Ubisoft patches exploit in browser plugin

Published August 1, 2012 6:45pm

Game publisher Ubisoft managed to fix in time a bug in its "Uplay" browser plugin that could potentially allow an attacker to take control of a gamer's computer.

Ubisoft issued a security fix that will update the Ubisoft client to version 2.0.4, and correct the flaw in the browser plug-in.

"This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine," it said on the Ubisoft forum.

It said it learned of the issue Monday, and came up with the fix in less than two hours.

The automatic patch aims to fix the browser plug-in so that it will only open the Uplay application.

A separate article on the blog site of security vendor BitDefender said programmer Tavis Ormandy, a Google employee, discovered the exploit.

The bug affects extremely popular gaming titles such as the Assassin’s Creed series, Brothers In Arms, Call of Juarez, Driver: San Francisco, or Heroes of Might and Magic VI, it said.

"By simply pointing the browser equipped with the Uplay plugin to a special web page, an attacker can run malware on the user’s PC without any further notification or interaction. This is the exploitation of a feature designed to launch games from an embedded browser control used in a way game creators did not anticipate," BitDefender said.

It quoted Ormandy as saying he bought a video game called Assassin’s Creed Revelations, and noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, "which grants unexpectedly (at least to me) wide access to websites.“

While uninstalling the browser add-on will address the issue, it will lead to the loss of achievement and trophies. — TJD, GMA News

Tags: ubisoft, gamers, gaming, uplay, webbrowser