Ubisoft DRM Fiasco: Allows Any Website To Take Control Of Your Computer

from the punishing-your-paying-customers dept

It's been nearly seven years since the great Sony rootkit fiasco, when it was discovered that Sony Music was using some DRM on its CDs that self-installed a rootkit (without letting users know) that had all sorts of security problems and vulnerabilities. The company took a massive hit for this, and you would think that others would be a lot more careful with their own DRM. You would think. But, then you don't know Ubisoft. The vast majority of times we've ever discussed Ubisoft in these pages, it's been because the company was doing something ridiculous with DRM. The company loves its DRM and seems to refuse to recognize that pissing off legitimate customers isn't such a good idea.

So would it come as any surprise that it may now be facing a "rootkit moment" of its own?

As a whole bunch of folks have been submitting, some hackers have figured out that Ubisoft's Uplay DRM appears to install an insecure browser plugin. The details came out over the weekend, first on a security mailing list, and were then followed up with some test exploit code posted to Hacker News.

Basically, it appears that Ubisoft's DRM is installing an accidental backdoor that makes it possible for any website to effectively take control over your computer. That's... uh... pretty bad.

From the details, the real problem sounds to be one of exceptionally poor coding, rather than maliciousness. Basically, they wanted to let you launch the game via a website, but failed to limit it to just the game -- meaning that a site can make use of the plugin to basically do a whole bunch of stuff on your computer (including things you don't want it to do). The browser plugin is easy to remove (and you should, um, immediately, if you've installed any Ubisoft games), so it's not quite as messy as Sony's rootkit, which was pretty deeply buried. But it's still really bad.

Yet another case of DRM really making life difficult for legitimate customers who paid money for your product. When will companies figure out that DRM does nothing to stop piracy, but makes life really difficult for the people who actually give you money?

Filed Under: browser plugin, control, drm, rootkit, security, uplay
Companies: ubisoft

Reader Comments


  1. Coyote (profile), 31 Jul 2012 @ 6:33am

    Re: Re: Re: Not DRM...

    Ding, ding ding! We have a winner for the least informed comment of the day!

    There have been STUDIES, by legitimate companies, everywhere that have, and do state right up that DRM does NOTHING to deter piracy rates. NOTHING. They have done nothing, they continue to do nothing. The reason DRM even exists is just because the companies stop potential product leaks before the game's released. That's literally all DRM is for now.

    DRM is pointless, essentially, except for not leaking your product one day ahead or so. Hackers get past it no problem. The only 'problem' is online-only DRM, and we've already seen the backlash from that with Diablo 3 and Ubisoft.

    DRM is, by definition, evil. You're literally punishing your legitimate customers for paying for a product, because you think they're all just thieves or pirates or infringers and treat them as such.

    CD Projekt Red said something along the lines of DRM, in fact, that pointed out how stupid and useless it is; did they use it? Sure. But then they sent a patch removing it. It's that simple.

    The only way to combat piracy is by providing a superior service. If you ignore that, you're ignoring reality. So go ahead and ignore reality, it's not like logic's stopped you before.
