Ubisoft Patches Uplay Vulnerability

Gaming company Ubisoft has moved to patch a security flaw in its Uplay application, following complaints of a rootkit that emerged yesterday.

Google security researcher Tavis Ormandy found the flaw, after buying the game ‘Assassin’s Creed Revelations’. He discovered that during the installation procedure, the Uplay browser add-on was granting Ormandy “unexpectedly (at least to me) wide access to websites”.

It was determined that specially-crafted websites could force the computers with the plug-in running to open certain programs. A researcher proved this by making a calculator launch when a person running Uplay visited such a site.

The methodology could be used for far more malicious actions. But it will no longer work, thanks to sharp work from the Ubisoft security team, which said reports of a rootkit in the Digital Rights Management (DRM) part of its software were incorrect.

Ubisoft responds

“We have just released a new patch for Uplay PC, which will update your client to version 2.0.4. This patch corrects a flaw in the browser plug-in that was brought to our attention earlier today,” the games maker said on Facebook yesterday.

“We recommend that you update your Uplay PC application without a web browser open, as this will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch is also available from Uplay.com.

“Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”

Are you a security nerd? Try our quiz!