Ubisoft patches dangerous plugin flaw

Powered by SC Magazine
 

Add-on allows attackers to execute applications on user machines.

Ubisoft has scrambled to fix a vulnerability discovered in its web browser plugin that allowed web sites to execute applications on user machines.

The flaw was reported on the Full Disclosure mailing list by Google security researcher Travis

Ormandy who stumbled across the flaw while installing the Ubisoft game title Assassin's Creed Revelations.

The vulnerable browser plugin was installed on customer machines as part of a game package and was used to take command line arguments while games were in under development.

But the function allowed the application to run any executable.

Ormanday created a brief proof of concept code that allowed a website to launch the Windows calculator via the vulnerable plugin.

Hours after the Monday post, Ubisoft issued a patch to close the vulnerability, blaming the gaffe on a "coding error".

Ubisoft denied claims by users it had installed rootkits on user machines to preserve its contentious digital rights management.

Copyright © SC Magazine, Australia


Ubisoft patches dangerous plugin flaw
 
 
 
Top Stories
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
Photos: AISA National Conference 2014
Highlight's from Australia's volunteer-run information security event.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  23%
 
End user computing (desktops, mobiles, apps)
  12%
 
Software development
  27%
TOTAL VOTES: 233

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  62%
 
No
  38%
TOTAL VOTES: 72

Vote