Update: The BBC is reporting that Ubisoft has rushed to patch the exploit unearthed by a Google engineer in its Uplay DRM. The company also issued instructions for Uplay users:
"We recommend that all Uplay users update their Uplay PC application without a Web browser open," Ubisoft said. "This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com."
Original Story: Ubisoft finds itself in the midst of another controversy over its DRM scheme this morning. According to Seclists.org, a Google security engineer has found a security hole in Ubisoft's Uplay digital rights management (DRM) software. Discussing what could be a rootkit in the DRM, Google security engineer Tavis Ormandy told Seclists about some unexpected behavior in Uplay after installing a copy of Assassin's Creed Revelations on his PC.
"I don't know if it's by design, but I thought I'd mention it here in case someone else wants to look into it," says Ormandy.
Commenters over at Hacker News have also published a "proof of concept URL" that allows someone to exploit a vulnerability in a browser plugin installed by Uplay. They were able to use this to launch the Windows calculator.
"Ubisoft installs a backdoor that allows any website to take over your computer," says one commenter.
Ubisoft hasn't publicly commented on the story yet. The Uplay DRM scheme is supposed to stop piracy, but that doesn't explain why it includes a rootkit in the mix. We'll have more on this story as it develops.