Ubisoft has scrambled to fix a vulnerability discovered in its web browser plugin that allowed web sites to execute applications on user machines.
The flaw was reported on the Full Disclosure mailing list by Google security researcher Travis
Ormandy who stumbled across the flaw while installing the Ubisoft game title Assassin's Creed Revelations.
The vulnerable browser plugin was installed on customer machines as part of a game package and was used to take command line arguments while games were in under development.
But the function allowed the application to run any executable.
Ormanday created a brief proof of concept code that allowed a website to launch the Windows calculator via the vulnerable plugin.
Hours after the Monday post, Ubisoft issued a patch to close the vulnerability, blaming the gaffe on a "coding error".
Ubisoft denied claims by users it had installed rootkits on user machines to preserve its contentious digital rights management.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.