Hackers exploiting bug in DRM shipped with Windows

Microsoft promises to patch third-party anti-piracy software in XP, Server 2003

Microsoft Monday said it would patch a vulnerability in third-party anti-piracy software bundled with Windows after it acknowledged that hackers are already exploiting the bug.

According to the researcher who first reported the flaw, Microsoft has known of the vulnerability for at least three weeks.

In a security advisory issued late Monday, Microsoft said it would issue a fix for a vulnerability in an older edition of "secdrv.sys" -- a file also also known as Macrovision Security Driver -- that's part of the SafeDisc copy-protection scheme that Macrovision licenses to game publishers.

"The driver, secdrv.sys, is a dispatch driver developed by Macrovision and shipped on supported editions of Windows Server 2003, Windows XP, and Windows Vista," Microsoft said in the advisory. "This vulnerability does not affect Windows Vista."

Computerworld confirmed that secdrv.sys is present on stock installations of both Windows XP and Vista, but that the file creation dates -- February 28, 2006 and November 1, 2006, respectively -- differ, with the newer version included in Vista.

Microsoft also said that attacks were in progress. "We are aware of limited attacks that try to use the reported vulnerability," the advisory continued. "Microsoft will take the appropriate action [which] will include providing a security update through our monthly release process." Until then, Windows XP and Server 2003 users can download a more recent version of the driver -- marked with a creation date of September 13, 2006 -- from Macrovision's Web site.

The bug first surfaced three weeks ago, when Symantec researcher Elia Florio said an undocumented vulnerability in fully-patched XP and Server 2003 machines, was being exploited in the wild. Although he did not disclose the flaw, Florio's write-up gave several hints about the flawed file. He also reported that when notified, Microsoft said it was already aware of the problem.

"At the moment, it's still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files," Florio wrote in a posting to the Symantec security blog on October 16.

Within 24 hours, other researchers, using Florio's clues, had focused on secdrv.sys, found the vulnerability, and posted proof-of-concept code. "Despite there is no patch available, at the momment [sic], we are disclosing this information since an exploit has been caught in the wild so we see no reason to hide information that can be useful for administrators and researchers," said someone identified only as RubA©n on the Bugtraq security mailing list October 17. [A corrected version of the Bugtraq message was posted the next day, October 18 -- Ed.]

Florio classified the vulnerability as a local privilege elevation bug -- meaning that an attacker would need local or authorized access to the PC before successfully running an exploit -- but some researchers cautioned that it was dangerous nonetheless. An advisory posted by eEye Digital Security, for instance, said it could be paired with another attack. "The most common exploit scenario would be to couple an exploit for this vulnerability with a user-based exploit (file-format, client-side)," said the eEye alert. "This allows the attacker to launch a remote attack (web-page, email) to execute code that would then launch this attack."

eEye rated the vulnerability as "medium," and warned that attacks might become widespread.

It was not known late Monday why Microsoft bundles the Macrovision driver with Windows. The company was not available for comment, and its security advisory was mum on the subject.

Macrovision pitches its SafeDisc digital rights management (DRM) software to PC game publishers, and touts such characteristics as Automatic Asymmetric Code Blending as part of the package. "Without using a developer's time or resources, automatically intertwine as many as hundreds of Secure Data Types (SDTs) with game code, making it extremely difficult for hackers to remove the security components without essentially crashing the game," Macrovision says on its Web site.

Microsoft did not specify a timetable for patching the Macrovision driver -- or simply pushing the newer version to Windows XP and Server 2003 users -- but its next regularly-scheduled security update is next Tuesday, November 13.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest News Articles

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?