Hackers exploiting bug in DRM shipped with Windows

Microsoft promises to patch third-party anti-piracy software in XP, Server 2003

Microsoft Monday said it would patch a vulnerability in third-party anti-piracy software bundled with Windows after it acknowledged that hackers are already exploiting the bug.

According to the researcher who first reported the flaw, Microsoft has known of the vulnerability for at least three weeks.

In a security advisory issued late Monday, Microsoft said it would issue a fix for a vulnerability in an older edition of "secdrv.sys" -- a file also also known as Macrovision Security Driver -- that's part of the SafeDisc copy-protection scheme that Macrovision licenses to game publishers.

"The driver, secdrv.sys, is a dispatch driver developed by Macrovision and shipped on supported editions of Windows Server 2003, Windows XP, and Windows Vista," Microsoft said in the advisory. "This vulnerability does not affect Windows Vista."

Computerworld confirmed that secdrv.sys is present on stock installations of both Windows XP and Vista, but that the file creation dates -- February 28, 2006 and November 1, 2006, respectively -- differ, with the newer version included in Vista.

Microsoft also said that attacks were in progress. "We are aware of limited attacks that try to use the reported vulnerability," the advisory continued. "Microsoft will take the appropriate action [which] will include providing a security update through our monthly release process." Until then, Windows XP and Server 2003 users can download a more recent version of the driver -- marked with a creation date of September 13, 2006 -- from Macrovision's Web site.

The bug first surfaced three weeks ago, when Symantec researcher Elia Florio said an undocumented vulnerability in fully-patched XP and Server 2003 machines, was being exploited in the wild. Although he did not disclose the flaw, Florio's write-up gave several hints about the flawed file. He also reported that when notified, Microsoft said it was already aware of the problem.

"At the moment, it's still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files," Florio wrote in a posting to the Symantec security blog on October 16.

Within 24 hours, other researchers, using Florio's clues, had focused on secdrv.sys, found the vulnerability, and posted proof-of-concept code. "Despite there is no patch available, at the momment [sic], we are disclosing this information since an exploit has been caught in the wild so we see no reason to hide information that can be useful for administrators and researchers," said someone identified only as RubA©n on the Bugtraq security mailing list October 17. [A corrected version of the Bugtraq message was posted the next day, October 18 -- Ed.]

Florio classified the vulnerability as a local privilege elevation bug -- meaning that an attacker would need local or authorized access to the PC before successfully running an exploit -- but some researchers cautioned that it was dangerous nonetheless. An advisory posted by eEye Digital Security, for instance, said it could be paired with another attack. "The most common exploit scenario would be to couple an exploit for this vulnerability with a user-based exploit (file-format, client-side)," said the eEye alert. "This allows the attacker to launch a remote attack (web-page, email) to execute code that would then launch this attack."

eEye rated the vulnerability as "medium," and warned that attacks might become widespread.

It was not known late Monday why Microsoft bundles the Macrovision driver with Windows. The company was not available for comment, and its security advisory was mum on the subject.

Macrovision pitches its SafeDisc digital rights management (DRM) software to PC game publishers, and touts such characteristics as Automatic Asymmetric Code Blending as part of the package. "Without using a developer's time or resources, automatically intertwine as many as hundreds of Secure Data Types (SDTs) with game code, making it extremely difficult for hackers to remove the security components without essentially crashing the game," Macrovision says on its Web site.

Microsoft did not specify a timetable for patching the Macrovision driver -- or simply pushing the newer version to Windows XP and Server 2003 users -- but its next regularly-scheduled security update is next Tuesday, November 13.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?