Ubisoft rush to fix security hole exposed by plug-in

  • Published
Art from Assassin's Creed
Image caption,

Games affected include the massively popular Assassin's Creed series

Games maker Ubisoft has been forced to release an emergency patch to fix a security hole discovered in its Uplay application.

A web browser add-on reportedly left users open to outside attackers gaining control of their computer.

The Uplay software is bundled with major titles like Assassin's Creed.

"We recommend that all Uplay users update their Uplay PC application without a Web browser open," Ubisoft said.

"This will allow the plug-in to update correctly.

"An updated version of the Uplay PC installer with the patch also is available from Uplay.com."

Uplay is a system that allows gamers to earn points and rewards for performance which are logged online.

As well as the multi-million-selling Assassin's Creed series, Uplay is also used with games such as Call of Juarez: San Francisco, Just Dance 3 and several titles in the Tom Clancy series.

Vacation discovery

The spokesman added: "Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues."

The flaw was discovered by Tavis Ormandy, a Google employee.

On a mailing list for information security experts and hobbyists, he wrote: "While on vacation recently I bought a video game called Assassin's Creed Revelations. I didn't have much of a chance to play it, but it seems fun so far.

"However, I noticed the installation procedure creates a browser plug-in for it's accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

It was discovered that any website could force users with the plug-in to open any program on their PC.

To demonstrate this, one security researcher created a website proving the exploits' existence. When a person visited the website, the calculator program would launch.

While the calculator is harmless, experts warned that the technique could be used to launch a potentially malicious program.