Exploitable code has been discovered in a browser-plugin installed by some Ubisoft games as part of the Uplay service. The exploit allows malicious websites to remotely install software on a compromised PC without the user’s knowledge.

The exploit is accomplished by tricking the Uplay browser plugin into thinking that a given link contains legitimate Uplay code. In theory, this backdoor could be used to infect a computer with any malware desired. There’s no sign of a patch yet, so users need to look out!

Worse still, users who are vulnerable to this exploit may not even know a browser plug-in is installed. I personally fall into this category. Several days ago I installed a copy of Ghost Recon: Future Soldier. Ubisoft did not inform me that it had added a plug-in to my browser, so I was surprised to find that the vulnerable plug-in was installed.

The plug-in appears to install in all major browsers including Opera. You’ll need to go into your browser’s options to find and delete it. It always includes “Uplay” in its title, so it’s at least easy to find. Only Ubisoft games that require the Uplay service have this problem.

So far, there have not been any reported instances of the exploit being used in the wild. The discovery was publicized on Hacker News and has since been widely reported, so attempts to utilize it seem likely. Ubisoft has made an official announcement that informs players how they can fix the exploit.

Source: Rock, Paper, Shotgun