Why does Tavis Ormandy (http://seclists.org/fulldisclosure/2012/Jul/375) keep putting fully usable proof of concept exploits out for widely deployed software without giving a vendor time to prepare a patch, or in this case, even notifying them? Off the top of my head, I remember he did this for the Windows Help Center exploit and the Java Web Start exploit. I can't understand why you would do this. You could at least give the vendor a couple of weeks, and then if you're super worried, release the details as soon as an exploit is found in the wild.
As-is, he just seems like a raging hacker who loves attention and doesn't care if thousands of unsuspecting users get their credit card details stolen by malware authors. I must be misunderstanding something, yeah?
What makes you believe they put it there on purpose? It appears to have a genuine (if insecure) purpose. Even the researcher's message on seclists implies he thought of it as a bug.
Protocol handlers are a pretty shitty way of interfacing with desktop apps. There's no two-way communication and no error handling. Lots of potential screw-ups and incompatibility issues will/can happen. Sure, they don't require a browser plugin but that's about the only advantage.
If they are going to install low level software on my computer they better be very sure it's properly coded.
Companies are often incompetent with security code. If you are expecting high quality secure code with consumer level software, you will often be disappointed.
Which is why going the full disclosure route prevents them from being insulated from their mistakes - otherwise, it becomes a moral hazard to keep playing nice with the approach to disclosure.
I don't subscribe to "never attribute to malice that which is adequately explained by stupidity". I'm not citing sources - hence it's just my opinion. Reminds me of google wifi slurping and hundreds of other cases where everyone plays dumb and swears it was all a misunderstanding. It never is. Until you get caught. And if not that it's a rogue trader, rogue reporter, rogue programmer, rogue scapegoat.
I'm not going to do any kind of full disclosure here (I know this is lame) but I work in video games so I know what it looks like from the other side. We're not all idiots here, we just do as we're told.
As a Vancouverite, I've seen enough layoffs to believe this entirely (you're fungible and replaceable). Still, I don't think that Ubisoft intentionally created a security issue, just that they didn't care about one that happened and deadlines were coming.
I didn't mean to imply that video game programmers were stupid... :)
I was saying it seems more likely to me that some random developer made a stupid mistake like this than that a company had real motivation to create this kind of security hole.
I suppose, alternatively, this could have been an individual developer's intent. An exploit like this would get a pretty penny on the exploit market, I'd think.
It's not a "feeling" when all evidence points to the fact that, like every security vulnerability ever, a feature was added that had unintended consequences. There's no way it's malicious: Ubisoft can't do anything with this that they can't do everywhere else in the actual applications themselves!
Who says it was malicious on Ubisoft's part? It could easily have been a rogue developer that saw an opportunity to install a backdoor on a ton of machines.
It could also have been the Russians, who planted a mole in Ubisoft's quality assurance division and, over time, laying low in a foreign country gaining the respect of his peers and bosses, slowly worked his way to the top of the food chain...
...where at last he installed his Russian Rootkit.
Or maybe some programmer added a feature that was insecure and they moved on to work on some bug that was crashing level three?
Usually both. (Note that with the internet you also have to be dumb, too, to believe you are not eventually going to be caught, no matter how malicious you are.)
What would "they" have to gain from this ability? Ubi already has the capability to execute arbitrary code on your machine via its Uplay software; they don't need a hole in a browser plugin for that.
A web-based portal. List all the games you have registered and click on the link to launch it, whether it's a game installed on your PC or a link to a facebook game.
Giving a browser plugin the ability to run any program on the user machine without any kind of validation or prompting is so stupid/evil that they deserve the worst PR backlash they can get.
Also, that's probably the quickest way to get them to release a fix.
I asked a question. If you're going to downvote me for having a wrong opinion, you should at least respond and tell me the answer to my question, like 'this is proper behavior for a security researcher because X'.
Those games are pretty mainstream, I can't imagine how many gamers are getting rooted as we speak. I'm glad Ubisoft are getting their asses kicked over this (especially with their history of aggressive DRM'ing) but for the users that's terrible. So no, I don't think that's very responsible.
That being said, installing a "sudo" plugin in everybody's browser without any security validation (if I understand correctly what this is about) would be hilarious if it wasn't that tragic. But gamers are gamers, they forgave Sony, they'll forgive Ubisoft too, and they'll never learn.
If you could install a sudo plugin in my browser when I install your game, that would imply that I could also have installed a sudo plugin. If I (a non-root user) can do that, you already have a problem. (I am assuming you mean a sudo plugin that does not need a password to root.)
You asked a very laden question. You have no doubt encountered discussions about full-disclosure to know the arguments against it; giving a one-sided rehash of that topic is a provocative way to invoke an old and tired discussion.
This appears to be an exploit one can mitigate simply by removing that plug-in from one's browser. As such, exposing it to all is a good thing. It needs to be patched ASAP, not hidden.
The question is whether it's easier for the security researcher or the users. I don't think it's easier for the users if they end up being exploited for weeks while the vendor rushes to fix it.
If the vendor tries to delay you for months or ignores you, sure. But it doesn't even seem like he tested the exploit here to understand whether it was a serious threat.
They're not his users, and the company, who allowed these vulns in the first place, isn't trying to pay him for his work; see Google, CCBill, Mozilla, etc.