Ubisoft UPlay may accidentally contain web plugin exploit, Ezio would not approve (update: fixed)

If you've played Assassin's Creed 2 (or other Ubisoft games), you may have installed more stealthy infiltration than you bargained for. Some snooping by Tavis Ormandy around Ubisoft's UPlay looks to have have discovered that the service's browser plugin, meant to launch locally-stored games from the web, doesn't have a filter for what websites can use it -- in other words, it may well be open season for any maliciously-coded page that wants direct access to the computer. Closing the purported, accidental backdoor exploit is thankfully as easy as disabling the plugin, but it could be another knock against the internet integration from a company that doesn't have a great reputation for online security with its copy protection system. We've reached out to Ubisoft to confirm the flaw and learn what the solution may be, if it's needed. For now, we'd definitely turn that plugin off and continue the adventures of Ezio Auditore da Firenze through a desktop shortcut instead.

Update: That was fast. As caught by, the 2.0.4 update to UPlay limits the plugin to opening UPlay itself. Unless a would-be hacker can find a way to compromise the system just before you launch into Rayman Origins, it should be safe to play.