Ubisoft DRM Lets In Remote Attackers, Google Engineer Reports

enigmax
July 30, 2012
100
DRM,
ubisoft
Print

Hacker Tavis Ormandy has discovered a serious vulnerability in a well-known PC game DRM system. The Google engineer said that after buying a game from Ubisoft he became aware that its “Uplay” browser plug-in might prove problematic. In the early hours of this morning Ormandy confirmed that the add-on allows remote and “wide access” to machines running the DRM, potentially giving malicious attackers free reign to wreak havoc.

Digital Rights Management (DRM) software is seen as an essential part of life for many games developers. It allows them to control who and who cannot copy, install and otherwise operate their software, usually for the purposes of piracy control.

But all too often DRM hits the headlines when it either fails to do its job or generates unintended side-effects that cause headaches for legitimate users. Today could be the start of a very big headache indeed for Ubisoft and people who have purchased the company’s games.

According to hacker/researcher Tavis Ormandy, the Uplay DRM system designed and operated by Ubisoft could be opening up the company’s customers’ machines to a whole world of hurt.

“While on vacation recently I bought a video game called ‘Assassin’s Creed Revelations’. I didn’t have much of a chance to play it, but it seems fun so far,” Ormandy wrote on the Full Disclosure mailing list yesterday.

“However, I noticed the installation procedure creates a browser plugin for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites. I don’t know if it’s by design, but I thought I’d mention it here in case someone else wants to look into it.”

Just 24 hours later Ormandy was back with a worrying update.

“I got it working,” he wrote. “I submitted it to Ubisoft via the online form.”

What Ormandy appears to be suggesting is that once hackers understand how this vulnerability works, websites could incorporate an exploit into their designs which could then allow them to gain access to a Ubisoft game-player’s PC. The sky’s the limit with this kind of opening – software installs, keyloggers, bots or other malware all become possible.

A list of games running Uplay DRM can be found here – they include some huge names such as the Assassins Creed series, Call of Juarez: The Cartel, Driver: San Francisco, Silent Hunter 5: Battle of the Atlantic, and all the Tom Clancy games.

TorrentFreak contacted Ormandy for comment and we will update this article with his comments when they come in.

Previous Post | Next Post

Follow @torrentfreak

Danny

DRM Only ever hurts paying customers.
- Scary_Devil_Monastery
  
  Indeed. Does anyone spot the irony that it’s specifically “Assassin’s Creed” which again shows a massive DRM flaw?
  
  In case you’d forgotten, a predecessor in that series got famous by the way it’s DRM required online validation – and the way every legal customer got it’s game completely bricked by the certification servers going off line while all the pirates happily kept playing…
  - Guest
    
    My reaction to uplay:
    
    http://www.youtube.com/watch?v=B5fvIJuXers
    - FakeElections
      
      Lol it had to be ubisoft.. I downloaded one of their games the other day and it has UPLAY built in. I cant be bothered to sign up for account so i just removed the game… And i will certainly never buy a Ubisoft game.. Or an EA game… The list gets bigger…
  - FreeBSD
    
    business as usual.
    - mars
      
      welcome to the future if u think u can find a stand alone game that is worth playing good luck and let me know, I hate it but thats the way the gaming buisness is moving with pay to play and pay to win games and DLC’s
    - http://gene-poole.tumblr.com Gene Poole
      
      @a7cabcd7fe07177a08b602e8c80ebc60:disqus I’ve found that pretty much everything on the humble bundles has been well worth the money. Admittedly they’re not part of series, most of them, but that doesn’t make them shit.
      
      Hell, VVVVVV looks and sounds like it’s emulated from an Apple ][e, and I still spent a good week playing the shit out of it.
- Eric
  
  ”“However, I noticed the installation procedure creates a browser
  plugin for its accompanying Uplay launcher, which grants unexpectedly
  (at least to me) wide access to websites. I don’t know if it’s by
  design, but I thought I’d mention it here in case someone else wants to
  look into it.”
  
  Just 24 hours later Ormandy was back with a worrying update.
  
  “I got it working,” he wrote. “I submitted it to Ubisoft via the online form.”
  
  What Ormandy appears to be suggesting is that once hackers understand
  how this vulnerability works, websites could incorporate an exploit
  into their designs which could then allow them to gain access to a
  Ubisoft game-player’s PC. The sky’s the limit with this kind of opening –
  software installs, keyloggers, bots or other malware all become
  possible.”
  
  Many already knew this and do not trust most things that are downloaded that have to connect to internet to work and if the company says “we didn’t know””’, they clearly have not been doing their job and unfortunately this is the way society is working right now, the ones that have the money do not know sht most of the time and the ones that are poor do, at least in my case. Also you are not supposed to molest every girl that you date and are not supposed to use deception to get to her. I am tired of male whores who fuck all the girls therefor limiting the selection for those that can not ever stand the fact that someones dick has been inside the girl that they are interested in. Dating a chick who has had another penis inside her is like jumping into a swamp, its gross.
  - Eric
    
    also once you have had 4 or more sex partners, you will never be right, although research shows the number is as low as 3.
    - Guest
      
      Cite it. You claim that research shows that people aren’t “right” (whatever that incredibly subjective word may mean to you), so cite it. Operationally define “right”, explain why your operational definition has any validity, then show the research that proves that 4 sexual partners causes you to not meet the standards of your operational definition.
      
      You can do this, right? I won’t just be left hanging, waiting for a citation that won’t come because it doesn’t exist, right?
  - John
    
    Male whore here! You’re a fucking idiot :)
    
    Enjoy the limited selection!
    - Kamisha
      
      I hope you die of aids or some other disease you deceptive, molesting fucker, however a car wreck would be much faster or an overdose. Men are responsible for protecting the women/girls, and by your behavior you shall be judged. Hope you enjoy getting rammed up the ass in hell while burning in flames for your actions.
    - Guest
      
      @fc5864ddd89d27caca47f238c2a3ed66:disqus
      
      What has John said to make you think that he is “deceptive” or that he molests women? All he’s claimed is that he enjoys having sex with them. Why do you assume that the sex was non-consensual? Women do enjoy sex. There is no reason to believe that they wouldn’t enjoy having sex with this particular individual.
      
      More to the point, are you the same person as Eric above? You seem to use the same rhetoric (deceptive and molesting), and you show the same assumption that any man who has sex with women is doing so against their will.
  - Guest
    
    The last part of your post is just so hilariously random and unrelated to the post as a whole. that I just can’t help but respond to it.
    
    “Also you are not supposed to molest every girl that you date and are not supposed to use deception to get to her.”
    
    This is technically true, but your tone and the rest of your post suggest that your definition of molest includes a high percentage of normal dating activity. Do you consider sex to be molestation?
    
    “I am tired of male whores who fuck all the girls therefor limiting the
    selection for those that can not ever stand the fact that someones dick
    has been inside the girl that they are interested in.”
    
    Technically, they aren’t limiting the selection. You are. You are the one who has chosen to impose a standard for dating that is not based upon the intellectual, moral or personality characteristics of your mates. Can you explain the reasoning for limiting your standard? Oh, yes, you do in the next sentence. Speaking of…
    
    “Dating a chick who has had another penis inside her is like jumping into a swamp, its gross.”
    
    Why? There isn’t a trace of another man inside there when you have sex with her. The vagina, like all orifices in the human body, possesses a system to clean itself. Sperm generally don’t live more than a week, and they tend to be flushed out of the vagina far before that. Can you point to one physical difference in the non-virginal vagina that would make it swamp-like? If you can’t, then can you admit that you hold an irrational and judgmental belief?
    
    I wouldn’t normally be so harsh, but if you’re going to blame others for a standard you place on yourself and treat an irrational belief (the “grossness” of a non-virginal vagina) as having perfect validity, then I’m not going to feel bad about calling you out on your dickishness.
    - Eric
      
      the vagina is meant to be married to 1 man, therefor, dating aka “I fuck her to be w/ her” the question is then “What gives you the right to violate her then u2 split up and someone else gets 2nds, thirds, etc? If you can see a female w/ a male and they are “together 9/10 they r fucking”. Why would any1 say then if they break up as tons of ppl fuck m & leave m, I’ll take next? In the proper judgement to this is to check into the individual be4 intercourse as to their partners they have had and ask “do you want to have sex and discuss your history truthful be4 sexual activity, not just do it. The bible speaks about this.
    - Guest
      
      “the vagina is meant to be married to 1 man,”
      
      You haven’t defended your claim here, you’ve just repeated it. You’re taking it as a granted that your version of morality is correct and unquestionable. It isn’t. Does women and men having sex harm or disrespect the rights of anyone? If not, I can’t see how it’s an immoral actions.
      
      “What gives you the right to violate her ”
      
      Who violated her? There was completely consensual sex involved, where both man and woman enjoyed and voluntarily participated in the sex. Do you dispute that women can have voluntary sex before marriage? If you do, I can point you to psychological science that proves you wrong.
      
      “someone else gets 2nds, thirds, etc? ”
      
      Why do you care? I ask again, what is actually physically different about a post-virginal vagina that should lead you to care about this?
      
      “If you can see a female w/ a male and they are “together 9/10 they r fucking”. ”
      
      I see no reason why I should care what they are doing. It’s not my business.
      
      “In the proper judgement to this is to check into the individual be4
      intercourse as to their partners they have had and ask “do you want to
      have sex and discuss your history truthful be4 sexual activity, not just
      do it. ”
      
      Again, you’re just assuming that someone having sex before marriage makes them gross. You haven’t actually defended that claim. You’ve just repeated it. Your actions are based off of an irrational and unjustified premise, and you aren’t able to defend it.
      
      “The bible speaks about this.”
      
      This means nothing to me. You need empirical evidence, not sanctimonious moralizing.
      
      Please actually give an answer to my questions instead of just repeating yourself next time.
    - Eric
      
      Does women and men having sex harm or disrespect the rights of anyone? If not, I can’t see how it’s an immoral actions.
      yes it does… see christian family radio
      
      There was completely consensual sex involved, where both man and woman enjoyed and voluntarily participated in the sex
      
      Was there a consent form? Did you ask instead of just doing? Did that person have the intelligence to weigh the benefits/drawbacks of their actions or were they under the influence? Having sex under the influence of any drugs is considered rape. There are articles about this on the internet which discuss this. Alcohol is a drug.
      
      “In the proper judgement to this is to check into the individual be4
      intercourse as to their partners they have had and ask “do you want to
      have sex and discuss your history truthful be4 sexual activity, not just
      do it. ”
      
      Again, you’re just assuming that someone having sex before marriage
      makes them gross. You haven’t actually defended that claim. You’ve just
      repeated it. Your actions are based off of an irrational and unjustified
      premise, and you aren’t able to defend it.
      
      Its considered unpure and compared to a a grass thats fell by the wayside. (see bible) See christian family radio for more answers
    - Eric
      
      I have decided to elaborate on this
      
      Does women and men having sex harm or disrespect the rights of anyone? If not, I can’t see how it’s an immoral actions.
      yes it does… see christian family radio
      
      You are cheating on your lifetime partner. Refer to Christian Family Radio for more info. This is what they have discussed and the above is the answer.
    - Guest
      
      ”yes it does… see christian family radio’
      
      I’ve listened to Christian radio before on multiple occasions and on multiple channels. None of them have convinced me. If you want to convince anyone, you’re going to need to be able to articulate your reasons yourself. If you really can’t, then at least provide a link to an article explaining the reasoning.
      
      (I see that you made another post giving a basic reason).
      “You are cheating on your lifetime partner.”
      
      You can’t cheat on someone you aren’t in a relationship with. This point only works if you assume that cheating can occur based on a predestination of who you will be with in the future. There is no empirical evidence to support the idea of predestination, so I’m going to stick with the traditional definition of infidelity, which is “The action or state of being unfaithful to a spouse or other sexual partner.” You can’t be unfaithful to a spouse you don’t have.
      
      I will use my own personal experiences having dated four women for extended periods of time to answer your next queries.
      
      “Was there a consent form?”
      
      No, but consent can be given without signing a contract. Consent given by words is still consent. I know that all of the women I have had sex with cosented because they initiated sex with me multiple times over the average of 6 months that I dated each one of them. If they initiate sex, they consent to the sex, and they want the sex. They’ve told me that they enjoy sex.
      
      “Did you ask instead of just doing?”
      
      Yes, for each relationship.
      
      “Did that
      person have the intelligence to weigh the benefits/drawbacks of their
      actions or were they under the influence?”.
      
      I have never had sex with anyone under the influence of alcohol or any drugs. It’s also important to note that under the law, consent can be given before the ingestion of alcohol, and the consent holds if the individual does not completely lose judgement. I advise that you look up what constitutes sexual assualt vs rape vs normal sex when alcohol is involved. Given your views, I’m skeptical that you understand the nuances of the law here.
      
      Knowing all that I have said to you, do you accept that women can and usually do have and enjoy premarital sex that is not rape or molestation? If you don’t, then will you believe it if I provide scientific evidence that this is true (because scientific evidence does say that it is true, and I can show you the studies to prove it)? If not, then why not?
      
      “(see bible)”
      
      As before stated, I do not consider the bible to be of use for judging morality. I will not expand on why here, because that would be taking this too far off topic. To make it short, you’re going to have to tell me why it should be viewed as immoral, not just point to an authority and claim that it’s immoral because the authority said so.
      
      I don’t think I’ll respond to your next post. This is going very far off topic for torrentfreak. Feel free to respond. If you expand more, I may respond. If not, have a good day, and I hope you change your views to become more moral in the future.
    - Eric
      
      Straight Men, Are You Worried?
      
      http://www.davidicke.com/forum/showthread.php?t=207733&page=2
      
      ever did any drugs of them then had sex, well u raped them etc. If there is any alchol consumption or drug consumption by the other party, http://forums.mtgsalvation.com/showthread.php?t=315007
      In general, since date rape usually includes the use of drugs as the main substance, this will be the definition of date rape we will be using for the sake of this discussion.
      
      So lets see, most men are rapist
    - Guest
      
      “ever did any drugs of them then had sex, well u raped them etc. If there
      is any alchol consumption or drug consumption by the other party, ”
      
      Wrong. Simply wrong. Alcohol and/or drug consumption does not automatically make sex into rape. It crosses the line when the woman’s judgement is so fundamentally impaired that she can’t make a decision for herself.
      
      “So lets see, most men are rapist”
      
      Where do you get this conclusion? You’ve just given an operational definition, you haven’t done anything else? You haven’t shown that men do this.
      
      I’m concluding that you’re just a troll. Your poor grammar, lack of efficient communication, and unwillingness to address my questions leave it unquestionable. I apologize to the torrentfreak community for having a discussion that wasted so much screen space.
    - Eric
      
      ” “ever did any drugs of them then had sex, well u raped them etc. If there
      is any alchol consumption or drug consumption by the other party, ”
      
      Wrong. Simply wrong. Alcohol and/or drug consumption does not
      automatically make sex into rape. It crosses the line when the woman’s
      judgement is so fundamentally impaired that she can’t make a decision
      for herself.
      
      “So lets see, most men are rapist”
      
      Where do you get this conclusion? You’ve just given an operational
      definition, you haven’t done anything else? You haven’t shown that men
      do this.
      
      I’m concluding that you’re just a troll. Your poor grammar, lack of
      efficient communication, and unwillingness to address my questions leave
      it unquestionable. I apologize to the torrentfreak community for having
      a discussion that wasted so much screen space.”sorry you ask for citations and I provide links then you are too lazy to see the court cases themselves in the aritlces linked then say that it is different than what the court has concluded.
    - Eric
      
      ”At which point does it count to be consent?
      In particular, I know that consent must be given prior to sexual activity of any sort and prior to alcohol consumption. Does that simply mean that few college parties and the like actually fit these descriptions?
      http://forums.mtgsalvation.com/showthread.php?t=315007
    - Lolk
      
      @982953c7dd1b5d37a8e4b09bb0000f8c:disqus
      
      Hi, I’m gonna take up Guest’s mantle.
      
      Are you aware that most sex happens outside of college parties? Are you aware that even on college campuses, sex happens most often between two dating individuals who aren’t at a party? Are you aware that the vast majority of men never have sex at a college party or anything similar to one? No, of course you aren’t, because you’re letting your biases and sexism get in the way of whatever pitiful logical faculties you might have.
      
      You love strawman arguments.
      
      “In particular, I know that consent must be given prior to sexual activity of any sort and prior to alcohol consumption.”
      
      First, you’re right that consent must be given, but consent doesn’t mean that someone has to sign a form saying “I agree to sex”. If a woman starts pulling a man’s pants down, it’s pretty clear she consents. Second, consent does not have to be given prior to alcohol consumption. You’re just wrong, and if you read the law, you’d know this. Consent has to be given while the woman is capable of making a decision. She can still make a decision under alcohol. She can’t make a decision if she’s black-out drunk, but you have to drink a lot to get from sober/lightly buzzed to black-out drunk. Read the law.
      
      Look, if you want to be taken seriously, answer these questions; If a woman and a man date and then have sex, like the vast majority of men and women do, is it rape/molestation? If yes, then how can you call it rape when the woman gives consent to have sex with a man she’s dating? If you can’t answer that question, then you concede that you are a troll. So, Eric, are you a troll? Can you prove that you can actually think, or will you just go back to the strawman arguments?
    - Scary_Devil_Monastery
      
      @982953c7dd1b5d37a8e4b09bb0000f8c:disqus
      
      Regarding your Bible references I feel it necessary to point out that it also advocates incest, selling your offspring into slavery, ethnic cleansing and mass rape of infidels.
      Etc.
      Conveniently located in the same old testament where your views on marriage comes from.
      
      Similarly if you want to look at the untranslated version of the bible it quite clearly doesn’t state “virgin” anywhere. It uses the word for “Young woman”.
      Indeed, the original bible never mentions the word “virgin” or takes up the concept of virginity in ANY passage.
      
      Indeed, the way you express yourself quite clearly suggests that the majority of your argumentation is based entirely out of decidedly selective misrepresentations from bible passages. When your own body of reference cannot back up your statements it’s definitely time to take a step back and reevaluate your position.
    - Guest
      
      @982953c7dd1b5d37a8e4b09bb0000f8c:disqus
      
      ”sorry you ask for citations and I provide links then you are too lazy to
      see the court cases themselves in the aritlces linked then say that it
      is different than what the court has concluded.”
      
      You didn’t link to anything with any authority. You linked to forums. Forums are simply a bunch of internet users spouting off. There is no reason to believe that any of them know anything. You didn’t link to relevant court cases, you didn’t link to psychological or sociological research studies, you only linked to a bunch of internet users who have no more authority than you or I.
      
      When someone asks for a citation, they are asking for a link that proves something. If you had linked to a scientific study that shows that the vast majority of sex on college campuses is rape, then you would have done something smart, but you didn’t (and you couldn’t, because it’s not true, and I CAN provide a scientific study proving that). If you had shown me a court case or a law (from a large area) that defined rape as being any sex that does not involve a consent form or involving any amount of alcohol, then I would have had to change my views… But you didn’t (and again, you couldn’t, because they don’t exist). All you did was link to the opinions of anonymous internet users. That proves nothing. Literally nothing. There was no value in your citations. I appreciate that you tried, but you don’t seem to understand what actually constitutes scientific or legal proof. If you think you have links that are VALID AND USEFUL, then please present them, and prove what you’re saying.
  - Dafrog
    
    What the hell does this have to do with the subject of the article? Take your stupid christian crap and pound salt.
Anonymous

as one of the most prolific users of DRM, Ubisoft will not learn that the detrimental affects on customers will also affect their business unless customers do the only thing they can. stop buying their games! hurt Ubisoft in the pocket and maybe, jusy maybe, a more customer oriented attitude will be forthcoming. if nothing is done, the DRM infestation and screw ups will continue. the opportunity is there to at least try to make a difference. do nothing and you deserve what you get!
- FinalApokylypse
  
  Unfortunately they have a different perspective on things.. Take the Assassins Creed games for example. AC1 sold around 1 million PC units, however AC2 sold around 100 thousand PC units. To them this showed how prominent piracy had become. But of course we all know the primary reason behind it being the DRM made it much more beneficial to pirate the game then buy it.. Hence the extremely poor PC sales..
  - Guest
    
    Did it ever cross your mind that people might not have liked the first one?
    
    I played about 6 levels of the game. The graphics were stunning, fighting style and ability to climb many objects fun, but after not so very long it all got a bit boring.
    
    Didn’t play the second. Didn’t even ‘pirate’ it to try.
    - Guest
      
      That seems unlikely, given the increased review scores and heightened public awareness and excitement for the second game. I have to acknowledge the possibility that your experience is typical and that gamers decided to avoid the second title, but it does not seem like the most parsimonious answer.
    - Scary_Devil_Monastery
      
      People may not have ‘liked’ the second one but hype is used because it works, and the title received raving reviews before the server crash happened. Dropping to 1/10th of the expected sales indicates something is very wrong.
      
      I’m with FinalApokalypse on this one. On the first game, every legal customer had to put up with their pirating neighbors and friends playing the game happily while their own legitimate version was bricked and unplayable.
      
      I doubt any of the people who bought the first game were keen on purchasing the second one given their past experience. No wonder.
    - Daniel
      
      Sure. But they’ll never admit that. They’ll never admit that piracy doesn’t have a (measurable) negative effect on sales, because that would be admitting that it was their own failure: that people didn’t want to pay for the game because they’re tired of the DRM or because they think the game isn’t good enough. Both of that would be very bad to tell the shareholders, so they put the blame externally. Which will ensure that shareholders continue demanding that they put DRM in their games.
      
      It’s a downwards spiral. It will implose soon enough.
  - FakeElections
    
    Exactly. They forget that we want to pay for games… I will pay for the next GTA and ARMA 3 (The only game games i care about anymore) But if they have DRM built in, i will give up being a gamer. I’m sick and tried of being ripped off, they have ruined the gaming experience on PC (And on console but i don’t play them…)
    - Anyone
      
      GTA has the “Rockstar Social Club”, which is quite annoying and caused me to pirate the games instead
  - Camanon7
    
    There’s an interesting parallel here. They blame loss of sales on piracy but are too blind to see that their current business model doesn’t work for the average customer. Apply that sentence to the MPAA/RIAA and it still fits.
    - http://gene-poole.tumblr.com Gene Poole
      
      It works all around. TV Networks like NBC are cancelling popular shows like Community because the Nielsen ratings don’t a significant crowd watching it. Their Nielsen boxes fail to catch the tens of thousands of people time shifting by downloading torrent files to watch them on their own schedule.
      
      It’s the same theory behind natural selection. Just give them enough time and they’ll drive themselves into extinction.
- Guest
  
  Begs the question why should I buy a game if I have to deal with DRM infestation when I can download DRM free pirated copy? DRM is only driving away legit customers and it certainly won’t convert a pirate to a paying customer.
Anyone

I will continue to play Ubisoft games without DRM and without paying

maybe one day they’ll learn
- Daniel
  
  They won’t. They’ll use it as an excuse to put even more restrictive DRM in their next games, because they’ll think they have to fight piracy even harder.
  
  There’s no way in convincing them that they are hurting themselves, because they will never admit that they have made a mistake. The only way I see is to bombard them with millions of complaints, or launch massive lawsuits that will make any publisher shy back from DRM forever.
Guesty McGuest

Game developers don’t like DRM, its the publishers that like DRM.
- Nick
  
  true dat
- Guest
  
  Developers still agree to it when they let companies like EA or Ubisoft publish their games.
  And Ubisoft is developer and publisher.
  - Guest
    
    Do the devs have a choice?
    - Anyone
      
      rarely
      there are only so many publishers, and most are happy once they finally find one that will publish their game, even if they infect their game with DRM
      
      it’s similar to the music industry, but luckily there the studios are steadily losing ground
      
      once more kickstarted games are successful it will happen in the game industry as well
    - http://gene-poole.tumblr.com Gene Poole
      
      They will as soon as the guys behind the humble bundle get their act together and form an official software studio.
    - Guest
      
      @Gene_P00le:disqus
      
      Humble Bundle Inc. have announced in the past that they have no plans to become a publisher or developer of games. Their sole purpose is to organize bundles. It should be noted that Wolfire games, the creators of the first humble bundle, have shown skepticism about how well the model could be applied to larger games. They note that while the humble bundle has done well, it has done so through two major factors; containing games that have already had commercial and critical success, and releasing to massive fanfare and publicity. Other bundles, such as the indie or royale bundles, have had less luck. The model will be beneficial in the future, but it is not a golden solution to the industry’s problems.
      
      @f05af58b8c10e93b3595bb996aad4e5d:disqus
      
      Two things. First, most developers are not happy to have a publisher that uses DRM. This tends to be true primarily among larger, already-established developers, who can hold the same economic views as the publishers. Smaller devs are much more likely to switch publishers over DRM issues.
      
      Second, kickstarter helps, but it is held back by the fact that many devs don’t understand business, which is traditionally a role that the publishers help with. Don’t expect it to be a magic solution, because you can throw money at developers, but it means nothing if they can’t budget it. Aside from that small complaint, yay for kickstarter for being innovative.
    - Scary_Devil_Monastery
      
      Only occasionally. If the devs are lucky, savvy, or insistent enough they may get their games on Steam instead.
      
      Steam is the DRM solution even a few of my hard-nosed colleagues grudgingly acknowledge to actually work with a minimum of fuss and glitches, so the answer isn’t as simple as just “no DRM”.
      
      We’re talking about a trust issue here. No one is likely to trust EA as far as they can toss a pyramid, for instance…
    - jdpo
      
      I suggest Kim come up with MegaGames
Pingback: Ubisoft DRM Lets In Remote Attackers, Google Engineer Reports | The Illuminati
Mwhahaha

“What Ormandy appears to be suggesting is that once hackers understand how this vulnerability works, websites could incorporate an exploit into their designs which could then allow them to gain access to a Ubisoft game-player’s PC. ”

Well, they’re a damn sight closer to understanding it now he’s told the world about it.

Why didn’t he just drop ubisoft a mail and let them deal with it quietly as possible before all those havoc wreakers could take advantage?
Still, it’s good to know how shitty DRM is.
- Annoyasaurus
  
  Cause if he were to just inform Ubisoft, most probably Ubisoft would do some cosmetic fixes and nothing would change. This way, at least the public would be informed there’s a risk in playing Ubisoft games that you’ve registered on Uplay
- FinalApokylypse
  
  This actually happens more often than you think, even with companies like Microsoft and many others. You get people who try to find vulnerabilities in systems and tell the companies responsible so they can patch/fix them. It’s happened many times in the past that they don’t bother to fix the problem so they make the vulnerability known so they have no choice but to fix the problem.
- FreeBSD
  
  nothing would change if he did that.
- Guest
  
  He told the world so that the legit customers know how shitty DRM is and uninstall Ubisoft Uplay Launcher immediately.
- Rekrul
  
  Why didn’t he just drop ubisoft a mail and let them deal with it quietly
  as possible before all those havoc wreakers could take advantage?
  
  Because history has shown that most companies would rather sweep problems under the rug than actually fix them.
  - jesuschrist
    
    Also because taviso is an attention whore.
- Full Disclosure
  
  It’s called Full Disclosure (do a quick search for the term and you will understand the philosophy behind it). Now there’s no alternative but to fix the problem, lest those nasty evil hacker dudes start having lots of fun…
- Guest
  
  Ask yourself, Mwhahaha. Does Ubisoft DESERVE to have this resolved as quietly as possible?
  Or do they deserve to have this become a scandal that trashes the image of their company and maybe, just maybe, might shame them into rethinking their usage of DRM?
https://openid.org/lulaladrao LulaLadrao

If a game has DRM don’t buy it….
wanderingbear

Looking at the actual code that has the potential to be malacious, these seems like it could be pretty serious and also appears to be a really bad design flaw.

var x = document.createElement(‘OBJECT’);x.setAttribute(“type”, “application/x-uplaypc”);document.body.appendChild(x);x.open(“-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play”)
- Camanon7
  
  So for all us non-programmers, why don’t you point out the flaw, rather than a snippet of cryptic looking code?
  - Guest
    
    the short version: that javascript creates a html object tag,
    
    this part:
    QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ==
    
    is the string:
    C:WINDOWSSYSTEM32CALC.EXE
    
    base64 encoded.
    - Guest
      
      ” that javascript creates a html object tag,”
      
      … Can you maybe be a little longer and more descriptive than that.
      
      Let me see if I get the gist of it though; they had some fail that allows hackers access to system 32? Is that roughly right?
Pingback: Torrent News » Ubisoft DRM Lets In Remote Attackers, Google Engineer Reports
Pingback: Ubisoft DRM Lets In Remote Attackers, Google Engineer Reports | Best Seedbox
Alan89

It has already been patched, according to their changelog in Uplay
Pingback: In the News.. | TorGuard.net Blog - Anonymous VPN Services
chronoss chiron

last pc game i ever bought was diablo 2
rest of you are suckers
http://twitter.com/Anime4PSP Anime 4 PSP

Really not great idea to release such info into the wild
- Anyone
  
  it is an excellent idea
  
  it punishes those supporting DRM
- FakeElections
  
  Its a great idea if you want people to take notice to DRM
- Scary_Devil_Monastery
  
  ?
  
  You know, releasing such information into the wild is tantamount to a citizen journalist discovering that a bank has shoddy security, and making that information public. the bank then has no choice other than to ramp up it’s security and everyone profits.
  
  Because if you do not publish this information the only people who know of it will be the criminals – and a company which may not consider this to be a problem until it is first exploited.
Guest

Not surprised.
Ubisoft is a horrible company as far a customer relationships go, they treat players awfully.Not long ago they locked all the players that had payed for their games officially out of playing them, even single player modes.
Buying from them even on Steam is a true pain.
And their DRM mechanics are amongst the worst. I personally never intend to buy a game that is even related to them somehow after I lost access to two games because I paid for because I forgot some key.Here’s an articule on the game lockout. http://pc.gamespy.com/articles/121/1218211p1.htmlIt’s like I’ve got to do a background check on each game before buying it now to make sure it has no random codes or GFWL or Origin or Uplay shit, I’ve already decided to give up on any Ubisoft or EA game that forces anything like that.
Would really wish to see Steam add some sort of big warning label to know which games are buy-download-play and which games are buy-shit doesn’t work-pirate-play.
- FakeElections
  
  Give up on EA simply for they’re Pay a $1 to Reload comments…
  
  http://www.youtube.com/watch?v=ZR6-u8OIJTE
- http://gene-poole.tumblr.com Gene Poole
  
  And once again, just to throw it out there, torrented games have none of those issues. The vast majority of the time they just work, with no DRM (obviously) and no problems. Occasionally you’ll get one where the crack has a trojan within it, but these seem to be the exception rather than the rule and may even be a false positive.
  
  Interesting how the shared versions of media are often better than the official versions.
  
  If ubisoft games are a problem, just wait for the tpb version. problem solved.
  - Daniel
    
    Point. They give you two choices:
    
    • Technically broken, low-quality, annoying-to-use but LEGAL version for $60.
    • Cracked, install-and-play high-quality version for free.
    
    The question is not whether the second option is moral or immoral, legal or illegal. The important point is that it won’t change, that they can’t prevent people from giving themselves that option.
    
    So as an end-user interested in playing a game, how exactly does their reasoning work? What incentive do they give me to go for the expensive low-quality version?
    
    Basic economics: you sell something by giving people what they feel is worth the money they pay for it. Software companies are, currently, doing it all backwards, using every method under the sun to lower the quality of their product. How do they think this will help them generate sales?
GUEST

I see hungry lawyers opening up websites now for people who may have been vulnerable to this, to launch a class-action lawsuit and rape the f*ck sh*t out of Ubisoft.

Fuck you Ubisoft.
cakecakecakeisnotgood

Good thing I have pretty much stopped playing video games…
http://darkchaplain-anotherstory.blogspot.com/ DarkChaplain

It has already been fixed. Scareville can be evacuated.

And you see, Ubisoft has been learning quite a bit as of late. Their older Uplay titles have been patched to be fully working without an internet connection, Offline mode is working just fine and they’ve been releasing a few DRM-free titles lately.

But alas, it is easier to justify our pirating efforts by naming the old, original UbiDRM as a cause.
- Happyartist
  
  I think it’s the next one that people are worried about. The old DRM problems are just a reminder that there will be new problems coming.
  - Anyone
    
    exactly
    DRM by definition has to break the computer, so of course there will be problems and bugs
- Guest
  
  Gee, they are learning how to do the wrong thing a little bit better by committing less atrocities to their players every so often.
  
  Maybe in 5 years they’ll appear on the news for making their games unplayable to paid players or letting hackers ruin their customers PC’s only once in a while.
  
  Players rejoice, Ubisoft might not be the worst company when it comes to treating their customers someday. They might only fuck you occasionally.
  - http://darkchaplain-anotherstory.blogspot.com/ DarkChaplain
    
    I can’t remember ever getting “fucked” by Ubisoft in all my years of gaming. Well, maybe the decision of making the Prince of Persia 2008 Epilogue a console-exclusive DLC, but other than that, I have been very pleased with Ubisoft’s products. Uplay in its current shape and form has never affected me negatively.
    I feel sorry for you if you’ve personally had to endure buttpain due to Ubisoft, though.
- StevO
  
  Well “once bitten, twice shy” rule does apply here. If you have been ripped off for $60 or $120 or maybe even 3 ubisoft games then you would have reason to complain for a few good years. I still am not over GTA4 yet! Even though I waited until it was $20 and I still felt ripped off. You sir, either have a lot of money, or just never actually buy games. I got tired of having to mess around loading and signing in over and over again to play games, most of the time I dont want to wait 15 minutes logging in to play for 20 minutes. Its all gotten out of hand and I have simply stopped playing.
  - http://darkchaplain-anotherstory.blogspot.com/ DarkChaplain
    
    I currently own a bunch of Ubisoft titles on PC, namely the whole of Assassin’s Creed, the whole Prince of Persia series including Forgotten Sands, From Dust and recently added Rayman Origins to my library.
    
    The only title I felt cheated about was From Dust, which they outright lied about regarding the used DRM scheme. However, they’ve since corrected this issue, and I did not bother pursuing a refund after they’ve taken that action.
    
    I usually wait til the prices of Ubisoft games fall below the 50% mark, not because of DRM, but because I spend too much money on games as it is. Hell, I even went out of my way to pirate Revelations after seeing how the european pricing was handled. In no way, shape or form did that even conflict with playing my legally purchased Ubisoft titles either.
    
    Yes, I do dislike having Activation Limits, Games for Windows Live or Tages/Securom and the likes, but Uplay is not restricting me in the way of installation limits, doesn’t bring up endless update loops or has atrocious matchmaking systems coming with it and in general has been simple and quick to use.
    They even allow me to connect via Proxy or stick to offline mode after activating/launching a game once. Back in the beginning, Uplay was an atrocity best purged with fire, but it has since become less than an annoyance.
    
    Now, not that I disagree with being careful and making informed decisions based on experience and careful consideration, but blind panic and making a scarecrow out of something that doesn’t actually look frightening won’t serve anybody.
    I personally think that bad PC ports are worse than a game with DRM, much worse if the port has been delayed for months (see: Prototype 2, Arkham City (which had horrible DirectX11 issues)). Uplay is the least of the issues PC Gaming is having right now.
    - Guest
      
      Someone accessing your PC is blind panic?
      Sure GFWL in general is still worse but this is pretty bad too.
      
      Even if they fix that they are still following a path of DRM, DRM only brings trouble. It has to be opposed at any chance if there’s any hope that more publishers will drop it.
      
      With bad ports at least the developer tried his best but budget or technical issues got in the way, next game might be a better port.
      And at worse the game won’t work until a fix is released.
      
      DRM can put your information at risk, your system at risk, it can lead to long term loss of access to games and many other unpredictable things.
      DRM is an illogical decision to make products for the paying customers worse, which will lower sales, and kill franchises.Wouldn’t lower sales also lead to less budget, and worse ports?
      It is a pointless practice that works on flawed principles and it can only fought with unified opposition against all forms of it.That is the responsible thing to do.
      Otherwise DRM just keeps getting more and more intrusive, more common and more dangerous, if the men in suits see they can get way with it then they will push it further and further. They seem to love this fake sense of security DRM brings.
      DRM is spreading to all digital industries right now, anyone can be hurt by it. You, someone you know, or a random guy.
      Being ok with it because it is not so bad is a form of apathy that’s going to let bad practices keep happening, it is short sighted and irresponsible to be ok with something so potentially bad because it hasn’t harmed you enough yet and it is unsympathetic towards those that have already been victims of it.
    - Anyone
      
      you dislike DRM, yet you still support them?
      why? just why?
    - http://darkchaplain-anotherstory.blogspot.com/ DarkChaplain
      
      @ac772b48d6728242138b1df18c9716e5:disqus
      Nobody accessed my PC aside from myself. I don’t even have those Uplay Plugins on my browsers. None of them.
      This is all just an exploit that could have been taken advantage of – there is absolutely NO evidence that it happened ever before it was made public.
      
      I half-agree with you on the matter of DLC. Half, not fully. Depending on the way the DRM is executed and handled, it can be pain- and headacheless and even give the customer something in return.
      Activation Limits, Always-Online and Regional Restrictions are to be opposed. Uplay does neither of these at this point, hence I don’t mind it in any way.
      
      Well, Ubisoft’s Assassin’s Creed ports have been lacking features like Windowed Mode ever since the 2nd title, and still come with texture pop-ins (although it has been better in Revelations). Considering every single AC game has been delayed by at least a month after the Console release and all three games having used the same engine, I’d certainly wish for a better port.
      Now Prototype 2… people can be happy if there’s gonna be a sufficient fix at all, as the developers got shut down.
      Arkham City got patched after months of being stuck due to Microsoft’s GfWL procedures.
      
      It CAN in some cases. It has never happened to me in any way, my system is safe.
      I do agree that DRM as a concept is ineffective and cannot stand against piracy, and that the only ones feeling its effects are paying customers. However, that is no valid excuse for me to go and pirate those games instead. Not buying at launch, sure, waiting for a discount, yes indeed, but not to pirate the game.
      
      However, Ubisoft’s DRM is getting less intrusive, and they’ve been dropping it from some releases already. Instead of giving them the EA-treatment, why not acknowledge that? Instead of threatening with piracy, why not show them that the dropping of DRM helps them and makes people appreciate their products more?
      
      I do not disagree with fighting blatant DRM, but I do disagree on the methods used to do so. Encouraging them to do the better thing instead of punishing them for not changing fast enough and completely all of a sudden would be a better solution.
    - Guest
      
      @darkchaplain:disqus
      Taking the higher moral ground is useless when the other side:
      - Has vastly more money and influencing power in the courts and lawmaking
      - Has a history of ignoring feedback
      - Will assume that any losses as a result of boycotts and negative feedback are a result of piracy
      - Use the above to justify further DRM
      
      We’ve seen it happen with music. Whatever money they make is incomparable to the amount of money that could have been made if someone bought music regardless of whether they access it through “illegitimate” means (or whether they even want to).
      
      When life gives you shit you don’t make a shit sandwich. You give it back.
  - Goosmoo
    
    yes!! What the hell is with companies making you sign into a service to play an OFFLINE game? Just let me play the damn OFFLINE game I bought already!
    
    Stupid crap like that makes me enjoy iPad games even more.
Pingback: Ubisoft’s Uplay leaves PCs open to malicious attacks (Update: quickly patched, but still disturbing)
Pingback: Ubisoft DRM Lets In Remote Attackers, Google Engineer Reports | Zombie Torrents - Ultimate Torrents Downloads
Pingback: Ubisoft DRM Lets Remote Attackers In
http://twitter.com/rmspostcomments Richard M Stallman

Whatever companies think of Digital Restrictions Management, usersshould reject it every time. Please don’t call it “Digital RightsManagement” because that’s repeating the spin of the people who wantto impose it on you.Visit DefectiveByDesign.org and help put an end to DRM.
Pingback: MakinMo's Tech Blog
Pingback: The Technology Blog: Ubisoft DRM Lets In Remote Attackers Google Engineer Reports
Pingback: makin257 - Ubisoft DRM Lets In Remote Attackers, Google Engineer Reports
xiaoxin471

tinyurl.com/cyk9xz2
http://www.maniladarlings.com/ Nicolle

In the early hours of this morning Ormandy confirmed that the add-on
allows remote and “wide access” to machines running the DRM, potentially
giving malicious attackers free reign to wreak havoc.

TorrentFreak

The place where breaking news, BitTorrent and copyright collide

Ubisoft DRM Lets In Remote Attackers, Google Engineer Reports

Related Posts

Previous Post | Next Post

NewsBits

404 Fail: Six Strikes’ Piracy Alternatives Go Missing

Google Doesn’t Believe Kim Dotcom is Real

Nintendo’s Miyamoto: Piracy More Concerning Than Used Games Market

Monitoring BitTorrent Activity on a Network Using WireShark

The Pirate Bay Suffers Downtime

MostDiscussed

Movie2K Disappears Without Warning

UK Police Launch Campaign to Shut Down Torrent Sites

Three Strikes For File-Sharing Fails to Halt Music Sales Decline

87 Months in Prison for Copyright Infringement: Fair Sentence or Utter Madness?

ARM Launches Hollywood Approved Anti-Piracy Processor

CopyQuote

PopularArticles

VPN Services That Take Your Anonymity Seriously, 2013 Edition

Top 10 Most Popular Torrent Sites of 2013

Which VPN Service Providers Really Take Anonymity Seriously?

What’s The Best VPN / Proxy for BitTorrent?

BTGuard Review: How Does it Work?

Optimize Your BitTorrent Download Speed