Capcom promises Street Fighter 5 rollback after "rootkit" discovered in the latest update

A furor has erupted over a new “anti-crack solution” in Street Fighter 5, which actually installed hidden, unsecured "rootkit" in Windows. Its presence came to light when players noticed that the most recent update was seeking “kernel level” access to Windows for no apparent reason; worse, according to this thread, the Capcom.sys driver at the heart of the problem “doesn't specify any security, so any user at any privilege level can attempt to open and control the device.”

“It sets up custom handlers for opening the device object, closing the device object, and performing ioctls on the device object. This is pretty normal, although a driver that didn't set up basic security when creating its device should perform security checks when opening the device. This driver does not,” redditor extrwi explained. “The ioctl handler is where everything 'interesting' happens. It checks for control codes 0xAA012044 and 0xAA013044, does some buffer size checks, disables supervisor-mode execution protection and then runs the arbitrary code passed in through the ioctl buffer with kernel permissions. In short, this driver creates a back door which can allow a non-privileged user to run code with permissions of the kernel.”

The offending file came into play as part of a client-side security update Capcom released earlier this week. “As a part of the new content and system update releasing later today, we’re also rolling out an updated anti-crack solution (note: not DRM) that prevents certain users from hacking the executable. The solution also prevents memory address hack that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet,” Capcom said at the time. “The anti-crack solution does not require online connectivity in order to play the game in offline mode; however, players will be required to click-confirm each time they boot up the game. This step allows ‘handshake’ to take place between the executable and the dependent driver prior to launch.”

A number of users on Steam are reporting that Street Fighter 5 refuses to run since the update, but the bigger problem is the security risk the unsecured driver creates. The Register has a technical breakdown of what's going on if that's your bag, but the summary hits the bottom-line nail pretty squarely on the head. “This means any malicious software on the system can poke a dodgy driver installed by SFV to completely take over the Windows machine,” the site says. “Capcom claims it uses the driver to stop players from hacking the game to cheat. Unfortunately, the code is so badly designed, it opens up a full-blown local backdoor.”

In response to the uproar, Capcom said on Twitter that it is now “in the process of rolling back the security measures added to the PC version of Street Fighter V,” a time-frame for which would be announced soon. In the meantime, according to multiple posts on Reddit, uninstalling the game will not make the Capcom.sys file go away: Until the rollback takes place, the only way to ditch it is to uninstall, reboot, and then manually delete the file from your System32 folder.

See more
Andy Chalk

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.