Time Warner Cable Is Ready For A 'Conversation' About Rising Costs, But Not The One You Want To Have
NBC: We Have No Clue Who Tim Berners-Lee Is, But Without Our Commentary, You Wouldn't Understand The Olympics

Ubisoft DRM Fiasco: Allows Any Website To Take Control Of Your Computer

(Mis)Uses of Technology

from the punishing-your-paying-customers dept

Mon, Jul 30th 2012 04:38am -

It’s been nearly seven years since the great Sony rootkit fiasco, when it was discovered that Sony Music was using some DRM on its CDs that self-installed a rootkit (without letting users know) that had all sorts of security problems and vulnerabilities. The company took a massive hit for this, and you would think that others would be a lot more careful with their own DRM. You would think. But, then you don’t know Ubisoft. The vast majority of times we’ve ever discussed Ubisoft in these pages, it’s been because the company was doing something ridiculous with DRM. The company loves its DRM and seems to refuse to recognize that pissing off legitimate customers isn’t such a good idea.

So would it come as any surprise that it may now be facing a “rootkit moment” of its own?

As a whole bunch of folks have been submitting, some hackers have figured out that Ubisoft’s Uplay DRM appears to install an unsecure browser plugin. The details came out over the weekend, first on a security mailing list, and were then followed up with some test exploit code posted to Hacker News.

Basically, it appears that Ubisoft’s DRM is installing an accidental backdoor that makes it possible for any website to effectively take control over your computer. That’s… uh… pretty bad.

From the details, the real problem sounds to be one of exceptionally poor coding, rather than maliciousness. Basically, they wanted to let you launch the game via a website, but failed to limit it to just the game — meaning that a site can make use of the plugin to basically do a whole bunch of stuff on your computer (including things you don’t want it to do). The browser plugin is easy to remove (and you should, um, immediately, if you’ve installed any Ubisoft games), so it’s not quite as messy as Sony’s rootkit, which was pretty deeply buried. But it’s still really bad.

Yet another case of DRM really making life difficult for legitimate customers who paid money for your product. When will companies figure out that DRM does nothing to stop piracy, but makes life really difficult for the people who actually give you money?

Filed Under: , , , , ,
Companies: ubisoft

92 CommentsLeave a Comment
If you liked this post, you may also be interested in...
Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Ubisoft DRM Fiasco: Allows Any Website To Take Control Of Your Computer”

Subscribe: RSS Leave a comment
92 Comments
Anonymous Coward says:

Not DRM...

Well technically not DRM since it was just used to launch the game from a website, the DRM is still written or integrated by similar development teams. This doesn’t put faith into the company’s development process. I mean if they couldn’t do a proper security review of a browser plugin, what about their DRM or other systems like their forums. I can understand that it is difficult and there are always deadlines and the such. This is more of a case of a company that loves its DRM to screw over legitimate customers, screwing over customers for wanting to play their games.

Anonymous Coward says:

Re: Re: Not DRM...

Yeah, but it’s a better story for Techdirt when it’s an evil DRM, rather than just a convenience tool. But that’s okay.

Ding, ding. Mike “Yellow Man” Masnick strikes again! DRM is scary! And it totally, absolutely, 100% doesn’t work! He knows this with absolute certainty and there is absolutely no debate on that point.

Anonymous Coward With A Unique Writing Style says:

Re: Re: Re:2 Not DRM...

Well, I’m not with the AC on this, he’s full of it as usual in an attempt to paint Mike in a bad light.

But I can think of at least one version of DRM that has worked. Steam. It is essentially DRM. But it’s good DRM and is accepted as such by those who are aware of it. The trade-offs are few and the benefits actually surpass any of the usual DRM problems/critiques.

In fact, I avidly avoid anything that has DRM, with the exception of Steam. But that’s just me.

varagix says:

Re: Re: Re:5 Not DRM...

I’m a Steam user myself, and while I’ve rarely had problems, I know people who either could not use Offline mode, or Offline mode didn’t work like it was suppose to. And as was said before, Steam games still get pirated, so the DRM still doesn’t ‘work’. All the value in Steam comes from its UI, user tools, and the plethora of sales they regularly host.

ltlw0lf (profile) says:

Re: Re: Re:7 Not DRM...

Offline mode is like Chaos: for some it works, for others, you have to sacrifice a goat on the eve of a BLue Moon whilst chanting the theme to Psychonauts backwards.

I’ve had mixed success. On my game machine, Steam just works, offline or not. But since it is always connected to the internet except when the ISP is borked, it should work. On my laptop (until I got rid of Windows,) I followed the exact procedure several different times and it never seemed to work right (sometimes I could play the games, but most of the time it just didn’t work.) Getting it working on the laptop was kinda important, because that was the one machine which would go places where there wasn’t reliable internet.

AzureSky (profile) says:

Re: Re: Re:3 Not DRM...

steam drm dosnt work to stop piracy, check out l4d/l4d2/portal2 and most other steam games are torrent-able soon after release……the steam versions of some games are easier to pirate then the rest…..so it dosnt work to stop piracy in the way DRM proponents insist, steam promotes purchase due to good prices and excellent service.

Tim Griffiths (profile) says:

Re: Re: Re:2 Not DRM...

Steam. Steam is actually a very restrictive DRM system and actually I think still needs lots of improvements. I shouldn’t for example still have issues with getting in to offline mode if I’m unexpectedly put offline.

Yet for the most part users view it as “fair” and any pain the DRM is causing is off set by the features and value that the client adds. Valve understands it’s user base and does not have to answer to panicy share holders over “OMG PIRACY” while ubisoft have largely shown they have no idea what they where doing. It’s only been through user back lash that we’ve seen any improvement from them lately.

Anyway, DRM is always a bad thing for the end user. Always. Yet so long as it’s not awful and the DRM also comes with features we like then it’s a trade off people can be willing to make.

Tim Griffiths (profile) says:

Re: Re: Re:4 Not DRM...

I’m pretty sure the steamworks makes it nearly imposable for a cracked version of a game to come out before it’s realised on steam as game files are encrypted and key content is missing from preloads and game disks. Proof that the only effective DRM is DRM that makes a product unusable. I would need to look this up to be sure but that is my current understanding.

Once a game is available on steam it will most likely be cracked with in a day but at that point steam as done it’s main job, to stop pirates getting their hands on a game before it’s out. Which is actually a major thing in a world where not only can people get a game for free but they could be playing it before any one willing to pay would be able to do so.

DRM is not so much about actually stopping pirates but about the fact that publishers often have to ensure their shareholders that they are doing something about them there evil pirate types. Valve would never ever have gotten steam off of the ground if it hadn’t come with a set of DRM. With out steam getting off the ground DRM free services like good old games wouldn’t have had a look in and even then GOG is doing well more out of a the fact that the industry is very slowly being brought around to the idea that it’s better to see pirate copies of the game then turn away consumers who might buy it.

The fact that people calling steams DRM one that works even when it’s crackable is reflective of the fact that DRM is an issue of degrees. How much protection does it offer vs how much restriction does it impose and steam has struck a balance that works for most publishers and most gamers mainly by seeking to offset the problems of DRM through adding other value via the use of steam.

I actually think that valve would happily and effectively DRM free if they could but in the current clement it wouldn’t go down well with a lot of publishers. Even if valve only went DRM on their own games it would require the ground work for such a system be put in place in steam and publishers would see that as a move by valve to pushing this issue in the market they currently dominate. Which would have publishers fighting back hugely and could easily sink steam.

Steam is proof that DRM that offers some effectiveness in publishers eyes can be accepted by a user base because it adds value. In fact people value steam as a service so much they are often willing to rebuy games on steam they already own in another format just to have them on the service.

It’s not ideal but I firmly believe that if some one other than valve had pushed the DD market first we’d all be far worse off.

Anonymous Coward says:

Re: Re: Re:6 Not DRM...

I think while the ideal would be stopping piracy, the real goal of DRM is to significantly reduce it.

While you are correct in saying that steam does not stop piracy, which i think is simply impossible. I believe it has been rather effective in reducing it. Of course when publishers decide to layer their own DRM on top of steam… i’m not sure i’m convinced steam can make up for stupid

Tim Griffiths (profile) says:

Re: Re: Re:6 Not DRM...

No DRM is or ever can be fully effective at stopping piracy. Most people understand that. Hell even the MPAA understands that, they’ve made it illegal to break DRM locks even if you are going to do something you are other wise legally allowed to do. This exists purely because it gives them a veto on new products… if they don’t like a product they stick a lock on their content that stops it working and the new product becomes illegal.

Most DRM is put in place these days by people who either don’t understand that DRM can’t be fully effective or are having to answer to backers who don’t understand that. Like I was trying to point out steam wouldn’t have ever gotten off the ground if it had built in DRM.

Most anti piracy measures as a whole are aimed at making it harder to do for most people. Take the resent take down of the youtube to mp3 site. Any one who’s posting here likely has the knowledge to still easily to get a MP3 of a youtube video and hell a lot of people know enough to use a browser extension to do so. But taking down that site is not aimed at them, it’s aimed at people who are being enabled by the site.

I know it can be hard to understand for those of us who are technically minded but downloading and cracking a game is actually a relatively high bar to have to pass. It’s of course meaningless in the long term as not only is most of the target market perfectly technically minded but people are getting more competent on the whole and things are getting easier and easier to do.

The point is that you are insisting that DRM is simply there to stop piracy. It’s not. As you point out DRM is utterly ineffective so you have to ask WHY it’s used in products like steam and in context of the market steams DRM does exactly what it is meant to do. Stop early leaking of steamworks games and assure publishers (more the shareholders of those publishers) that steam does something to try and stop piracy so that those publishers can justify to their shareholders why it’s ok to use the service.

DRM is at this point about far more than actually trying to stop piracy and “stopping” piracy has been downgrading to “doing something to try and limit it”.

Sheogorath (profile) says:

Re: Re: Re:7 Not DRM...

This exists purely because it gives them a veto on new products… if they don’t like a product they stick a lock on their content that stops it working and the new product becomes unusable.
Fixed that for you, Tim Griffiths.
BTW, it’s possible that YouTube to MP3 has simply been blocked in certain areas, because I’ve just tried to access it and it’s still there.

Anonymous Coward says:

Re: Re: Re: Not DRM...

I’ve never had a game that chrashed because of lack of DRM.

I’ve had security risks becuase of DRM

I’ve had payed for games not launch the singleplaer because the DRM determined that I didn’t start the game while online.

I’ve had paid-for games not intalled because the DRM maker wrongly assume the only use for them is to copy commecial disks.

So yes, DRM is malware and Mike is right on the money on this issue.

Anonymous Coward says:

Re: Re: Re: Not DRM...

I’ve never had a game that chrashed because of lack of DRM.

I’ve had security risks becuase of DRM

I’ve had payed for games not launch the singleplaer because the DRM determined that I didn’t start the game while online.

I’ve had paid-for games not intall when a dvd burner was detected because the DRM maker wrongly assume the only use for them is to copy commecial disks.

So yes, DRM is malware and Mike is right on the money on this issue.

Anonymous Coward says:

Re: Re: Re: Not DRM...

I’ve never had a game that chrashed because of lack of DRM.

I’ve had security risks becuase of DRM

I’ve had payed for games not launch the singleplaer because the DRM determined that I didn’t start the game while online.

I’ve had paid-for games not intall when a dvd burner was detected because the DRM maker wrongly assume the only use for them is to copy commecial disks.

So yes, DRM is malware and Mike is right on the money on this issue.

Coyote (profile) says:

Re: Re: Re: Not DRM...

Ding, ding ding! We have a winner for the least informed comment of the day!

There have been STUDIES, by legitimate companies, everywhere that have, and do state right up that DRM does NOTHING to deter piracy rates. NOTHING. They have done nothing, they continue to do nothing. The reason DRM even exists is just because the companies stop potential product leaks before the game’s released. That’s literally all DRM is for now.

DRM is pointless, essentially, except for not leaking your product one day ahead or so. Hackers get past it no problem. The only ‘problem’ is online-only DRM, and we’ve already seen the backlash from that with Diablo 3 and Ubisoft.

DRM is, by definition, evil. You’re literally punishing your legitimate customers for paying for a product, because you think they’re all just thieves or pirates or infringers and treat them as such.

CD Projekt Red said something along the lines of DRM, in fact, that point out how stupid and useless it is; did they use it? Sure. But then they sent a patch removing it. It’s that simple.

The only way to combat piracy is by providing a superior service. If you ignore that, you’re ignoring reality. So go ahead and ignore reality, it’s not like logic’s stopped you before.

Tim Griffiths (profile) says:

Re: Re: Not DRM...

In this case the plugin could exist with out the DRM and the DRM could exist with out the plug in but while it’s unlikely the plugin as is would have been created if the DRM hadn’t been it’s the result of ubisoft trying to provide a DRM neutral feature.

You’ve got a valid point on this one. I love any chance to bash ubisoft, if you look at my post history I spent a while the other week trashing blizzard for the whole Diablo 3 always online mess and it’s something I take very seriously. Yet the fact is this plug in could have been a feature of completely DRM free ubisoft store/social system. It’s mind numbing that they let it happen and it calls in to question my willingness to have anything from them installed on my system, especially if it’s something as intrusive as DRM can be…. but ya… not an case for “DRM IS EVIL” this time I feel.

Tim Griffiths (profile) says:

Re: Re: Re: Not DRM...

Actually I want to amend that a little bit.

If this was not part of a DRM system then you wouldn’t have been forced to install it. And while a lot of people may have installed it anyway for what ever reason the only reason every one who owns a ubisoft PC game has it installed is because of the systems role, as a whole, as acting as DRM.

The plugin and the hole it creates is not directly related to the DRM but it is a required feature of it…. take that as you will.

MRK says:

Re: Re:

When customers stop buying the games, the publishers decry “piracy” and come up with even more invasive DRM.

IP publishers don’t really understand the concept of customers voting with their wallets. The publishers assume that they will have sales growth year after year, no matter how crappy the music/movies/games are. Any shortfall in that expected growth is assumed to be piracy.

Anonymous Coward says:

Re: Re:

That doesn’t work.
The publishers just assume that if they are not making money hand over fist that people are pirating it instead of buying it (they don’t need or even want proof, they just want to blame piracy for their latest craptastic game with it’s craptastic DRM, not selling), and that means they need more DRM… and so the cycle continues.

abc gum says:

“The company took a massive hit for this”

Sony was subjected to a massive (verbal) hit in the media and blogs, but afaik was not prosecuted for their egregious behavior nor did they suffer much financially. A few people refuse to knowingly purchase anything from Sony, but the majority remain unaware or do not care. Can you imagine the uproar and righteous indignation resulting from an individual secretly installing a rootkit on millions of personal and business computers? Certainly we would be in need of a rootkit czar to coordinate the efforts of the war on rootkits.

That Anonymous Coward (profile) says:

Re: Re:

I don’t have to imagine that scenario, they have been pushing for that for the last few years.
Skype is suddenly more tappable.
All internet traffic seems to be going through black boxes, but I shouldn’t worry if I am “good people” ™.
They keep pushing to have a copy of my use of the internet for 2 years, again saying if I am “good people” ™ I shouldn’t be worried.
I have an agency blocked by law from spying on US citizens, harvesting massive amounts of data on citizens to make sure we all are “good people” ™.

The pundits are screaming how hackers could set the earths core to detonate with a browser, but the response to corporations and agencies hacking peoples machines/connections is to ask for the rights for them to do even more.

Bengie says:

Re: STOP BUYING

What about the uneducated end user who doesn’t know all of that stuff and when you even mention it, it goes over their head?

While you say “Sucks to be them”, we all have to suffer for their ignorance.

I have a hard time blaming those who are ignorant, so I would rather blame Ubisoft.

relghuar says:

Re: Re: STOP BUYING

I don’t have a hard time blaming ignorants. Actually I have a very easy time.
I’m pretty sure you wouldn’t hesitate to blame the man who drove you over with his car, if you found out not only has he no driver’s licence, but also never bothered to learn basic traffic regulations??

Anonymous Coward says:

Re: Re: Re: STOP BUYING

“I’m pretty sure you wouldn’t hesitate to blame the man who drove you over with his car, if you found out not only has he no driver’s licence, but also never bothered to learn basic traffic regulations??”

How does that equate to ignorance? Your analogy is piss poor. I am sure you can do better.

relghuar says:

Re: Re: Re:2 STOP BUYING

Whooops… if THAT is not ignorance, I really don’t know what is.
I agree it may not happen very often these days, because by now it’s pretty much too ignorant (and quite suicidal) for almost anyone to risk driving without basic knowledge how to avoid other “obstacles” on the road :-). But as an analogy (or hyperbole perhaps?) I believe it still stands. You solely would be to blame if you caused damage/harm by driving against regulations even if you didn’t know which ones you were breaking, and this doesn’t only go for driving. I think the legal principle is called “Ignorantia juris non excusat”. This, as well, should not only go for law.
Bottom line – you should always know what you’re buying. You can complain about any “features” of the product as much as you like, but as long as the manufacturer/author doesn’t try to hide them, it was only your decision to buy the product without getting relevant information. And if he does try to hide them (see sony and their rootkit), well, personally that would be the last thing I ever bought from this company/person, ever.

PaulT (profile) says:

Re: STOP BUYING

“I see so many people complaining about DRM. If you want it to stop, quit buying games that require internet connections, unsecure add-ons, etc”

I do, but then the idiots in control of these things assume that the downfall in sales is due to piracy and double down on their idiot DRM tactics.

There’s a 2 pronged approached required here. One step is to not buy DRM-infected crap. The other is to make sure the company knows that it’s DRM, not another more convenient scapegoat, that’s the cause of their dropping sales.

Tim Griffiths (profile) says:

Re: STOP BUYING

What’s funny is that I’ve avoided Uplay utterly until the steam sale the other week where I picked up an assassins creed game cheap enough that I was willing to write off the crappy DRM but only because it is no longer “always on” crap.

I was really enjoying the game too and now the first thing I have to do when I get home is uninstall it. On the bright side it will let me go on to play one of the stack of other games I also brought in the steam sale!

Anonymous Coward says:

These are the kind of things that need regulating, if you cant guarantee security and privacy to a high level, then you shouldn’t have the right to release it, not when your reputation as a company is on the line, for those who care that is, for those who don’t, well that’s just the equivalent of you saying a big fck y’all, internet etiquette man, internet etiquette.

Anonymous Coward says:

Re: Re:

And this is from a high profile company we assume takes these things into consideration, we still have to content with other companies who actively go out to be malicious, and those like ubisoft who supposedly do it through ignorance, because you see that the catch, we are all gonna automatically think, Was it ignorance?, if companies keep repeating them, or are they just completely incompetent when it comes to these issues, which for us, well those who care about it, is very important aspect to using the net

Privacy and security should not be an option, it should be a god damn right, with no exceptions to that fact.

Theses are the concerns that cyberbills should tackle, without having to do the very same thing (or worse) that the “cyberbill” is trying to prevent

Anonymous Coward says:

Re: Re:

No regulations for me please.

The government should only get involved in clarifying things like conducting research on security and how to develop things securely so they can open their mouth when things are fragrantly wrong.

Those same regulations over time will evolve into insurmountable barriers to entry into the market.

So no, no regulations.

Research into best practices and awareness campaigns are all good but actually trying to govern how things are done specially in a field where there is no way to guarantee the final product will be bug free is out of the question.

Anonymous Coward says:

i.e

Mandate that all companies adhere to a strict privacy and update security regime, and if it is found that they have willfully ignored it, fine their ass.

Enough that it hurts, not to ruin, unless they consistently abuse, off course the amount would have to take the company into account, if you fine a company 10million, who clears 25million, more then likely they’ll lift their socks. If you fine 10million to a company who clear 10billion, oh yeah, im sure that be enough incentive

Anonymous Coward says:

UBISOFT ONLINE PRIVACY STATEMENT

UBISOFT ONLINE PRIVACY STATEMENT

Q5 What kinds of security measures do we take to safeguard your personally identifiable information?

A5 The security and confidentiality of your personal information is extremely important to us. We have implemented technical, administrative, and physical security measures to protect your personal information from unauthorized access and improper use. To prevent unauthorized electronic access to personal information, we maintain information collected online behind a firewall-protected server; use SSL encryption for purchases made through our online store; limit access to only those employees performing a legitimate business function; store your personal information on servers separate from other corporate information and systems; verify your identity by asking you for information only known to you; and notify you by email and by posting a notice on our website if we learn that a breach has occurred. From time to time, we review our security procedures to consider appropriate new technology and methods. However, please understand that, despite our best efforts, no security measure is perfect or impenetrable.

?The security and confidentiality of your personal information is extremely important to us.?

?To prevent unauthorized electronic access to personal information, we .?.?. limit access to only those employees performing a legitimate business function?

?The security and confidentiality of your personal information is extremely important to us.?

John Fenderson (profile) says:

This is not a rootkit

I’m not saying that it isn’t a terrible thing, but “rootkit” has a specific technical meaning, and this doesn’t qualify.

Specifically, an important part of what makes something a “rootkit” is that it uses privileged access to the machine to actively hide its presence from the OS itself.

This is a browser plugin that not only is plainly visible but can be disabled.

That Anonymous Coward (profile) says:

Re: Re: This is not a rootkit

In his defense I do think I say a headline over on /. saying rootkit, and I am sure some people reported it that way.

What this is, is a crapily made program and exposes customers to huge risks.

And while he points out you can disable it, that would involve people knowing it was installed by the game, that the addon is a complete flaming failure that opens up a security hole all so this company could launch the game from your browser.
Ubisoft isn’t the company breaking this story, it is security researchers. Ubisoft quietly updated the program and let everyone else take the lead on informing consumers about this.

hopponit (profile) says:

sony rootkit

Sony got caught in a big flap about rootkits before but I never heard more about an earlier example. Back in the late ’90s on my first PC I purchased Beem, an emulator for playing Play-station games on PCs. I used it to play the games while my kids were hogging the consoles. It worked pretty well till Sony took them to court and caused them to go out of business. Older games would still play. But if you tryed a game launched after Sony started to go after them suddenly Beem wouldn’t work. Even games that had played stopped functioning until you re-installed your OS and then only with the older games. Run a newer game and you were back to re-installing the OS. I have boycotted all new Sony products since then. Before that I was pretty much a big fan-boy of Sony. May they get much sand in their swim trunks at the beach:) We just got our third new Xbox, never another Play-Station!

michealPW says:

Not DRM nor Rootkit

“facing a “rootkit moment” of its own?”

Well no, this is nowhere near a Rootkit. Rootkits modify the operating system’s Kernel in order to hide locations from the user, such as a folder or file sitting at the root of your disk (C:)

In fact, this isn’t even DRM… Digital Rights Management enforces licenses and copyright restrictions.. This was just some terribly planned (Not even so much bad code, but an awful plan from the very get-go to remotely-launch random programs.)

For argument’s sake, what I mean by bad plan, not bad code: If anything, when you click a link in a webpage it *could* trigger an already-installed launcher to run. Same way Steam and many other things work. You simply have the launcher register itself as a handler of some protocol.. Like the UBI:// protocol. Then whenever a link beginning with that protocol is clicked, your browser launches the UBI launcher and passes the address along to it… That way the enforcement is in the launcher and it’s not just a random request to run *anything* on your machine.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Time Warner Cable Is Ready For A 'Conversation' About Rising Costs, But Not The One You Want To Have
NBC: We Have No Clue Who Tim Berners-Lee Is, But Without Our Commentary, You Wouldn't Understand The Olympics
Follow Techdirt

Techdirt Daily Newsletter

Ctrl-Alt-Speech

A weekly news podcast from
Mike Masnick & Ben Whitelaw

Subscribe now to Ctrl-Alt-Speech »
Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...