Capcom has immediately rolled back the latest Street Fighter V PC update after it installed invasive files to the user’s System32 directory, possibly compromising system security.
Read more: Best Street Fighter V Characters.
The file “Capcom.sys” was installed as a driver within Windows’ most sacred of directories purportedly as a security feature to prevent players from hacking the executable.
Capcom claimed the files, which users discovered had kernel access, would act as a non-DRM anti-crack solution which did not require internet access.
“The anti-crack solution does not require online connectivity in order to play the game in offline mode; however, players will be required to click-confirm each time they boot up the game,” theupdate notesstate. “This step allows ‘handshake’ to take place between the executable and the dependent driver prior to launch.”
By running the file through analysis tools,players on Redditfound that the kernel-level driver disabled Supervisor-Mode Execution Protection in order to run any instructions handed to it by the executable before then re-enabling SMEP.
SMEP is a feature of x86 processors which prevents, among other things, malicious code execution from sources outside of authorised memory pages. With it down, instructions no longer have to come from trusted locations in the system hierarchy and could easily be smuggled in by someone with knowledge of the virtual memory pages apps make use of.
The rollback to the PC version of SFV prior to the security measure update is now live. The new September content is included.
— Street Fighter (@StreetFighter) September 24, 2016
Needless to say, that’s a giant hole in your entire system’s security, which a lot of players weren’t happy about. As a result, Capcom issued a notice they would begin immediately rolling back the update. The new, driver-less, update is now live so if you were holding off getting that sweet new Urien skin and the rest of the September content, feel free to not get a rootkit installed on your machine now.
The situation was reminiscent of the 2005 Sony/BMG rootkit scandal which saw the music industry giant deceptively installing malware which prevented CD piracy, as well as collecting private information even if the EULA was declined. Sony was subject to several class-action lawsuits and state-mandated compensation payouts. So I guess 24 hours of irate gamers is a small price to pay.