Ubisoft DRM Fiasco: Allows Any Website To Take Control Of Your Computer

from the punishing-your-paying-customers dept

It's been nearly seven years since the great Sony rootkit fiasco, when it was discovered that Sony Music was using some DRM on its CDs that self-installed a rootkit (without letting users know) that had all sorts of security problems and vulnerabilities. The company took a massive hit for this, and you would think that others would be a lot more careful with their own DRM. You would think. But, then you don't know Ubisoft. The vast majority of times we've ever discussed Ubisoft in these pages, it's been because the company was doing something ridiculous with DRM. The company loves its DRM and seems to refuse to recognize that pissing off legitimate customers isn't such a good idea.

So would it come as any surprise that it may now be facing a "rootkit moment" of its own?

As a whole bunch of folks have been submitting, some hackers have figured out that Ubisoft's Uplay DRM appears to install an insecure browser plugin. The details came out over the weekend, first on a security mailing list, and were then followed up with some test exploit code posted to Hacker News.

Basically, it appears that Ubisoft's DRM is installing an accidental backdoor that makes it possible for any website to effectively take control over your computer. That's... uh... pretty bad.

From the details, the real problem appears to be one of exceptionally poor coding, rather than maliciousness. Basically, they wanted to let you launch the game via a website, but failed to limit it to just the game -- meaning that a site can make use of the plugin to basically do a whole bunch of stuff on your computer (including things you don't want it to do). The browser plugin is easy to remove (and you should, um, immediately, if you've installed any Ubisoft games), so it's not quite as messy as Sony's rootkit, which was pretty deeply buried. But it's still really bad.
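To make the "failed to limit it to just the game" flaw concrete, here is an added sketch (not Ubisoft's code or the plugin's real API) of a web-to-native launch handler in its unrestricted form beside a restricted one. Every name, path, origin and game ID in it is a constructed assumption.

```javascript
// Added illustration: hypothetical launcher logic, not Ubisoft's plugin code.
// Constructed values; a real launcher would ship these in its own signed
// configuration and never accept them from the web page.
const INSTALL_ROOT = "/opt/launcher/games";
const TRUSTED_ORIGINS = new Set(["https://launcher.example"]);
const GAMES = new Map([
  ["42", { exe: "game-a/bin/game-a", allowedFlags: new Set(["-windowed"]) }],
  ["77", { exe: "game-b/bin/game-b", allowedFlags: new Set() }],
]);

// Flawed design: whatever string the page supplies becomes the command line,
// so the page, not the launcher, decides which program runs.
function resolveLaunchUnsafe(request) {
  return request.split(" ");
}

// Restricted design: the page may only name a known game ID and known flags.
function resolveLaunch(request, origin, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(origin)) {
    throw new Error("origin not allowed: " + origin);
  }
  const { gameId, flags = [] } = request;
  const game = GAMES.get(String(gameId));
  if (!game) {
    throw new Error("unknown game id");
  }
  if (!Array.isArray(flags)) {
    throw new Error("flags must be an array");
  }
  for (const flag of flags) {
    if (!game.allowedFlags.has(flag)) {
      throw new Error("flag not allowed: " + flag);
    }
  }
  // The executable path comes from the table, never from the request, and the
  // result is an argv array meant for a spawn call that does not use a shell.
  return [INSTALL_ROOT + "/" + game.exe, ...flags];
}
```

The restricted handler only resolves the argv; the caller is expected to pass it to a process-spawn call without shell interpretation.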

Yet another case of DRM really making life difficult for legitimate customers who paid money for your product. When will companies figure out that DRM does nothing to stop piracy, but makes life really difficult for the people who actually give you money?

Filed Under: browser plugin, control, drm, rootkit, security, uplay
Companies: ubisoft

Reader Comments

  1. Tim Griffiths, 31 Jul 2012 @ 1:32am

    Re: Re: Re: Re: Re: Re: Re: Re: Not DRM...

    No DRM is or ever can be fully effective at stopping piracy. Most people understand that. Hell, even the MPAA understands that; they've made it illegal to break DRM locks even if you are going to do something you are otherwise legally allowed to do. This exists purely because it gives them a veto on new products... if they don't like a product they stick a lock on their content that stops it working and the new product becomes illegal.

    Most DRM is put in place these days by people who either don't understand that DRM can't be fully effective or are having to answer to backers who don't understand that. Like I was trying to point out, Steam wouldn't have ever gotten off the ground if it had built in DRM.

    Most anti-piracy measures as a whole are aimed at making it harder to do for most people. Take the recent takedown of the YouTube-to-MP3 site. Anyone who's posting here likely has the knowledge to still easily get an MP3 of a YouTube video, and hell, a lot of people know enough to use a browser extension to do so. But taking down that site is not aimed at them, it's aimed at people who are being enabled by the site.

    I know it can be hard to understand for those of us who are technically minded but downloading and cracking a game is actually a relatively high bar to have to pass. It's of course meaningless in the long term as not only is most of the target market perfectly technically minded but people are getting more competent on the whole and things are getting easier and easier to do.

    The point is that you are insisting that DRM is simply there to stop piracy. It's not. As you point out, DRM is utterly ineffective, so you have to ask WHY it's used in products like Steam, and in the context of the market Steam's DRM does exactly what it is meant to do. Stop early leaking of Steamworks games and assure publishers (more the shareholders of those publishers) that Steam does something to try and stop piracy so that those publishers can justify to their shareholders why it's ok to use the service.

    DRM is at this point about far more than actually trying to stop piracy, and "stopping" piracy has been downgraded to "doing something to try and limit it".
