Ubisoft DRM Fiasco: Allows Any Website To Take Control Of Your Computer

from the punishing-your-paying-customers dept

It's been nearly seven years since the great Sony rootkit fiasco, when it was discovered that Sony Music was using some DRM on its CDs that self-installed a rootkit (without letting users know) that had all sorts of security problems and vulnerabilities. The company took a massive hit for this, and you would think that others would be a lot more careful with their own DRM. You would think. But, then you don't know Ubisoft. The vast majority of times we've ever discussed Ubisoft in these pages, it's been because the company was doing something ridiculous with DRM. The company loves its DRM and seems to refuse to recognize that pissing off legitimate customers isn't such a good idea.

So would it come as any surprise that it may now be facing a "rootkit moment" of its own?

As a whole bunch of folks have been submitting, some hackers have figured out that Ubisoft's Uplay DRM appears to install an insecure browser plugin. The details came out over the weekend, first on a security mailing list, followed by some test exploit code posted to Hacker News.

Basically, it appears that Ubisoft's DRM is installing an accidental backdoor that makes it possible for any website to effectively take control over your computer. That's... uh... pretty bad.

From the details, the real problem sounds like one of exceptionally poor coding, rather than maliciousness. Basically, they wanted to let you launch the game via a website, but failed to limit it to just the game -- meaning that a site can make use of the plugin to basically do a whole bunch of stuff on your computer (including things you don't want it to do). The browser plugin is easy to remove (and you should, um, immediately, if you've installed any Ubisoft games), so it's not quite as messy as Sony's rootkit, which was pretty deeply buried. But it's still really bad.
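To make the "failed to limit it to just the game" point concrete, here is an added sketch (not Ubisoft's code, and not from the original post) that models a web-triggered launch handler two ways: one that trusts whatever the page sends, and one that checks the calling origin and maps an opaque game ID to a path the plugin itself owns. Every name, origin, ID and path in it is a hypothetical placeholder, and nothing is actually executed; each function only returns the decision.

```javascript
// Added example: hypothetical model of a browser plugin's "launch" handler.
// All identifiers, origins, IDs and paths below are constructed for illustration.

// Assumption: only the publisher's own site may request a launch.
const TRUSTED_ORIGINS = new Set(['https://launcher.example.com']);

// Assumption: pages name games by opaque ID. The plugin owns the mapping to an
// executable and its arguments, so a page never supplies a path or a command line.
const INSTALLED_GAMES = new Map([
  ['game-001', { exe: 'C:\\Games\\ExampleGame\\game.exe', args: ['--from-web'] }],
]);

const deny = (reason) => ({ allowed: false, reason });

// The flaw as the article describes it: the request is passed through as given,
// so "launch the game" really means "run whatever the calling page names".
function resolveUnrestricted(origin, request) {
  return { allowed: true, exe: request.target, args: request.args || [] };
}

// The restricted form: exact-match the origin, accept only a known game ID,
// and ignore any path or arguments the page tried to send along.
function resolveRestricted(origin, request) {
  let parsed;
  try {
    parsed = new URL(origin);          // rejects "null", empty and malformed origins
  } catch {
    return deny('bad origin');
  }
  // Compare the normalized origin exactly; prefix or substring checks would let
  // https://launcher.example.com.evil.test through.
  if (!TRUSTED_ORIGINS.has(parsed.origin)) return deny('untrusted origin');
  if (typeof request.gameId !== 'string') return deny('missing game id');
  const game = INSTALLED_GAMES.get(request.gameId);
  if (!game) return deny('unknown game id');
  return { allowed: true, exe: game.exe, args: [...game.args] };
}
```

The difference is that the restricted handler has no code path where a string from the web page ends up as the thing being run.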

Yet another case of DRM really making life difficult for legitimate customers who paid money for your product. When will companies figure out that DRM does nothing to stop piracy, but makes life really difficult for the people who actually give you money?

Filed Under: browser plugin, control, drm, rootkit, security, uplay
Companies: ubisoft

Reader Comments

  1. Tim Griffiths (profile), 30 Jul 2012 @ 8:50am

    Re: Re: Re: Re: Re: Re: Not DRM...

    I'm pretty sure that Steamworks makes it nearly impossible for a cracked version of a game to come out before it's released on Steam, as game files are encrypted and key content is missing from preloads and game disks. Proof that the only effective DRM is DRM that makes a product unusable. I would need to look this up to be sure but that is my current understanding.

    Once a game is available on Steam it will most likely be cracked within a day, but at that point Steam has done its main job, to stop pirates getting their hands on a game before it's out. Which is actually a major thing in a world where not only can people get a game for free but they could be playing it before anyone willing to pay would be able to do so.

    DRM is not so much about actually stopping pirates but about the fact that publishers often have to assure their shareholders that they are doing something about them there evil pirate types. Valve would never ever have gotten Steam off of the ground if it hadn't come with a set of DRM. Without Steam getting off the ground, DRM free services like Good Old Games wouldn't have had a look in, and even then GOG is doing well more out of the fact that the industry is very slowly being brought around to the idea that it's better to see pirate copies of the game than turn away consumers who might buy it.

    The fact that people are calling Steam's DRM one that works even when it's crackable is reflective of the fact that DRM is an issue of degrees. How much protection does it offer vs how much restriction does it impose, and Steam has struck a balance that works for most publishers and most gamers, mainly by seeking to offset the problems of DRM through adding other value via the use of Steam.

    I actually think that Valve would happily and effectively go DRM free if they could, but in the current climate it wouldn't go down well with a lot of publishers. Even if Valve only went DRM on their own games it would require the ground work for such a system be put in place in Steam, and publishers would see that as a move by Valve to push this issue in the market they currently dominate. Which would have publishers fighting back hugely and could easily sink Steam.

    Steam is proof that DRM that offers some effectiveness in publishers' eyes can be accepted by a user base because it adds value. In fact people value Steam as a service so much they are often willing to rebuy games on Steam they already own in another format just to have them on the service.

    It's not ideal but I firmly believe that if someone other than Valve had pushed the DD market first we'd all be far worse off.
