AntiPiracy Macrovision Bug is Actually Six Years Old

twitter writes "A recently reported Macrovision bug has actually been around for six years, according to Computerworld. 'Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today. The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista ... users do not have to play a SafeDisc-protected game to be vulnerable.' The article goes on to play down danger and claim that Vista is safe, but ZDNet notes: 'Malware authors are actively exploiting a zero-day privilege escalation vulnerability ... [which] can be exploited overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges. This facilitates the complete compromise of affected computers.'"

Yay DRM.

[RandoX (828285)]

Can Macrovision be held liable for losses?

Re:Not a bug

[TheMeuge (645043)]

It's not a bug, it's a feature.

DRM: It's not just wrong

[blueZ3 (744446)]

It's wrong in so many ways.

I'm not a big fan of the "oh noes! DRM is the suxors!" crowd, because I'm rational enough to see both sides of the DRM issue: producers want to get paid, consumers want full control over what they've bought. But there are a lot of reasons DRM sucks, besides the wild conspiracy theories and the "porn just wants to be free" arguments that you regularly see on /. This article is an example.

Letting some (lame) third-party, like Macrovision, put hooks into the OS, and then have no cle

DRM doesn't help producers make money

[LKM (227954)]

I'm not a big fan of the "oh noes! DRM is the suxors!" crowd, because I'm rational enough to see both sides of the DRM issue: producers want to get paid

Here's what you're missing: DRM hurts precisely those people who actually do pay the producers.

If I buy a DVD in a store, I get the hassle of DRM, and putting it on my iPhone is going to be complicated. If I just download the movie from the Internet, I just open it in QuickTime and export to iPhone. If I buy music in the iTunes Music Store, I can't easily use it on my PC at work, unless I authorize it with my iTunes login, only to forget to de-authorize it if I get a new computer or reinstall the OS. If I just download music, I have none of these issues.

Now, I do buy DVDs, and I do buy music from the iTunes store, and I do buy a lot of stuff with DRM. But I do not buy these things because they have DRM, but despite of it. DRM is actually an incentive to not give the producers money; without DRM, they'd see a lot more money from me.

Re:

[Dog-Cow (21281)]

Apple's DRM has zero affect on non-Apple anything.

Re:Yay DRM.

[vtscott (1089271)]

Pff. When you installed windows you agreed not to hold them liable. [microsoft.com]

17. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATON, SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Oh, you didn't know about those terms when you bought the product? And you want to return software that's been opened? It was in all caps, surely you could have read that through the box.

So, the slashdot lameness filter doesn't like the the clip of the microsoft eula I posted because it has too many caps. Well I'm not retyping all of that in lower case, so I guess I'll post another part of the eula that doesn't abuse the caps lock key...

18. LIMITATION OF LIABILITY AND REMEDIES. Notwithstanding any damages that you might incur for any reason whatsoever (including, without limitation, all damages referenced herein and all direct or general damages in contract or anything else), the entire liability of Microsoft and any of its suppliers under any provision of this EULA and your exclusive remedy hereunder (except for any remedy of repair or replacement elected by Microsoft with respect to any breach of the Limited Warranty) shall be limited to the greater of the actual damages you incur in reasonable reliance on the Software up to the amount actually paid by you for the Software or US$5.00. The foregoing limitations, exclusions and disclaimers (including Sections 15, 16 and 17) shall apply to the maximum extent permitted by applicable law, even if any remedy fails its essential purpose.

Re:Yay DRM.

[Volante3192 (953645)]

EULAs are shaky legal ground though; they're untested. Just because they say they're not liable doesn't mean it's been held up in court. They're there to scare people into thinking there's no recourse.

Re:

[truthsearch (249536)]

Not necessarily. At least one court has found that a shrink wrap license is enforceable [bitlaw.com].

Re:

[Volante3192 (953645)]

Hrm, gray area...

First paragraph:

...Shrinkwrap licenses are enforceable unless their terms are objectionable on grounds applicable to contracts in general (for example, if they violate a rule of positive law, or if they are unconscionable). Because no one argues that the terms of the license at issue here are troublesome, we remand with instructions to enter judgment for the plaintiff.

But it seems the only aspect of the licence that was questioned was the following:

This license, which is encoded on the CD-ROM disks as well as printed in the manual, and which appears on a user's screen every time the software runs, limits use of the application program and listings to non-commercial purposes.

Other aspects of EULAs, specifically the arbitration clauses, have been found to be unconscionable ( http://games.slashdot.org/article.pl?sid=07/06/08/2017257 [slashdot.org] ). It all depends on which part of the EULA you're going after.

Re:

[reebmmm (939463)]

This is not very good legal analysis or advice. EULAs are far no "untested" (though, the same is not necessarily true for browsewrap agreements).

EULAs are very much enforceable and have definitely been held up in court. Like any contract, though, some have certainly been found to be unenforceable in their entirety or in part. Those that are denied enforceability have some other procedural or technical flaw, usually proper notice.

In addition, as between a company and a consumer, there are definitely some hur

Re:

[jZnat (793348)]

Well I'm not retyping all of that in lower case

Some geek you are! guG or similar in Vim is all you need.

Re:

[Holmwood (899130)]

The company that sold you the dead parrot... err... dog... might well be required to refund you your purchase price, sure.

The distinction is, if the dog they sold you fails to apprehend an intruder who robs you blind, they're not liable for everything he stole.

Similarly, if some piece of software you purchase for $500 crashes and corrupts your hard drive, the developer isn't liable for the $100,000 (pick a number) worth of data you have on the drive.

Limitation of liability is important, and not just for 'ev

Here is update (Macrovision SECDRV.SYS Driver)

[holywarrior21c (933929)]

Upgrade your driver here: http://www.macrovision.com/promolanding/7352.htm [macrovision.com]
Microsoft Security Advisory(944653)http://www.microsoft.com/technet/security/advisory/944653.mspx [microsoft.com]

Re:

[Sen.NullProcPntr (855073)]

Can I just delete secdrv.sys?

AFAIK I don't use any macrovision disks.

Re:Here is update (Macrovision SECDRV.SYS Driver)

[BlueStrat (756137)]

Can I just delete secdrv.sys?

AFAIK I don't use any macrovision disks.

Well, I just renamed the files to $secdrv.sys (I found 2 copies..one in system32/drivers and one in a game folder (MechWarrior4 Vengeance, in mw4x folder) and the game still loads and runs.

Cheers!

Strat

Re:Here is update (Macrovision SECDRV.SYS Driver)

[Nom du Keyboard (633989)]

Well, I just renamed the files...and the game still loads and runs.

Did you reboot after the rename, and ensure that the rename still held? DRM seeks to protect itself.

Why are they shipping this in business computers?

[140Mandak262Jamuna (970587)]

This is complete lunacy. Almost all corporations prohibit their users from playing computer games on their PCs. The fastest safest thing for MSFT would be to tell its customers, "If you are not playing macrovision protected games in your computer, just rename this xxx.dll or yyy.sys file."

Why was it not disclosed to the corporate customers that a dll or a sys file, that is exclusively used to play games published by a particular vendor is bundled and installed on ALL their computers? What are the priorities here? We have been pained enough by MS-Office suddenly demanding you to pop in the origial CD/DVD-ROM to get a particular module. But they don't want their users to be hassled to fetch the original disc to get a driver used only by a subset of users. How screwed up this set up can be? Why are not the corporate customers demanding a full disclosure of what is being bundled, and why and what can be safely removed from their computers?

Does the total cost of ownership studies include the cost of keeping up with these security disclosures and applying patches to the holes?

Re:Why are they shipping this in business computer

[Hatta (162192)]

How are they shipping this on computers anyway? Isn't Macrovision that crap that makes it impossible to dub VHS tapes without the gain going crazy and looking awful?

Re:

[petermgreen (876956)]

That is macrovisions most famous defective restricted media system (mainly because it was one of the first defective restricted media systems created) but it is far from thier only one.

Re:Why are they shipping this in business computer

[MarkGriz (520778)]

More to the point, why in the world would this file even be included on Windows Server 2003?
Not all business prohibit games, but I doubt there are any sysadmins playing games on their server machines.

Re:

[gEvil (beta) (945888)]

Not all business prohibit games, but I doubt there are any sysadmins playing games on their server machines.

You severely overestimate the brainpower of a Windows sysadmin.

Other apps some times use the same copy protection

[Joe The Dragon (967727)]

Non Game apps some times use the same copy protection that games use and some M$ apps do use copy protection as well.

Re:Why are they shipping this in business computer

[sqlrob (173498)]

Copy protection != games. Business related software can certainly be protected (cf. Quickbooks)

Re:Why are they shipping this in business computer

[truthsearch (249536)]

There are many files included with Windows that corporate desktops don't require. One of my past employers chose to remove any unnecessary files. Even with a large Microsoft contract, Microsoft refused to disclose the details of every bundled DLL and EXE. So a small team of people deleted each file, one by one, and tested every desktop app in use in the company, until they determined the set of files they didn't need. It's almost silly, but if you're determined Microsoft leaves little choice. (I would have used one of those apps that shows every DLL in memory, but the idea is the same.)

This of course causes problems later, like when a patch or service pack requires a DLL that it never needed before. Or one of the custom apps adds a new feature and needs an OS file that's not part of any standard desktop in the company.

Microsoft isn't interested in giving customers exactly what they need. They prefer to generalize the OS to maximize revenue. These are just some of the negative consequences.

There's a solution!

[VincenzoRomano (881055)]

Don't worry, windowers!
All these problems will loose any meaning with ... Windows 7 [wikipedia.org]

1) Accountability 2) Technical integrity

[dpbsmith (263124)]

How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure? Why does Vista allow Macrovision's component to do whatever it likes?

Is this a case where Microsoft allowed "signing" to be a substitute for good engineering?

Even if the act of buying Windows implies that I trust Microsoft, does the act of buying Windows imply that I trust Macrovision?

When I buy a home computer with Windows on it, do I even know all of the companies that have contributed content that is included on the hard drive at the time of purchase? Do I have a list? Have I agreed to trust them all? Does Vista trust all of them? Could all them them punch holes in Vista's security if the vendors that supplied them don't have engineers as competent as Microsoft's?

Re:

[A beautiful mind (821714)]

Could all them them punch holes in Vista's security if the vendors that supplied them don't have engineers as competent as Microsoft's?

Let's stop asking highly theoretical questions.

Software freedom is the cure.

[jbn-o (555068)]

How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure?

This has to do with the software being proprietary, not coming from a third party.

How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure. Apparently bugs will go unfixed for years because only the proprietor is allowed to fix the bugs. However, the proprietor is unmotivated to fix bugs until the proprietor is pushed (through publicly announced exploits, better competition, and so on). All the while you, the user, are denied complete control over your computer.

The cure is simple: install nothing but free software [gnu.org] on your computer. Give yourself the freedom to inspect, change, and share the software, hire someone else to do it for you, or leverage the talent of a community of hackers improving free software all the time. This is not about making everyone a programmer, it's about giving people the freedom to control their computers while building a society of cooperation and social solidarity. Proprietary software denies you your software freedom, so deny proprietary software a place on your computer.

Re:

[I'm Don Giovanni (598558)]

"How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure."

huh, I didn't know that software verification had been perfected such that FLOSS was "verifieable" as "secure".
The fact is, FLOSS "security is unverifiable by anyone I can trust and therefore unworthy of being considered secure."
I don't know who is "verifying" the security of FLOSS. Li

Fixed in Vista - WTF?

[shadow_slicer (607649)]

Thanks to this security review, this vulnerability is not present in Windows Vista

So they fixed it in Vista, but didn't send out a security update for the other systems?

you mean...

[realkiwi (23584)]

... XP has been around for 6 years? And Dell is still offering it?

MS have known about this bug but didn't update.

[Rashkae (59673)]

FTFA, the bug was fixed in Vista, becasue "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver."

Hackers only started exploiting this 3 weeks ago, but MS must have known about this for 6 months at least. Macrovision even offers an update for WinXP on their web site based on the same fix, but MS never pushed the update through their security update mechanism, and even now, isn't commiting to it.

So, to recap for those keeping score at home, you now have to download patches for Windows system files from Macrovision's website! MS bashers have a goldmine to work from here.

Re:MS have known about this bug but didn't update.

[jo42 (227475)]

The 'fixed' secdrv.sys in SECDRVSYS.zip from Macrovision's web site is dated 2006-09-13.

So it has been over a year...

Re:MS have known about this bug but didn't update.

[Dan East (318230)]

Hackers only started exploiting this 3 weeks ago ...that we know of. It is likely that on some irc channel a couple of hackers are congratulating themselves on having kept this exploit under wraps for the last half decade.

Dan East

What is the vulnerability?

[Monty845 (739787)]

It should be required that any story about a security hole indicate whether user interaction is required for the system to be comprimised... If I have to download/run something then I could care less... only if the vulnerability can be exploited remotely with NO interaction on my part do I care... There are many stories that hype threats were it all boils down to the user running something they shouldn't have.

How is this vulnerability exploited?

Re:

[argent (18001)]

During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. In my tests the exploit seems to work successfully against a fully patched Windows XP-SP2 and also Windows 2003-SP1. At this time, Vista does not seem to be affected by the problem.
-- Elia Florio [symantec.com]

Local privilege escalation.

Re:

[garylian (870843)]

Reading the actual article FTW!

It came packaged with every copy of Windows XP (and Server 2003) that M$ has sold.

Windows 2000 is still immune. :)

[argent (18001)]

Makes me doubly glad I've stuck with Windows 2000 all these years.

Remove secdrv.sys.

[argent (18001)]

The only purpose of secdrv.sys is to run games that depend on "SafeDisc" copy protection. If you don't play games on your computer (or you shouldn't... corporate users take note) you don't need it, and if you do you only need it to play games using this particular scheme.

This is a local privilege escalation exploit. An attacker will have to use some other exploit to get onto your computer before using this one to get system privileges. This is another reason for corporate administrators to eliminate the dri

Re:

[sqlrob (173498)]

No, it's to run SOFTWARE with SafeDisc. Although it is probably a game, there's nothing that says it will definitely be a game.

I'm a pirate.

[Bellewether (972797)]

...and more of my discretionary income goes towards games than anything else. There was an article here this week (http://yro.slashdot.org/article.pl?sid=07/11/03/048256) about the most profligate music pirates being the biggest music *buyers* as well- same principle.

However...the industry, especially PC gaming, has lost quite a few purchases from me because of copy protection. Just a few examples:

I loved Neverwinter Nights. Would have bought the Infinite Dungeons mod, but it requires an always-on net connection while you play to verify you're not a pirate. Screw that.

Starforce? Any Starforce'd game is automatically disqualified from my consideration.

I don't buy games that use Securom or Safedisc anymore, either. As a pirate, I find it inconvenient to have to download bypasses so I can run stuff on my Daemon Tools-happy gaming box. I almost bought Civ 4 and its expansions recently, but the DRM dissuaded me- though it won't stop those who torrented it from downloading a workaround.

I import games. Over the past year or two I've imported multiple games that would never have been released in the U.S.- the Touhou series, both Ouendans... but I won't do so for any console that has to be modded, because it's too much of a pain. If it weren't for that, I would have bought SO much crap for my PS2- guess I'll never buy any of those Cave shooters.

I'm a huge Megaten fan and will gladly buy FES the day it hits stores, assuming it's released stateside, even though FES is generally considered mediocre. If it weren't for emulation, I might not even be a fan of the series. Atlus acquitted itself pretty poorly with its release of the first two Persona games in the U.S.; it was actually the fanslation/romhacking scene's English patches for SMT1 and 2 that got me into the series. (I remember a comment from another Slashdotter who wrote the same thing in another copy-protection thread, too.)

The funny thing is, if I wanted to bypass any of this copy protection, I easily could. Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle. Me, I prefer to wean myself off the companies who resort to copy protection. There are plenty of other games out there which are just as good and don't involve all the bullshit- more than I have the free time to play, in fact. I'll just buy some of those instead.

And the games that I DO pirate? Those are the ones I wouldn't have bought anyway- though you only have my word on that. Ever spend time on a forum for an Atlus game? Atlus fans know damn well that they're not dealing with automatic-trillion-sellers like Madden 200X: Same Shit, New Roster or World War 2 Shooter: The Shootening. They (we) will tell other fans to buy, and buy a *new* copy, *before* price drops, *because we want Atlus to release more games we like*.

So: can somebody explain to me why all this antipiracy stuff is necessary? Or even prove to me that it isn't outright counterproductive? Last I heard, Galciv and Stardock were doing just fine.

I've played this game from both sides.

[argent (18001)]

Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle.

I did that around 1981 when I went to the local "unlicensed software distributors" at the University to get a cracked copy of Wizardry written out on top of my gold-labeled store-bought floppy because the copy protection had made the original unplayable... which meant I may have had the only "legal" cracked copy in existence. I ran into the author of the game online many years later, and he thought that was pretty amusing.

Several years later a friend and I released a game for the Amiga and since the publisher required copy protection we came up with a copy protection scheme for it that didn't require modifying the OS or bypassing the driver, and allowed the protected disks to be created using a regular script. Since we knew that copy protection was a speedbump, we came up with some speedbump-quality protection that would still do a better job at blocking the most common cracking tools than the "professional" and more intrusive protection schemes.

What we did was take advantage of the way the Amiga identified disks by using a unique ID in the disk header. All copy protection cracking tools we knew of generated a new ID by default, so that the user wouldn't get an error from the OS if they left the original and the copy both in the drives after they exited the program. We stored an obfuscated copy of the ID in file comments, and ran in "demo mode" if they didn't match. It didn't pop up any warning screens, it just wouldn't let you get past the 'attract mode' display. This meant that most people just using a "raw" copier would get an apparently "damaged" copy that still kind of worked... we figured this was unintrusive and at least as good a speedbump as you got from a scheme that had defeat code preprogrammed into the copying tools, for the week or so before it got figured out and our scheme got added to the rest.

We provided our publisher with detailed instructions, explanations, and a set of disks to use to create the copies if they didn't use an image duplicator. They fobbed production off on another company who blithely used one of the cracking tools we were targeting to do the production run. If they'd used a normal image duplicator or our scripts everything would have been fine, but instead all the shipped copies came up in demo mode. Of course the game had to be recalled, and we missed the Christmas launch.

Copy protection (whether you call it copy protection or DRM) increases the costs and risks of production and just plain doesn't do anything more than flashing a "don't pirate this game" splash screen would.

Re:I've played this game from both sides.

[99BottlesOfBeerInMyF (813746)]

My favorite copy protection was in the game "Escape Velocity." I'm not referring to the mechanism, just the way it was implemented. Unregistered version beyond 30 days did not stop working, or do anything annoying, except occasionally a special, unkillable space ship would show up tell you they hate pirates and attack you... forcing you to jump to another star system or two and escape. Coders that go to that kind of effort inspire me to not only buy the game, but encourage others to do the same.

Re:I've played this game from both sides.

[Lothsahn (221388)]

And after a while, that ship appears ALL THE TIME.

I bought the game, but my friend didn't. :) I think it's the only game he DIDN'T crack, because it was so ingenious, he actually kept trying to run from the ship, instead of cracking the game.

Local Exploit Only, and Very Unlikely

[ThinkFr33ly (902481)]

This can only be exploited locally, so the chances it will affect any significant number of people are very small.

Since virtually everybody who uses Windows XP runs as admin, there would be no reason to use this exploit, since if you get code to run on the target machine, it's already running as admin.

For Windows Server, a bad guy with local access is going to be rare, and most admins don't usually download and run random code on their servers. The one exception might be a server used as a terminal services provider, but I can't imagine that's particularly common. Plus, standard domain policy best practices would prevent unsigned/unapproved code from being run by any non-admin anyway, so it's really not an issue.

Lastly, Vista isn't affected, both because it includes the newer version of the DLL, and because the privilege elevation itself would not be possible thanks to some new security measures in Vista's kernel.

So while it makes a great "DRM Sucks!" story, the security ramifications of this bug are essentially zero.

Re:

[ThinkFr33ly (902481)]

Which is different than running as SYSTEM.

Effectively, it is not. The only real difference is that the SYSTEM account has access to terminate/modify certain processes directly, where as Administrator must essentially request that they be done by SYSTEM.

For instance, there are some processes that run as SYSTEM that you can't kill in Task Manager, but that can be killed via certain administrative commands that are then run as SYSTEM.

In fact, SYSTEM typically has FEWER privileges than Administrator because some network operations can't be done by SYS

Macrovision is legally vulnerable

[Animats (122034)]

If anyone incurs costs as a result of this, they can sue Macrovision. Macrovision isn't protected by Microsoft's EULA. (Nor can it be; there's a legal concept called "privity" that applies to third party issues like this.) The end user has no contractual relationship with Macrovision. So there's nothing protecting them from a negligence lawsuit.

Macrovision is as vulnerable as Sony was.

0 Days

[DrSkwid (118965)]

0 days is the length of time Windows goes without a critical vulnerability.

shaking my head...

[logicassasin (318009)]

Wow... It's 2007 and some people still don't get it.

Many people (myself included) would love nothing more than to move away from M$ products but, sadly, are trapped in them because of the applications we use. I can't use linux for music production and the particular apps I use don't exist under MacOS (Sonar 6 and FL Studio). While I can certainly do Flash authoring under OSX, I can't under Linux. One of my PC's has an old Matrox Mystique220 with Rainbow Runner Studio in it. There are no Linux drivers for it

Alternate solution. :)

[argent (18001)]

if not exist "%windir%\system32\drivers\secdrv.sys" goto ok
del "%windir%\system32\drivers\secdrv.sys"
echo "Removed Safedisc driver"
:ok