Ubisoft DRM Fiasco: Allows Any Website To Take Control Of Your Computer
from the punishing-your-paying-customers dept
It's been nearly seven years since the great Sony rootkit fiasco, when it was discovered that Sony Music was using some DRM on its CDs that self-installed a rootkit (without letting users know) that had all sorts of security problems and vulnerabilities. The company took a massive hit for this, and you would think that others would be a lot more careful with their own DRM. You would think. But, then you don't know Ubisoft. The vast majority of times we've ever discussed Ubisoft in these pages, it's been because the company was doing something ridiculous with DRM. The company loves its DRM and seems to refuse to recognize that pissing off legitimate customers isn't such a good idea.
So would it come as any surprise that it may now be facing a "rootkit moment" of its own?
As a whole bunch of folks have been submitting, some hackers have figured out that Ubisoft's Uplay DRM appears to install an insecure browser plugin. The details came out over the weekend, first on a security mailing list, and were then followed up with some test exploit code posted to Hacker News.
Basically, it appears that Ubisoft's DRM is installing an accidental backdoor that makes it possible for any website to effectively take control over your computer. That's... uh... pretty bad.
From the details, the real problem seems to be one of exceptionally poor coding, rather than maliciousness. Basically, they wanted to let you launch the game via a website, but failed to limit it to just the game -- meaning that a site can make use of the plugin to basically do a whole bunch of stuff on your computer (including things you don't want it to do). The browser plugin is easy to remove (and you should, um, immediately, if you've installed any Ubisoft games), so it's not quite as messy as Sony's rootkit, which was pretty deeply buried. But it's still really bad.
Yet another case of DRM really making life difficult for legitimate customers who paid money for your product. When will companies figure out that DRM does nothing to stop piracy, but makes life really difficult for the people who actually give you money?
Filed Under: browser plugin, control, drm, rootkit, security, uplay
Companies: ubisoft
Reader Comments
Not DRM...
Re: Re: Not DRM...
In any other context we call that malware.
Re: Re: Re: Not DRM...
But then there are a billion more secure ways of doing this that don't involve Ubisoft's fail methods.
Re: Re: Not DRM...
Ding, ding. Mike "Yellow Man" Masnick strikes again! DRM is scary! And it totally, absolutely, 100% doesn't work! He knows this with absolute certainty and there is absolutely no debate on that point.
Re: Re: Re: Re: Not DRM...
But I can think of at least one version of DRM that has worked. Steam. It is essentially DRM. But it's good DRM and is accepted as such by those who are aware of it. The trade-offs are few and the benefits actually surpass any of the usual DRM problems/critiques.
In fact, I avidly avoid anything that has DRM, with the exception of Steam. But that's just me.
Re: Re: Re: Re: Re: Re: Not DRM...
https://support.steampowered.com/kb_article.php?ref=3160-agcb-2555
Re: Re: Re: Re: Re: Re: Re: Re: Re: Not DRM...
I've had mixed success. On my game machine, Steam just works, offline or not. But since it is always connected to the internet except when the ISP is borked, it should work. On my laptop (until I got rid of Windows,) I followed the exact procedure several different times and it never seemed to work right (sometimes I could play the games, but most of the time it just didn't work.) Getting it working on the laptop was kinda important, because that was the one machine which would go places where there wasn't reliable internet.
Re: Re: Re: Re: Not DRM...
Yet for the most part users view it as "fair" and any pain the DRM is causing is offset by the features and value that the client adds. Valve understands its user base and does not have to answer to panicky shareholders over "OMG PIRACY" while Ubisoft have largely shown they have no idea what they were doing. It's only been through user backlash that we've seen any improvement from them lately.
Anyway, DRM is always a bad thing for the end user. Always. Yet so long as it's not awful and the DRM also comes with features we like then it's a trade-off people can be willing to make.
Re: Re: Re: Re: Re: Re: Not DRM...
Once a game is available on Steam it will most likely be cracked within a day, but at that point Steam has done its main job: to stop pirates getting their hands on a game before it's out. Which is actually a major thing in a world where not only can people get a game for free but they could be playing it before anyone willing to pay would be able to do so.
DRM is not so much about actually stopping pirates but about the fact that publishers often have to assure their shareholders that they are doing something about them there evil pirate types. Valve would never ever have gotten Steam off of the ground if it hadn't come with a set of DRM. Without Steam getting off the ground, DRM-free services like Good Old Games wouldn't have had a look in, and even then GOG is doing well more out of the fact that the industry is very slowly being brought around to the idea that it's better to see pirate copies of the game than turn away consumers who might buy it.
The fact that people are calling Steam's DRM one that works even when it's crackable is reflective of the fact that DRM is an issue of degrees. How much protection does it offer vs. how much restriction does it impose, and Steam has struck a balance that works for most publishers and most gamers mainly by seeking to offset the problems of DRM through adding other value via the use of Steam.
I actually think that Valve would happily and effectively go DRM free if they could, but in the current climate it wouldn't go down well with a lot of publishers. Even if Valve only went DRM on their own games it would require the groundwork for such a system be put in place in Steam, and publishers would see that as a move by Valve to push this issue in the market they currently dominate. Which would have publishers fighting back hugely and could easily sink Steam.
Steam is proof that DRM that offers some effectiveness in publishers' eyes can be accepted by a user base because it adds value. In fact people value Steam as a service so much they are often willing to rebuy games on Steam they already own in another format just to have them on the service.
It's not ideal but I firmly believe that if someone other than Valve had pushed the DD market first we'd all be far worse off.
Re: Re: Re: Re: Re: Re: Re: Re: Not DRM...
That's it. There are issues (such as regional pricing bullshit) around the price points, but nothing is perfect.
Re: Re: Re: Re: Re: Re: Re: Re: Not DRM...
While you are correct in saying that Steam does not stop piracy, which I think is simply impossible, I believe it has been rather effective in reducing it. Of course when publishers decide to layer their own DRM on top of Steam... I'm not sure I'm convinced Steam can make up for stupid.
Re: Re: Re: Re: Re: Re: Re: Re: Not DRM...
Most DRM is put in place these days by people who either don't understand that DRM can't be fully effective or are having to answer to backers who don't understand that. Like I was trying to point out steam wouldn't have ever gotten off the ground if it had built in DRM.
Most anti-piracy measures as a whole are aimed at making it harder to do for most people. Take the recent takedown of the YouTube to MP3 site. Anyone who's posting here likely has the knowledge to still easily get an MP3 of a YouTube video, and hell, a lot of people know enough to use a browser extension to do so. But taking down that site is not aimed at them, it's aimed at people who are being enabled by the site.
I know it can be hard to understand for those of us who are technically minded but downloading and cracking a game is actually a relatively high bar to have to pass. It's of course meaningless in the long term as not only is most of the target market perfectly technically minded but people are getting more competent on the whole and things are getting easier and easier to do.
The point is that you are insisting that DRM is simply there to stop piracy. It's not. As you point out DRM is utterly ineffective, so you have to ask WHY it's used in products like Steam, and in context of the market Steam's DRM does exactly what it is meant to do. Stop early leaking of Steamworks games and assure publishers (more the shareholders of those publishers) that Steam does something to try and stop piracy so that those publishers can justify to their shareholders why it's ok to use the service.
DRM is at this point about far more than actually trying to stop piracy, and "stopping" piracy has been downgraded to "doing something to try and limit it".
Re: Re: Re: Re: Re: Re: Re: Re: Re: Not DRM...
Fixed that for you, Tim Griffiths.
BTW, it's possible that YouTube to MP3 has simply been blocked in certain areas, because I've just tried to access it and it's still there.
Re: Re: Re: Not DRM...
I've had security risks because of DRM.
I've had paid-for games not launch the single-player because the DRM determined that I didn't start the game while online.
I've had paid-for games not installed because the DRM maker wrongly assumed the only use for them is to copy commercial disks.
So yes, DRM is malware and Mike is right on the money on this issue.
Re: Re: Re: Re: Not DRM...
the dumbshits made their own DRM that was only sposta crash "pirates" but it randomly affected legit copies as well :P
Re: Re: Re: Not DRM...
I've had security risks because of DRM.
I've had paid-for games not launch the single-player because the DRM determined that I didn't start the game while online.
I've had paid-for games not install when a DVD burner was detected because the DRM maker wrongly assumed the only use for them is to copy commercial disks.
So yes, DRM is malware and Mike is right on the money on this issue.
Re: Re: Re: Not DRM...
There have been STUDIES, by legitimate companies, everywhere that have, and do state right up that DRM does NOTHING to deter piracy rates. NOTHING. They have done nothing, they continue to do nothing. The reason DRM even exists is just because the companies stop potential product leaks before the game's released. That's literally all DRM is for now.
DRM is pointless, essentially, except for not leaking your product one day ahead or so. Hackers get past it no problem. The only 'problem' is online-only DRM, and we've already seen the backlash from that with Diablo 3 and Ubisoft.
DRM is, by definition, evil. You're literally punishing your legitimate customers for paying for a product, because you think they're all just thieves or pirates or infringers and treat them as such.
CD Projekt Red said something along the lines of DRM, in fact, that point out how stupid and useless it is; did they use it? Sure. But then they sent a patch removing it. It's that simple.
The only way to combat piracy is by providing a superior service. If you ignore that, you're ignoring reality. So go ahead and ignore reality, it's not like logic's stopped you before.
Re: Re: Not DRM...
You've got a valid point on this one. I love any chance to bash Ubisoft; if you look at my post history I spent a while the other week trashing Blizzard for the whole Diablo 3 always-online mess and it's something I take very seriously. Yet the fact is this plug-in could have been a feature of a completely DRM-free Ubisoft store/social system. It's mind numbing that they let it happen and it calls into question my willingness to have anything from them installed on my system, especially if it's something as intrusive as DRM can be.... but ya... not a case for "DRM IS EVIL" this time I feel.
Re: Re: Re: Not DRM...
If this was not part of a DRM system then you wouldn't have been forced to install it. And while a lot of people may have installed it anyway for whatever reason, the only reason everyone who owns a Ubisoft PC game has it installed is because of the system's role, as a whole, as acting as DRM.
The plugin and the hole it creates is not directly related to the DRM but it is a required feature of it.... take that as you will.
Re: Re: Not DRM...
You are REQUIRED to login to uplay (which is done through a browser) to launch the game.
Perhaps, you should understand what you're talking about *BEFORE* spouting off about it.
Re: Not DRM...
But to my understanding, this plugin is not specific to any game but rather comes from Ubisoft's Uplay (which is a DRM in itself). So the plugin actually comes from a half-assed DRM tool. So in the end the article's point still stands.
This ain't DRM!
And now we know the truth!
Ubisoft is nothing more than a company that produces nothing but spyware and is knee deep in phishing scams.
They want all your data!
Piracy incentive
Re:
IP publishers don't really understand the concept of customers voting with their wallets. The publishers assume that they will have sales growth year after year, no matter how crappy the music/movies/games are. Any shortfall in that expected growth is assumed to be piracy.
Re:
The publishers just assume that if they are not making money hand over fist that people are pirating it instead of buying it (they don't need or even want proof, they just want to blame piracy for their latest craptastic game with its craptastic DRM, not selling), and that means they need more DRM... and so the cycle continues.
[ link to this | view in chronology ]
Sony was subjected to a massive (verbal) hit in the media and blogs, but afaik was not prosecuted for their egregious behavior nor did they suffer much financially. A few people refuse to knowingly purchase anything from Sony, but the majority remain unaware or do not care. Can you imagine the uproar and righteous indignation resulting from an individual secretly installing a rootkit on millions of personal and business computers? Certainly we would be in need of a rootkit czar to coordinate the efforts of the war on rootkits.
Re:
Skype is suddenly more tappable.
All internet traffic seems to be going through black boxes, but I shouldn't worry if I am "good people" (tm).
They keep pushing to have a copy of my use of the internet for 2 years, again saying if I am "good people" (tm) I shouldn't be worried.
I have an agency blocked by law from spying on US citizens, harvesting massive amounts of data on citizens to make sure we all are "good people" (tm).
The pundits are screaming how hackers could set the Earth's core to detonate with a browser, but the response to corporations and agencies hacking people's machines/connections is to ask for the rights for them to do even more.
STOP BUYING
Re: STOP BUYING
While you say "Sucks to be them", we all have to suffer for their ignorance.
I have a hard time blaming those who are ignorant, so I would rather blame Ubisoft.
Re: Re: STOP BUYING
I'm pretty sure you wouldn't hesitate to blame the man who drove you over with his car, if you found out not only has he no driver's licence, but also never bothered to learn basic traffic regulations??
Re: Re: Re: STOP BUYING
How does that equate to ignorance? Your analogy is piss poor. I am sure you can do better.
Re: Re: Re: Re: STOP BUYING
I agree it may not happen very often these days, because by now it's pretty much too ignorant (and quite suicidal) for almost anyone to risk driving without basic knowledge how to avoid other "obstacles" on the road :-). But as an analogy (or hyperbole perhaps?) I believe it still stands. You solely would be to blame if you caused damage/harm by driving against regulations even if you didn't know which ones you were breaking, and this doesn't only go for driving. I think the legal principle is called "Ignorantia juris non excusat". This, as well, should not only go for law.
Bottom line - you should always know what you're buying. You can complain about any "features" of the product as much as you like, but as long as the manufacturer/author doesn't try to hide them, it was only your decision to buy the product without getting relevant information. And if he does try to hide them (see sony and their rootkit), well, personally that would be the last thing I ever bought from this company/person, ever.
Re: STOP BUYING
But yeah, I don't buy Ubisoft products or anything else that includes DRM malware.
Re: STOP BUYING
I do, but then the idiots in control of these things assume that the downfall in sales is due to piracy and double down on their idiot DRM tactics.
There's a 2-pronged approach required here. One step is to not buy DRM-infected crap. The other is to make sure the company knows that it's DRM, not another more convenient scapegoat, that's the cause of their dropping sales.
Re: STOP BUYING
I was really enjoying the game too and now the first thing I have to do when I get home is uninstall it. On the bright side it will let me go on to play one of the stack of other games I also bought in the Steam sale!
Re: STOP BUYING
I was playing this.
xenowar.net
Which is an Android version of the UFO: Alien Invasion.
http://ufoai.org/wiki/index.php/News
Ubisoft may be punished hard by this
[ link to this | view in chronology ]
It's like you can just see companies digging their own graves sometimes...
Re:
Privacy and security should not be an option, it should be a god damn right, with no exceptions to that fact.
These are the concerns that cyberbills should tackle, without having to do the very same thing (or worse) that the "cyberbill" is trying to prevent.
Re:
The government should only get involved in clarifying things like conducting research on security and how to develop things securely so they can open their mouth when things are flagrantly wrong.
Those same regulations over time will evolve into insurmountable barriers to entry into the market.
So no, no regulations.
Research into best practices and awareness campaigns are all good but actually trying to govern how things are done, especially in a field where there is no way to guarantee the final product will be bug free, is out of the question.
[ link to this | view in chronology ]
Mandate that all companies adhere to a strict privacy and update security regime, and if it is found that they have willfully ignored it, fine their ass.
Enough that it hurts, not to ruin, unless they consistently abuse, of course the amount would have to take the company into account, if you fine a company 10million, who clears 25million, more than likely they'll lift their socks. If you fine 10million to a company who clear 10billion, oh yeah, I'm sure that be enough incentive
Re:
It will be used as a barrier to the market and to exclude lesser players in fact galvanizing bigger players into the market which will have the ears of judges and government officials while the rest scramble.
Kill bit
In case of broken plugins like this one, both browsers have an automatically-updated blacklist to disable the plugin. It is often used when a badly written plugin is crashing the browser a lot in the wild.
For Mozilla, here it is: Blocklist npuplaypc.dll (uplaypc/Ubisoft Uplay) plugin.
UBISOFT ONLINE PRIVACY STATEMENT
“The security and confidentiality of your personal information is extremely important to us.”
“To prevent unauthorized electronic access to personal information, we . . . limit access to only those employees performing a legitimate business function”
“The security and confidentiality of your personal information is extremely important to us.”
This is not a rootkit
Specifically, an important part of what makes something a "rootkit" is that it uses privileged access to the machine to actively hide its presence from the OS itself.
This is a browser plugin that not only is plainly visible but can be disabled.
Re: Re: This is not a rootkit
What this is, is a crappily made program that exposes customers to huge risks.
And while he points out you can disable it, that would involve people knowing it was installed by the game, that the addon is a complete flaming failure that opens up a security hole all so this company could launch the game from your browser.
Ubisoft isn't the company breaking this story, it is security researchers. Ubisoft quietly updated the program and let everyone else take the lead on informing consumers about this.
Re: Re: Re: This is not a rootkit
I do think comparing the two is incorrect, though. They are disasters of different flavors.
[ link to this | view in chronology ]
However developers have the luxury of making online servers required for play(wow, d3, tor) which still allows them to charge for the software.
I'm wondering if Mike is also against that.
sony rootkit
Not DRM nor Rootkit
Well no, this is nowhere near a Rootkit. Rootkits modify the operating system's Kernel in order to hide locations from the user, such as a folder or file sitting at the root of your disk (C:\)
In fact, this isn't even DRM... Digital Rights Management enforces licenses and copyright restrictions.. This was just some terribly planned (Not even so much bad code, but an awful plan from the very get-go to remotely-launch random programs.)
For argument's sake, what I mean by bad plan, not bad code: If anything, when you click a link in a webpage it *could* trigger an already-installed launcher to run. Same way Steam and many other things work. You simply have the launcher register itself as a handler of some protocol.. Like the UBI:// protocol. Then whenever a link beginning with that protocol is clicked, your browser launches the UBI launcher and passes the address along to it... That way the enforcement is in the launcher and it's not just a random request to run *anything* on your machine.
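The design described in the last comment above, where a link only names a game and the launcher decides what runs, sketched as an added example (not code from the article, the commenter, or Ubisoft). The `ubi://launch/<game-id>` link shape, the install root and the game IDs are assumptions made up for illustration.

```python
"""Launcher-side validation for a custom URL scheme (added example)."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Everything below is assumed for illustration: the scheme name follows the
# commenter's hypothetical "UBI://"; the link shape, install root and game
# IDs are made up and are not Ubisoft's.
SCHEME = "ubi"
ACTION = "launch"
INSTALL_ROOT = PureWindowsPath(r"C:\Games\ExampleLauncher")
INSTALLED_GAMES = {
    "example-game-1": r"game1\game1.exe",
    "example-game-2": r"game2\bin\game2.exe",
}
GAME_ID = re.compile(r"[a-z0-9-]{1,32}")


class RejectedLink(ValueError):
    """Raised when a link asks for anything other than a known game."""


def resolve_launch(uri: str) -> list[str]:
    """Map ubi://launch/<game-id> to a fixed argv, or raise RejectedLink.

    Nothing from the link reaches the command line: the game ID is only a
    lookup key, and the executable path comes from the launcher's own table.
    """
    try:
        parts = urlsplit(uri)
    except ValueError:
        raise RejectedLink("unparseable link") from None
    if parts.scheme != SCHEME:
        raise RejectedLink("wrong scheme")
    # netloc must be exactly the action: no userinfo, port or other host.
    if parts.netloc != ACTION:
        raise RejectedLink("unknown action")
    # The web page gets no way to pass arguments or options.
    if parts.query or parts.fragment:
        raise RejectedLink("parameters not accepted")
    game_id = parts.path[1:] if parts.path.startswith("/") else parts.path
    # fullmatch rejects slashes, dots, quotes, spaces and percent-escapes,
    # so traversal and argument smuggling fail before any lookup.
    if not GAME_ID.fullmatch(game_id):
        raise RejectedLink("malformed game id")
    relative = INSTALLED_GAMES.get(game_id)
    if relative is None:
        raise RejectedLink("game not installed")
    return [str(INSTALL_ROOT / relative)]


def check(uri: str) -> tuple[str, str]:
    """Return ("launch", exe_path) or ("reject", reason) for one link."""
    try:
        return ("launch", resolve_launch(uri)[0])
    except RejectedLink as exc:
        return ("reject", str(exc))


# Constructed sample links, as a browser would hand them to the launcher.
SAMPLE_LINKS = [
    "ubi://launch/example-game-1",
    "UBI://launch/example-game-2",
    "ubi://launch/example-game-1?args=--extra",
    "ubi://launch/..%2F..%2Fother.exe",
    "ubi://run/example-game-1",
    "ubi://launch/example-game-9",
    "https://launch/example-game-1",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(check(link), link)
```

The caller would start the returned path directly, without a shell, so the only thing a web page can influence is which already-installed game is chosen.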