Yesterday it came to light that Uplay, Ubisoft’s mandatory online “service” for their PC customers, had been hacked. The hack, however, exposed a serious security vulnerability that could have been used by less savoury types to gain control of Uplay users’ PC applications and files. It was also alleged that this vulnerability was an intentional rootkit hidden by Ubisoft in all copies of Uplay.
Ubisoft has since responded to the debacle and has issued a forced patch for their software. The patch, according to Rock, Paper, Shotgun, was released about nine hours after the vulnerability was discovered.
Ubisoft’s statement is interesting. There’s no apology to speak of, and no counterargument to or dismissal of the accusation that the vulnerability was in fact an intentional rootkit. Secretly installing a means to access customer PCs is nothing new, but it also isn’t accepted, as the Sony BMG scandal revealed. Hit the jump for Ubisoft’s response and how to fix the gaping hole in your PC’s security.
“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”
We’ll likely never know whether or not this vulnerability was just that or an intentional rootkit. It was probably the former; any software publisher would be committing corporate suicide by including malicious code like that in today’s market. Right?
UPDATE: Ubisoft has denied that this was an intentional rootkit embedded in the Uplay service and has explained the origins of this vulnerability:
“The Uplay application has never included a rootkit. The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed unintended access to systems usually used by Ubisoft PC game developers to make their games.”
Source: Rock, Paper, Shotgun
Update Source: Kotaku