Ubisoft says yesterday's story about a rootkit being found in Uplay is false, denies the "rootkit" angle altogether, and blames "a coding error" for the security hole. After quickly patching the Uplay software yesterday, the company issued a statement saying that a coding error was why the software could launch any executable on a remote computer, a fact hackers demonstrated with a proof of concept this week.
"The Uplay application has never included a rootkit," a spokesperson told Kotaku. "The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed unintended access to systems usually used by Ubisoft PC game developers to make their games."
"The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they’re being made," the spokesperson continued. "This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine."
One thing the company did not do in its statement is apologize to consumers who would have been vulnerable to such an exploit, nor did it thank the whitehat hackers who uncovered the vulnerability. To its credit, Ubisoft had the security hole plugged in less than eight hours after news of the exploit broke.
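The flaw class described in the statement, a launcher that lets the caller name the program to run, is shown here beside an allowlist-based alternative. This is an added example, not Ubisoft's code or its actual fix; the game ids, paths, flags and function names are all hypothetical.

```javascript
'use strict';

// Constructed catalog: the only programs this launcher may start, keyed by an
// opaque game id. Ids and paths are placeholders, not real Uplay values.
const INSTALLED_GAMES = new Map([
  ['game-001', 'C:\\Games\\game-001\\game.exe'],
  ['game-002', 'C:\\Games\\game-002\\game.exe'],
]);

// The only arguments a web page may pass through (hypothetical flags).
const ALLOWED_FLAGS = new Set(['--windowed', '--safe-mode']);

// Flawed pattern from the statement: the untrusted caller names the program.
function resolveLaunchUnsafe(request) {
  return { exe: request.exe, args: request.args || [] };
}

// Hardened pattern: the caller names a game id and the launcher picks the
// binary; unknown ids, explicit paths and unlisted arguments are refused.
function resolveLaunch(request) {
  if (typeof request !== 'object' || request === null) {
    return { ok: false, reason: 'malformed request' };
  }
  if ('exe' in request) {
    return { ok: false, reason: 'executable path not accepted' };
  }
  if (typeof request.gameId !== 'string' || !INSTALLED_GAMES.has(request.gameId)) {
    return { ok: false, reason: 'unknown game id' };
  }
  const args = request.args === undefined ? [] : request.args;
  if (!Array.isArray(args) || !args.every((a) => ALLOWED_FLAGS.has(a))) {
    return { ok: false, reason: 'argument not allowed' };
  }
  // Result is meant for an argv-style spawn (no shell), e.g. execFile(exe, args).
  return { ok: true, exe: INSTALLED_GAMES.get(request.gameId), args: [...args] };
}

// Constructed requests, as a web page might send them to the plugin.
const SAMPLE_REQUESTS = [
  { gameId: 'game-001', args: ['--windowed'] },
  { exe: 'C:\\Windows\\System32\\calc.exe' },
  { gameId: 'game-001', args: ['--run=C:\\temp\\other.exe'] },
];
for (const req of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(req), '->', JSON.stringify(resolveLaunch(req)));
}
```

Developer-only launch options, like the ones the statement mentions, belong behind a separate build or a local-only switch rather than in the interface a web page can reach.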