rootkit".


By EricMartello on 7/30/2012 5:30:16 PM , Rating: 2
Rootkits are often used for malicious purposes but that doesn't mean they MUST be used for said purposes to be considered a rootkit.

If you "root" a device, just as the term implies, you gain access to full control over said device. Any software that allows a user to execute arbitrary code on a device where they are supposed to have limited privileges does count as "rooting" the system.

No legitimate software company should be installing crap like this in the background, secretly, or even in the foreground with the users' consent. Bottom line here is that if the plugin installed by ubisoft allows full arbitrary code execution, it is for all intents and purposes a rootkit.

My recommendation is simple - if you like a game and it includes this type of "DRM", don't buy it - go download a cracked version from your file sharing site of preference.




By kingmotley on 7/30/2012 5:47:40 PM , Rating: 2
It's still not a rootkit. Yes, it allowed for arbitrary execution of code. No, it doesn't have elevated privileges, nor does it try to hide its (or any other) process. You can call it a remote exploit, or a trojan depending if you believe it was intentional, but not a rootkit.


By ClownPuncher on 7/30/2012 5:54:35 PM , Rating: 2
Meh, I'd suggest avoiding it altogether rather than finding a cracked exe.


By Master Kenobi (blog) on 7/30/2012 6:45:48 PM , Rating: 3
I get that you are using the semantics of the word and attempting to formulate a reasonable understanding based on the word "root". However, rooting a device is another matter entirely. Keying on a generic word like root is a mistake, given the ubiquity of the word in the computer world.

Still, I will attempt to educate the lot of you. Rootkits are designed to bypass the operating system and intercept kernel calls. The file itself is typically hidden from the OS, and any attempt to utilize the operating system's kernel calls to read the disk or volume will always return a negative result. This also allows the rootkit itself to hide processes or threads from the operating system. Dealing with rootkits requires software that does not trust the OS, and will interface directly with the file system and memory stack. Kernel level debuggers (Microsoft has an excellent one), user level debuggers (ollydbg), and decompilers (IDA) are typically used when analyzing this type of malware due to the nature of the threat. Since a rootkit can intercept any calls to information by the OS, it is free to alter the results as it sees fit in order to cloak itself or other software.

Don't make the mistake of thinking rootkits are silly little browser plugins that are plainly visible. By the watered down half-assed definitions here one can conclude that ActiveX, Java, and Flash are also rootkits. The reality is they are nothing more than BHO's, and the UPlay plugin is also simply another BHO.

Let's get the facts straight.
UPlay - Hides itself from the OS? NO.
UPlay - Hides other files or processes from the OS? No.
UPlay - Allows execution of files or services on the system? Yes.
Is UPlay a rootkit? No.
Is it a plugin? Yes.
Should you trust it? Never trust a plugin, given all the exploit vectors with ActiveX, Java, Flash (and PDF since it allows flash to be embedded), one should NEVER trust a plugin unless you know exactly what you are allowing to execute.


By EricMartello on 7/31/2012 1:33:32 AM , Rating: 1
You're obfuscating the fundamental element of a rootkit - that is to gain unrestricted access to a system where you normally have restricted security privileges or none at all.

Explaining how you would make a rootkit work does not mean that your definition is valid, making all others invalid. A rootkit does not need to be hidden if the user believes it is part of a legitimate program. Hidden in plain sight works just as well.

The key point - the ability to execute arbitrary code - is exactly what makes it a rootkit. You can, in fact, install a reverse proxy or turn the system into a zombie using the functionality provided by said plugin...or rootkit.

Bottom line is at the end of the day, if you have a piece of software on your system running in the background that allows a 3rd party to execute code on your system without your consent or control, you're on a compromised system and it is no different than being rooted by some script kiddie.


By Master Kenobi (blog) on 7/31/2012 6:36:18 AM , Rating: 2
quote:
You're obfuscating the fundamental element of a rootkit - that is to gain unrestricted access to a system where you normally have restricted security privileges or none at all.

I will have to disagree here. UPlay would have to be hiding something (it isn't), and would need to escalate privileges (it doesn't). I think you need to lay off the kool-aid.

quote:
The key point - the ability to execute arbitrary code - is exactly what makes it a rootkit.

I don't know where you got this load of bullshit, but it's not even close. I'm not a big fan of Wikipedia but this actually links back to a McAfee paper I read a while back.
http://en.wikipedia.org/wiki/Rootkit
quote:
A rootkit is a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

Again, we are back to the capabilities and characteristics of the software being used to define what it is. This is how all malware is categorized, based on how it does what it does. The ability to execute arbitrary code is a characteristic of all malware and applies to none specifically.


By EricMartello on 8/1/2012 12:56:19 AM , Rating: 1
quote:
I will have to disagree here. UPlay would have to be hiding something (it isn't), and would need to escalate privileges (it doesn't). I think you need to lay off the kool-aid.


So they've been entirely forthcoming in their need to install a plugin like that in the first place? It's not me who's drinking the kool-aid, bro. You seem to be wearing your false-sense-of-security blanket quite comfortably.

quote:
I don't know where you got this load of bullshit, but it's not even close. I'm not a big fan of Wikipedia but this actually links back to a McAfee paper I read a while back.


By not even close you mean almost exactly the same? I'd recommend reading the link you posted before using it to disagree with me when you were wrong in the first place.

FYI the section of interest is "uses" and it generally echoes what I've been saying.

Installing this plugin allows ubisoft to execute arbitrary code. Once it's there, they can do what they want and uplay is deemed "safe" because it's "not a rootkit" because that's not what wikipedia says.

quote:
Again, we are back to the capabilities and characteristics of the software being used to define what it is. This is how all malware is categorized, based on how it does what it does. The ability to execute arbitrary code is a characteristic of all malware and applies to none specifically.


You're missing the point. The explanation here is not outlining what software must contain to be considered a rootkit; it is simply explaining common characteristics of known rootkits that have already been discovered.

Social engineering is a perfectly valid form of "hacking" and getting people to trust your software and install it willingly to allow you to gain unrestricted access to the computer is just as effective as doing a drive-by download.

Not all malware is designed to allow someone to execute arbitrary code...in fact, most malware is purposeful in its task, normally performing a specific function. The simpler the malware the easier it is to conceal and deliver.


By bhmInOhio on 7/31/2012 7:36:08 AM , Rating: 2
Seems to me that the July 30th patch of the plugin should take care of the security issues if only UPlay apps can now be launched. Prior to the 30th I agree it was an issue, but not now.


Hmmm
By Argon18 on 7/30/2012 5:18:07 PM , Rating: 4
Sounds like a buzzword media article. Ubi's intent was not malicious, it used the execution ability only for legit purposes (launching games), there is no malicious exploit in the wild for said execution code, and they released an update on their own which closed the hole.

If we call this a "rootkit", can we also say that Microsoft has installed rootkits on everyone's PC each time a new "flaw that allows a remote attacker to take control of the machine", is found? Because those kind of Windows security flaws are found nearly every month.




RE: Hmmm
By ritualm on 7/30/2012 6:54:14 PM , Rating: 2
The road to hell is paved with good intentions.


RE: Hmmm
By Rebel44 on 7/30/2012 8:00:55 PM , Rating: 2
Sure, in this case Ubi may not be malicious - they are incompetent.

In general, Ubi is malicious towards PC gamers so I didn't buy any of their games in the last 3 years.


Not a rootkit
By jeepga on 7/30/2012 7:19:12 PM , Rating: 3
This is not a rootkit. Frankly, the definition on Wikipedia could use some work. This is just poor, sloppy programming resulting in a real, dangerous exploit.

But, as far as I'm concerned there's nothing to see here. They fixed it within a few hours. They took it seriously and fixed it. Carry on.




RE: Not a rootkit
By PokerGuy on 7/31/2012 10:32:58 AM , Rating: 2
I disagree about the "nothing to see here" part. I agree that it's not really a rootkit, but the important point to understand is that the company should not have exposed users to potential risks by installing this crap to begin with.

The fact that they hastily sent out a patch to fix the exploit shows that they care about PR damage control, but the bottom line remains that they install this crap on your machine and should be avoided by PC users.


RE: Not a rootkit
By Cannyone on 7/31/2012 3:24:10 PM , Rating: 2
quote:
...the bottom line remains that they install this crap on your machine and should be avoided by PC users.


That I agree with completely! And until Ubisoft gets the message I will continue to tell people NOT to buy their software.


"Paying an extra $500 for a computer in this environment -- same piece of hardware -- paying $500 more to get a logo on it? I think that's a more challenging proposition for the average person than it used to be." -- Steve Ballmer













