A bit of holiday fun for Google security researcher Tavis Ormandy left Ubisoft scrambling to fix a gaping flaw in its Uplay gaming application on Monday morning. "While on vacation recently I bought a video game called 'Assassin's Creed Revelations,'" he posted on the Full Disclosure mailing list. "I noticed the installation …
"The issue is not a rootkit. The Uplay application has never included a rootkit. The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed systems usually used by Ubisoft PC game developers to make their games," it said.
What a terrible coding error -- Ubisoft PC game developers should never be allowed to make games.
So why exactly does a GAME need a BROWSER plug in?
Because gamers are bitches in the eyes of Ubisoft execs?
>While this is an effective form of DRM<
Really? Which game hasn't been cracked?
> an effective form of DRM
Yep by pwning your computer they could decide what you get to run or not.
had a patch out within 90 minutes...
... obviously after the same level of comprehensive testing as the original plug-in.
Re: had a patch out within 90 minutes...
Another possible interpretation is that they knew they had done something dodgy and kept this in reserve in case someone found out.
Re: had a patch out within 90 minutes...
obviously after the same level of comprehensive testing as the original plug-in.
Depends upon whether they have an automated test suite. If they do, then it's very likely that both versions of the plugins passed exactly the same set of tests.
How about just not installing the plug-in in the first place or removing it after installing the game. Easy enough in Firefox.
not sure but probably means you can't play game if you remove the plugin. lame.
@ASDF : "not sure but probably means you can't play game if you remove the plugin. lame."
Actually, I'm just going to patch, disable the plugin, and then try playing ACR ....
Just disabled the plugin and fired up ACR . . . game works fine without the plugin. Happy stabbing!
Wow typical DRM then all it does is piss off the paying customers who don't always have a high level of geek tech ability to get rid of the annoyance. FAIL like all DRM eventually (how's that DRM working out for ya Sony now you are 1/5 the size of your heyday).
And yes I know Xbox has DRM also but Sony is directly and indirectly responsible for funding and creating most of the DRM schemes out there. They are also the biggest proponent of it by far. Their media studio first f__k the customer attitude is much of the reason they have been in the red for over five years straight.
This is precisely why I haven't bought any Ubisoft games for years. They don't deserve customers the way they constantly pull these ridiculous stunts.
I'm totally with you on this. I've never bought a Ubisoft game, and until they remove their DRM I never will, even if it means missing the occasional great game. I'm a pretty prolific game buyer, to boot.
I would even take this further by emailing a photo to Ubisoft of the money I would have spent on one of their games, followed by another showing exactly how else it was spent. (Most likely in the pub, but I leave this up to your imagination)
less and less control over my pc
I was forced to install this Uplay thing to play my new Steam game "From Dust". I wasn't told what I was installing - I didn't realise it was a whole environment - I thought it was just going to be a registration for them to grab my email address and spam me with email - something I've finally got grudgingly used to. And I was most surprised when Firefox reported it was disabling a 'Uplay plugin' due to a security risk. That's a plugin that won't be getting turned back on (unless it turns out my game doesn't play without it...in which case I'll have to decide if my face needs my nose or not). Thanks for this article, it filled in the gaps.
A brief search suggests that the DRM has already been hacked around, and such solutions are easily available for those that choose to look for them, once again proving that the only ones inconvenienced by such things on the medium to long term (or however long such takes to patch around), are those that don't try to pirate them. Also notable is the fact that several of them say 'crack only', which naturally implies that it's only for folks that bought the game. No-CD crack, meet No-Net crack. Here comes the new boss, same as the old boss.
Please note, not espousing not paying for product, just that the benefit/drawback ratio for this sort of DRM is likely a fractional term.
It's about time
To make all DRMs illegal because for all intents and purposes every such system can be classified as malware.
DRM vs DRM-free
Is there any advantage to be had by including (or forcing) DRM with your software? You do need to pay for DRM development etc, and to counter any bugs/hacks/cracks as they appear.
Or do you rely on people's goodwill not to copy/pirate your stuff and leave DRM out? No need to pay any extra for DRM development etc...
Re: DRM vs DRM-free
I would also add that you don't put off your potential customers and don't encourage them to seek better alternatives to your DRM-crippled products...
Perhaps Ubisoft could just use Steam? It's effective, most of the people I know use it and it protects their game but no Ubisoft seem hellbent on penalizing their paying customers rather than the pirates.
What the game industry needs to do is agree on a common DRM system which is created for the benefit of both customers and companies. Perhaps then they could spend dev time on 'small' things such as customer security and being able to play an offline game whilst on an unstable broadband connection...
Benefit of customers ?
Are you insane ?
To paraphrase the article
Don't buy Ubisoft software. Their games will bugger up your machine, and in the event that they don't, you'll be lucky if the games don't implode and stop working anyway.
"had a patch out within 90 minutes"
Which suggests to me anyway, that they already knew about the issue and had the patch sat in the wings.
Too bloody right
Alas I can only upvote you once for this suggestion. You hit the nail bang on the head
There's no lack of games on the market. I have plenty more choice in games than time to play them. There is no hardship for me whatsoever to avoid Ubisoft and other companies taking the DRM Kool-Aid. Realistically, it's quicker & easier for me to pay for games that don't include ridiculous DRM than to take the time to crack games I have purchased. It's also much more personally gratifying.
Ubisoft & others - really, why do you keep insisting on this model that does nothing to prevent piracy and only punishes people who want to give you money for what you produce?
"The issue is not a rootkit. The Uplay application has never included a rootkit."
Noted the above part of the statement, and that it was not "We/Ubisoft don't use rootkits"
Given that rootkits, installed without the expressed informed consent of the computer owner, would be a criminal offence (CMA90)
So Ubisoft goes out of business, and all the games you paid cold hard cash for, are now junk.
(so were the goods they sold fit for purpose?)
Given the lack of an ongoing revenue stream, their sales/drm model does look remarkably like a Pyramid scheme
(there are rules about Pyramid schemes)
If Ubisoft's internet connection/servers go down, how much compensation do they have to pay their customers? (given any EULA "you can't sue" contract terms are covered by the Unfair Contracts Terms directive)
Currently waiting for Ubisoft's DRM to upset a bored and/or pissed off barrister, will then book tickets for the court case.