Players who use the online Uplay client, published by Ubisoft, are invited to update the software since the versions previously distributed suffered a security breach to obtain code execution remotely from a single Web page.
Tavis Ormandy, a security researcher at Google, has recently discovered the existence of a major security flaw in the browser extension system participant Uplay, published by Ubisoft and associated with many of its flagship titles.
Uplay is as a software client that serves as an entry point for accessing the user's Ubisoft games. The platform allows the publisher to include valuing the purchase of new games by distributing, via codes, or access to exclusive content. During installation, the executable will also invite uplay.exe within the user's browser via an extension (plugin), allowing the launch of a game directly from a Web page.
Problem that was discovered by Ormandy was, 2.0.3 and earlier versions of the Uplay installer were not limited to permit the execution of a game from the browser. Insufficiently secure, the plugin opened the way for remote code execution without verification.
The case was soon to hit the mainstream on the Web, not without causing its share of harsh criticism. Ubisoft has responded quickly, on Monday, by proposing an update of the Uplay client, now available in version 2.0.4. The players involved have a vested interest to uninstall the version installed on their system prior to updating. They can also disable the plugin automatically associated with their browser via the Extensions menu of the latter.