“I noticed the installation procedure creates a browser plugin for its accompanying uplay launcher, which grants unexpectedly (at least to me) wide access to websites,” wrote Tavis.
The Uplay software, which is bundled with major titles like Assassin’s Creed, Call of Juarez: San Francisco, Just Dance 3 and several titles in the Tom Clancy series, allows gamers to earn points and rewards for performance which are logged online.
Since the disclosure Ubisoft has released Uplay 2.0.4 to fix the problem. “We have just released a new patch for Uplay PC, which will update your client to version 2.0.4. This patch corrects a flaw in the browser plug-in that was brought to our attention earlier today. We recommend that you update your Uplay PC application without a web browser open, as this will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch is also available from Uplay.com,” wrote Korchaa, a Uplay Community Developer for Ubisoft. “Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”
Some web sites are going as far to call the flaw in the plug-in a “rootkit”. “The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user’s consent. If this was limited just to the Uplay service with regard to checking games are legal it would still be a major concern, but the fact any website could potentially use the plugin escalates the seriousness of what is happening here,” wrote Matthew Humphries.