Ubisoft issues patch to fix major Uplay browser plug-in backdoor exploit


If you’ve purchased any Ubisoft PC titles over the last few years, make sure that your Uplay client (Ubisoft’s controversial DRM system) is updated to the latest patch, 2.0.4, as soon as possible. Previous versions of Uplay install a browser plug-in backdoor that allows any website to take over your computer.

The full list of affected Ubisoft PC titles is as follows:

Assassin’s Creed II
Assassin’s Creed: Brotherhood
Assassin’s Creed: Project Legacy
Assassin’s Creed Revelations
Assassin’s Creed III (Tentative)
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
From Dust
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy’s H.A.W.X. 2
Tom Clancy’s Ghost Recon: Future Soldier
Tom Clancy’s Splinter Cell: Conviction
Your Shape: Fitness Evolved

To perform the Uplay update correctly, just follow these instructions (taken from this Rock Paper Shotgun post):

“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.”

Be sure to check your browser extensions (Firefox/Chrome/Opera) and ensure that any installations of the errant Uplay plug-in are removed. Mozilla has since blocked the plug-in from being installed, but it never hurts to double-check. Here’s how:

Firefox: Tools – Add-ons – Plugins – Disable the Uplay and Uplay PC Hub plugins

Chrome: Visit about:plugins and disable

Opera: Settings – Preferences – Advanced – Downloads – Search “Uplay”, delete
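
To check several machines, the same look-up can be scripted. The PowerShell below is an added example, not part of the original article or of Ubisoft's tooling; it assumes the plug-in registers the way other NPAPI plug-ins do on Windows, under the `MozillaPlugins` registry keys, and it matches on the name "Uplay" only. The function name is hypothetical.

```powershell
# Added example: list NPAPI plug-in registrations whose metadata mentions "Uplay".
# Assumption: the plug-in is registered under a MozillaPlugins registry key,
# the standard discovery location for NPAPI plug-ins on Windows.
function Find-NpapiPlugin {
    param(
        [string]$Pattern = 'Uplay',
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\MozillaPlugins',
            'HKLM:\SOFTWARE\WOW6432Node\MozillaPlugins',
            'HKCU:\SOFTWARE\MozillaPlugins'
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # Match on the key name and on the descriptive values a plug-in may set.
            $haystack = @($key.PSChildName, $props.Description, $props.ProductName,
                          $props.Vendor, $props.Path) -join ' '
            if ($haystack -notmatch $Pattern) { continue }
            # A registration whose DLL still exists can still be loaded by a browser.
            $dllPresent = $false
            if ($props.Path) { $dllPresent = Test-Path -LiteralPath $props.Path }
            [pscustomobject]@{
                RegistryKey = $key.Name
                Description = $props.Description
                Version     = $props.Version
                Path        = $props.Path
                FileOnDisk  = $dllPresent
            }
        }
    }
}

$hits = @(Find-NpapiPlugin)
if ($hits.Count -eq 0) {
    'No plug-in registration matching "Uplay" found.'
} else {
    $hits | Format-List
}
```

Run it with all browsers closed, after the Uplay update; any entry it still reports is one to review in the browser's own plug-in list as described above.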

The exploit was originally discovered by Google security engineer Tavis Ormandy and posted on the Full Disclosure mailing list on Sunday. The news has since been reported by Hacker News, Rock Paper Shotgun, and many other technology and gaming sites.

According to Rock Paper Shotgun, Ubisoft has stopped short of issuing a public apology for the issue, and no explanation was given as to why Uplay needs to install a silent browser plug-in to monitor the PCs of its customers.

Ubisoft has received a lot of flak in the past for its controversial “always-online” Uplay DRM for its PC games. This latest debacle will do very little to appease Ubisoft’s critics, and is probably the strongest case PC gamers have to continue boycotting all of its PC games.
