Major security vulnerability discovered in Ubisoft UPlay DRM

It's already pretty easy to hate Ubisoft's UPlay DRM, which requires PC gamers to remain connected to the Internet at all times while playing, but today hating it got a whole lot easier. As it turns out, the UPlay client has a pretty major security vulnerability that could allow malicious websites to take control of your computer. The problem stems from the browser plugin that is installed by the UPlay launcher – instead of only granting access to UPlay, the plugin could potentially give a wide range of websites privileged access to your computer.

That's according to Google information security engineer Tavis Ormandy, who explains on Seclists.org that he discovered the vulnerability as he was installing Assassin's Creed Revelations. "While on vacation recently I bought a video game called 'Assassin's Creed Revelations'. I didn't have much of a chance to play it, but it seems fun so far. However, I noticed the installation procedure creates a browser plugin for its accompanying uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

Obviously, this is a major problem. The vulnerability affects all of the games that use Ubisoft's UPlay DRM (Geek.com counts 21 in total), including all of the Assassin's Creed games since AC2, a handful of Tom Clancy games, and more recent titles like Driver: San Francisco. Thankfully, Ubisoft has since fixed the vulnerability, updating UPlay so that the browser plugin can only access the UPlay application.

Still, despite Ubisoft's quick delivery of a patch, this is an extremely scary development. We're willing to give Ubisoft the benefit of the doubt and assume that it didn't leave that backdoor in on purpose, but whether it was intentional or not, that doesn't change the fact that UPlay housed a potentially devastating security vulnerability in the first place. The publisher catches enough flak for its use of always-on DRM, and we're sure that already-disgruntled gamers aren't going to let Ubisoft forget about this oversight anytime soon. Stay tuned, because we have a feeling that the vitriol hasn't even begun to fly yet.