Ubisoft Uplay plugin has nasty security hole
by Alice O'Connor, shacknews.com, Jul 30, 2012 8:15AM PDT
Update: Ubisoft's statement included below.
A nasty security hole discovered in Ubisoft's Uplay browser plugin could let naughty people run commands and programs on your PC simply with a few lines of code stuck into a webpage. "But I'm fine," you may think, "because why would I ever choose to install a uPlay plugin?" Well, Ubisoft may have kindly done it for you.
Yes, games which use Uplay--ie most of Ubisoft's PC games from the past few years--may have installed the plugin, which you should disable double quick. Head into the addons or plugins section of your browser's options, and disable that nonsense before ne'er-do-wells exploit it.
The hole (via Rock, Paper, Shotgun) lets a webpage execute commands on your PC. The proof of concept, which you can use to test if you've been vulnerable, launches the Windows Calculator program, but it could also do any number of naughty and dangerous things.
Ubisoft has since issued a statement on the issue, via Rock Paper Shotgun:
"We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
"Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues."