
Security Hole Shipped With Ubisoft Games Spotted, Fixed

Attackers can reportedly use a bug in the Uplay browser plugin from game publisher Ubisoft to run arbitrary code on the gamer’s PC.


The exploit was discovered by programmer Tavis Ormandy, a Google employee, who successfully leveraged the bug in the browser plugin shipped with Uplay (a component that installs along with Ubisoft’s most recent gaming titles).

By simply pointing a browser equipped with the Uplay plugin to a special web page, an attacker can run malware on the user’s PC without any further notification or interaction. The attack abuses a feature designed to launch games from an embedded browser control, using it in a way the game creators did not anticipate.

“While on vacation recently I bought a video game called Assassin’s Creed Revelations. I didn’t have much of a chance to play it, but it seems fun so far,” wrote Ormandy on a security-related mailing list, as quoted by the BBC. “However, I noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites.”

Uninstalling the browser add-on will mitigate the issue, but will result in the loss of achievements and trophies. The game maker has already issued an emergency update for Uplay that also fixes the bug.

“We have just released a new patch for Uplay PC, which will update your client to version 2.0.4. This patch corrects a flaw in the browser plug-in that was brought to our attention earlier today,” wrote Ubisoft on the official forum.

The bug affects extremely popular gaming titles such as the Assassin’s Creed series, Brothers In Arms, Call of Juarez, Driver: San Francisco, or Heroes of Might and Magic VI, among others.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
