Is Ubisoft’s DRM browser plugin a rootkit?

An offhand remark made by Google engineer Tavis Ormandy to a post on the Full Disclosure mailing list has sparked anger in the harts of Ubisoft users, as he shared his discovery of what seems to be a rootkit in the DRM system used by the company.

“(-¦) while on vacation recently I bought a video game called ‘Assassin’s Creed Revelations’. I didn’t have much of a chance to play it, but it seems fun so far. However, I noticed the installation procedure creates a browser plugin for it’s accompanying uplay launcher, which grants unexpectedly (at least to me) wide access to websites,” he wrote.

“I don’t know if it’s by design, but I thought I’d mention it here in case someone else wants to look into it (I’m not really interested in video game security, I air-gap the machine I use to play games). A few minutes in IDA suggests this might work.”

DRM systems such as Uplay are used by game companies to check whether the game in question has been legally bought, and to offer additional content. So far, it seems that the opening of the backdoor (some even define it as a rootkit) into the customers’ machines was not intentional, but due to a bug.

According to The Sixth Axis, Ubisoft has reacted pretty fast and has patched the hole by issuing a new version of the uPlay software. But, according to some reports, the patch might not be as effective as expected.

Mozilla has blocked the plugin temporarily in Firefox until the bug is fixed, but Internet Explorer and Chrome users are still at risk, and should consider blocking the plugin themselves for the time being.

UPDATE:
“The issue is not a rootkit. The Uplay application has never included a rootkit. The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed systems usually used by Ubisoft PC game developers to make their games,” Ubisoft stated to The Register, and advised its users to download and run the Uplay update in order to keep safe.

Don't miss