AntiPiracy Macrovision Bug is Actually Six Years Old

twitter writes "A recently reported Macrovision bug has actually been around for six years, according to Computerworld. 'Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today. The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista ... users do not have to play a SafeDisc-protected game to be vulnerable.' The article goes on to play down danger and claim that Vista is safe, but ZDNet notes: 'Malware authors are actively exploiting a zero-day privilege escalation vulnerability ... [which] can be exploited overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges. This facilitates the complete compromise of affected computers.'"

Yay DRM.

[RandoX]

Can Macrovision be held liable for losses?

Re:Not a bug

[TheMeuge]

It's not a bug, it's a feature.

DRM: It's not just wrong

[blueZ3]

It's wrong in so many ways.

I'm not a big fan of the "oh noes! DRM is the suxors!" crowd, because I'm rational enough to see both sides of the DRM issue: producers want to get paid, consumers want full control over what they've bought. But there are a lot of reasons DRM sucks, besides the wild conspiracy theories and the "porn just wants to be free" arguments that you regularly see on /. This article is an example.

Letting some (lame) third-party, like Macrovision, put hooks into the OS, and then have no cle

DRM doesn't help producers make money

[LKM]

I'm not a big fan of the "oh noes! DRM is the suxors!" crowd, because I'm rational enough to see both sides of the DRM issue: producers want to get paid

Here's what you're missing: DRM hurts precisely those people who actually do pay the producers.

If I buy a DVD in a store, I get the hassle of DRM, and putting it on my iPhone is going to be complicated. If I just download the movie from the Internet, I just open it in QuickTime and export to iPhone. If I buy music in the iTunes Music Store, I can't easily use it on my PC at work, unless I authorize it with my iTunes login, only to forget to de-authorize it if I get a new computer or reinstall the OS. If I just download music, I have none of these issues.

Now, I do buy DVDs, and I do buy music from the iTunes store, and I do buy a lot of stuff with DRM. But I do not buy these things because they have DRM, but despite of it. DRM is actually an incentive to not give the producers money; without DRM, they'd see a lot more money from me.

Re:

[Bert64]

It is completely unreasonable to have this macrovision driver on every windows system, even those that will never be used to run games.
Windows 2003 is supposed to be a server OS, and yet it ships with drivers for copy protection schemes in games? How ridiculous is this?

DRM does not, and is not intended to, stop piracy. DRM is fundamentally flawed due to it's very nature of having to give out the keys in order to play DRM'd media. The major cracking groups have some very skilled people, and any DRM scheme wi

Re:

[Dog-Cow]

Apple's DRM has zero affect on non-Apple anything.

Re:

[OrangeTide]

iTunes music has always played fine for me in my car CD player. And I don't own an iPod.

Re:

[CodeBuster]

The Sony DRM Rootkit case should server as a useful template for litigation so the answer is yes, provided that somebody can actually show damages (i.e. borked computer, identity theft, etc.) based upon a known exploit of the safe disc driver, but once again the lawyers will get 90% of the money with the remaining 10% divided among millions of claimants in the form of $0.20 checks issued to those who will provide their name and address (which will subsequently be sold for marketing purposes). The only conso

Re:Yay DRM.

[vtscott]

Pff. When you installed windows you agreed not to hold them liable. [microsoft.com]

17. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATON, SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Oh, you didn't know about those terms when you bought the product? And you want to return software that's been opened? It was in all caps, surely you could have read that through the box.

So, the slashdot lameness filter doesn't like the the clip of the microsoft eula I posted because it has too many caps. Well I'm not retyping all of that in lower case, so I guess I'll post another part of the eula that doesn't abuse the caps lock key...

18. LIMITATION OF LIABILITY AND REMEDIES. Notwithstanding any damages that you might incur for any reason whatsoever (including, without limitation, all damages referenced herein and all direct or general damages in contract or anything else), the entire liability of Microsoft and any of its suppliers under any provision of this EULA and your exclusive remedy hereunder (except for any remedy of repair or replacement elected by Microsoft with respect to any breach of the Limited Warranty) shall be limited to the greater of the actual damages you incur in reasonable reliance on the Software up to the amount actually paid by you for the Software or US$5.00. The foregoing limitations, exclusions and disclaimers (including Sections 15, 16 and 17) shall apply to the maximum extent permitted by applicable law, even if any remedy fails its essential purpose.

Re:Yay DRM.

[Volante3192]

EULAs are shaky legal ground though; they're untested. Just because they say they're not liable doesn't mean it's been held up in court. They're there to scare people into thinking there's no recourse.

Re:

[truthsearch]

Not necessarily. At least one court has found that a shrink wrap license is enforceable [bitlaw.com].

Re:

[Volante3192]

Hrm, gray area...

First paragraph:

...Shrinkwrap licenses are enforceable unless their terms are objectionable on grounds applicable to contracts in general (for example, if they violate a rule of positive law, or if they are unconscionable). Because no one argues that the terms of the license at issue here are troublesome, we remand with instructions to enter judgment for the plaintiff.

But it seems the only aspect of the licence that was questioned was the following:

This license, which is encoded on the CD-ROM disks as well as printed in the manual, and which appears on a user's screen every time the software runs, limits use of the application program and listings to non-commercial purposes.

Other aspects of EULAs, specifically the arbitration clauses, have been found to be unconscionable ( http://games.slashdot.org/article.pl?sid=07/06/08/2017257 [slashdot.org] ). It all depends on which part of the EULA you're going after.

Re:

[truthsearch]

It all depends on which part of the EULA you're going after.

Very true. I was simply referring to the fact that an EULA, in general, has been found to be a valid contract in court. Assuming everything within the license is legal and legit, it is enforceable.

Re:

[reebmmm]

This is not very good legal analysis or advice. EULAs are far no "untested" (though, the same is not necessarily true for browsewrap agreements).

EULAs are very much enforceable and have definitely been held up in court. Like any contract, though, some have certainly been found to be unenforceable in their entirety or in part. Those that are denied enforceability have some other procedural or technical flaw, usually proper notice.

In addition, as between a company and a consumer, there are definitely some hur

Re:

[sowth]

Also, despite what slashdotters like to think, EULAs almost certainly meet the requirements of contracts: offer ("take it or leave it"), acceptance (by signature or performance) and consideration (in exchange for the right to use the software at the price I'm selling it to you, you agree to these other terms).

Okay, IANAL, so help me understand this better. You can buy something from a store, take it home, and after you have purchased the item, the manufacturer of the product can hold usage of said pr

Re:

[jZnat]

Well I'm not retyping all of that in lower case

Some geek you are! guG or similar in Vim is all you need.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[node 3]

Pff. When you installed windows you agreed not to hold them liable.

I didn't *agree* to shit. I clicked a button.

It's well known that people don't read the EULA. It's also well known (and follows) that the overwhelming majority of people have no idea the actual contents of the EULA. That strikes me as extremely shaky ground on which to base claims of any sort of actual "agreement" to anything.

In reality, the only thing agreed to is the user agrees to click a series of "affirmative" buttons in order to install some software.

Re:

[Bert64]

And that's their own fault.
Would you sign an employment contract without reading it first? How about a contract for the transfer of a house or other property?
If your willing to agree to things without reading them, i have a few contracts for you to sign!

People need to be educated as to what they're agreeing to, and perhaps get legal advice before agreeing to anything like this. If more people were aware of these things, then vendors would be forced to make their license agreements less onerous.

Re:

[node 3]

And that's their own fault.

No, it's not. Your sentiment essentially says it's OK to do whatever you can to *trick* people into contractual obligations. It's like that old trick, "a [something negative] says what?" and when the person asks, "what?", you treat them as if that means they *actually* are the [something negative].

Would you sign an employment contract without reading it first? How about a contract for the transfer of a house or other property?

Absolutely not. But we're not talking about employment contracts or deeds.

If your willing to agree to things without reading them, i have a few contracts for you to sign!

And, hypothetically, if I *were* to sign such a contract without reading it, without any actual *agreement* between us being met, withou

Re:

[Bert64]

// If more people were aware of these things, then vendors would be forced to make their license agreements less onerous. // That doesn't necessarily follow.

It does, if people were unwilling to accept onerous agreements, vendors would be forced to change them.

Also, even if an agreement is unenforceable, it's still used to scare people into thinking it is. Such tactics need to stop, agreements should be clearly written and users should be educated not to accept an agreement they don't understand.

These agreem

Re:

[PitaBred]

"Asphinctersayswhat?"
"What?"
"Exactly!"

Re:

[node 3]

In order for a contract to be valid, there *must* be some reasonable measure of actual *agreement* and *understanding* (among other things, but these are the aspects pertinent to the topic at hand).

Clearly, most people do not understand, and have not actually *AGREED* to anything. All they've done is clicked a button. That click *might* count as an "electronic signature", but that's not the primary issue I've raised. The issue is that the contract is not predicated on the fundamental principles of a contrac

Re:

[PitaBred]

So, is a company not liable when it sells you a part that doesn't function like they said it would? "I sold you that dog, but it turns out that he was malnourished and died the next day? Sucks to be you". Doesn't quite fly. There have to be reasonable limits on disclaimers, and I'd think that a gaping security hole in the system built in solely for anti-operator actions that happened to be WORSE for the buyer/owner/operator than it was originally intended to be really isn't what someone realized was part

Re:

[Holmwood]

The company that sold you the dead parrot... err... dog... might well be required to refund you your purchase price, sure.

The distinction is, if the dog they sold you fails to apprehend an intruder who robs you blind, they're not liable for everything he stole.

Similarly, if some piece of software you purchase for $500 crashes and corrupts your hard drive, the developer isn't liable for the $100,000 (pick a number) worth of data you have on the drive.

Limitation of liability is important, and not just for 'ev

Re:

[PitaBred]

Uhhh, sure, this is food. I won't feel bad about selling it to you. Oh, you mean it was rat poison? Oh well. Tough cookies. You took your chances giving me money in the first place.

Here is update (Macrovision SECDRV.SYS Driver)

[holywarrior21c]

Upgrade your driver here: http://www.macrovision.com/promolanding/7352.htm [macrovision.com]
Microsoft Security Advisory(944653)http://www.microsoft.com/technet/security/advisory/944653.mspx [microsoft.com]

Re:

[Sen.NullProcPntr]

Can I just delete secdrv.sys?

AFAIK I don't use any macrovision disks.

Re:Here is update (Macrovision SECDRV.SYS Driver)

[BlueStrat]

Can I just delete secdrv.sys?

AFAIK I don't use any macrovision disks.

Well, I just renamed the files to $secdrv.sys (I found 2 copies..one in system32/drivers and one in a game folder (MechWarrior4 Vengeance, in mw4x folder) and the game still loads and runs.

Cheers!

Strat

Re:Here is update (Macrovision SECDRV.SYS Driver)

[Nom du Keyboard]

Well, I just renamed the files...and the game still loads and runs.

Did you reboot after the rename, and ensure that the rename still held? DRM seeks to protect itself.

Re:

[DigitAl56K]

Being vulnerable or upgrading the Macrovision drivers you never knew you had = Stuck between a rock and a hard place.

Why are they shipping this in business computers?

[140Mandak262Jamuna]

This is complete lunacy. Almost all corporations prohibit their users from playing computer games on their PCs. The fastest safest thing for MSFT would be to tell its customers, "If you are not playing macrovision protected games in your computer, just rename this xxx.dll or yyy.sys file."

Why was it not disclosed to the corporate customers that a dll or a sys file, that is exclusively used to play games published by a particular vendor is bundled and installed on ALL their computers? What are the priorities here? We have been pained enough by MS-Office suddenly demanding you to pop in the origial CD/DVD-ROM to get a particular module. But they don't want their users to be hassled to fetch the original disc to get a driver used only by a subset of users. How screwed up this set up can be? Why are not the corporate customers demanding a full disclosure of what is being bundled, and why and what can be safely removed from their computers?

Does the total cost of ownership studies include the cost of keeping up with these security disclosures and applying patches to the holes?

Re:Why are they shipping this in business computer

[Hatta]

How are they shipping this on computers anyway? Isn't Macrovision that crap that makes it impossible to dub VHS tapes without the gain going crazy and looking awful?

Re:

[petermgreen]

That is macrovisions most famous defective restricted media system (mainly because it was one of the first defective restricted media systems created) but it is far from thier only one.

Re:Why are they shipping this in business computer

[MarkGriz]

More to the point, why in the world would this file even be included on Windows Server 2003?
Not all business prohibit games, but I doubt there are any sysadmins playing games on their server machines.

Re:

[gEvil (beta)]

Not all business prohibit games, but I doubt there are any sysadmins playing games on their server machines.

You severely overestimate the brainpower of a Windows sysadmin.

Other apps some times use the same copy protection

[Joe The Dragon]

Non Game apps some times use the same copy protection that games use and some M$ apps do use copy protection as well.

Re:

[Bert64]

Windows "server" is a joke anyway, your forced to have a gui, browser, mail client, media player, gaming support libs (directx) etc, which is a complete hassle to remove and often needs to be patched.
A server should always have the bare minimum software installed, less to go wrong, less to have security problems, less overhead, and you don't have the hassle of patching anything that's not installed.

Re:Why are they shipping this in business computer

[sqlrob]

Copy protection != games. Business related software can certainly be protected (cf. Quickbooks)

Re:

[sqlrob]

Drivers can still be installed for that software.

Quickbooks is the non-game copy protected software I was thinking of as my example.

Re:

[PitaBred]

Still doesn't use the Macrovision copy protection. Macrovision copy protection is for games only, as it validates a CD-ROM. There's NO serious business software that requires the CD to be inserted to run.

Re:Why are they shipping this in business computer

[truthsearch]

There are many files included with Windows that corporate desktops don't require. One of my past employers chose to remove any unnecessary files. Even with a large Microsoft contract, Microsoft refused to disclose the details of every bundled DLL and EXE. So a small team of people deleted each file, one by one, and tested every desktop app in use in the company, until they determined the set of files they didn't need. It's almost silly, but if you're determined Microsoft leaves little choice. (I would have used one of those apps that shows every DLL in memory, but the idea is the same.)

This of course causes problems later, like when a patch or service pack requires a DLL that it never needed before. Or one of the custom apps adds a new feature and needs an OS file that's not part of any standard desktop in the company.

Microsoft isn't interested in giving customers exactly what they need. They prefer to generalize the OS to maximize revenue. These are just some of the negative consequences.

Re:

[Bert64]

That's why the large number of Linux distributions, often cited as a problem, is so good. You can customise to your hearts content, and remove what you don't need, or better yet never install it.
And any half decent package manager will pull in extra dependencies if they start being required.
All my linux machines are built to spec, only what's required is installed and nothing else.

Re:

[truthsearch]

I recommended switching to Linux (or actually performing some research into switching) to a few managers there. Once I got past the usual lip service the end result was "well, we're a Microsoft shop." The conversation always ended there.

And that's one of the reasons I no longer work there.

Re:Why are they shipping this in business computer

[operagost]

Someone is lying outright.

Secdrv.sys is included with Windows Vista, but Microsoft's newest operating system is safe from attack, said Quach. "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver," she said. " Thanks to this security review, this vulnerability is not present in Windows Vista." Microsoft went a step further and credited its Security Development Lifecycle (SDL) approach for b

Re:Why are they shipping this in business computer

[Bert64]

Your forced to have a full install of directx too, including the joystick/gamepad support, directplay (for network gaming) and all the sound/video stuff...
Why would you need all this on a corporate desktop, let alone a supposed "server".
None of my unix servers have anything that's not relevant to whatever the server is hosting, the only server i have which has *ANY* gaming or graphics related software on it is a quake server!

There's a solution!

[VincenzoRomano]

Don't worry, windowers!
All these problems will loose any meaning with ... Windows 7 [wikipedia.org]

Re:

[HTH NE1]

Don't worry, windowers!
All these problems will lose any meaning with ... Windows 7

What's in the box?

1) Accountability 2) Technical integrity

[dpbsmith]

How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure? Why does Vista allow Macrovision's component to do whatever it likes?

Is this a case where Microsoft allowed "signing" to be a substitute for good engineering?

Even if the act of buying Windows implies that I trust Microsoft, does the act of buying Windows imply that I trust Macrovision?

When I buy a home computer with Windows on it, do I even know all of the companies that have contributed content that is included on the hard drive at the time of purchase? Do I have a list? Have I agreed to trust them all? Does Vista trust all of them? Could all them them punch holes in Vista's security if the vendors that supplied them don't have engineers as competent as Microsoft's?

Re:

[A beautiful mind]

Could all them them punch holes in Vista's security if the vendors that supplied them don't have engineers as competent as Microsoft's?

Let's stop asking highly theoretical questions.

Software freedom is the cure.

[jbn-o]

How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure?

This has to do with the software being proprietary, not coming from a third party.

How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure. Apparently bugs will go unfixed for years because only the proprietor is allowed to fix the bugs. However, the proprietor is unmotivated to fix bugs until the proprietor is pushed (through publicly announced exploits, better competition, and so on). All the while you, the user, are denied complete control over your computer.

The cure is simple: install nothing but free software [gnu.org] on your computer. Give yourself the freedom to inspect, change, and share the software, hire someone else to do it for you, or leverage the talent of a community of hackers improving free software all the time. This is not about making everyone a programmer, it's about giving people the freedom to control their computers while building a society of cooperation and social solidarity. Proprietary software denies you your software freedom, so deny proprietary software a place on your computer.

Re:

[LO0G]

That's cool - fortunately no open source software uses the systrace facility, which has at least one well known vulnerability that affects apps that use the facility [lightbluetouchpaper.org].

The base comment is the one that's unreasonable (an OS can't be considered secure if it allows 3rd party applications to make it insecure).

By that standard, no general purpose operating system in use today can be considered "secure".

If the operating system allows the use of 3rd party code that runs with supervisor privileges, then the 3rd party

Re:

[I'm Don Giovanni]

"How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure."

huh, I didn't know that software verification had been perfected such that FLOSS was "verifieable" as "secure".
The fact is, FLOSS "security is unverifiable by anyone I can trust and therefore unworthy of being considered secure."
I don't know who is "verifying" the security of FLOSS. Li

Re:

[Bert64]

You don't know and trust anyone capable of auditing code? That's a pity.

With proprietary software there is only one entity that can verify the code, with open source there are many. There's no guarantee that either of them will, but 50000 chances are better odds than 1 chance.

As for security updates, this is an unfair comparison. Open source development, including finding and patching of security holes is done in the open, so any security issue becomes known about. Proprietary vendors on the other hand, typ

Re:

[ChaosDiscord]

huh, I didn't know that software verification had been perfected such that FLOSS was "verifieable" as "secure".

You're missing the point.

If you wanted to verify the security of, say, Red Hat Enterprise Linux 5, you can download the source and start reading. It'll be slow, and may not be practical. But you're free to do it. You can pay someone else that you trust to do the review for you. And while reviewing the entire system probably isn't feasible, you can certainly review subsets that you consider

Re:

[Bert64]

You don't, your gambling that one of the people or organisations that looked at the code would have found and disclosed any malicious code located there.

The difference is:

With proprietary code, only one organisation has seen the code and they have no incentive to disclose any malicious code because it's them who put it there.

With open code, many organisations and individuals could have seen the code, and the vast majority of them have no incentive to keep any malicious code under wraps, in fact many will be

Re:

[PitaBred]

I trust the kernel devs with commit access to the source repositories. I also trust NVIDIA. That's a MUCH smaller chain of people to trust, with much more well-known motives and identities.

Fixed in Vista - WTF?

[shadow_slicer]

Thanks to this security review, this vulnerability is not present in Windows Vista

So they fixed it in Vista, but didn't send out a security update for the other systems?

you mean...

[realkiwi]

... XP has been around for 6 years? And Dell is still offering it?

MS have known about this bug but didn't update.

[Rashkae]

FTFA, the bug was fixed in Vista, becasue "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver."

Hackers only started exploiting this 3 weeks ago, but MS must have known about this for 6 months at least. Macrovision even offers an update for WinXP on their web site based on the same fix, but MS never pushed the update through their security update mechanism, and even now, isn't commiting to it.

So, to recap for those keeping score at home, you now have to download patches for Windows system files from Macrovision's website! MS bashers have a goldmine to work from here.

Re:MS have known about this bug but didn't update.

[jo42]

The 'fixed' secdrv.sys in SECDRVSYS.zip from Macrovision's web site is dated 2006-09-13.

So it has been over a year...

Re:MS have known about this bug but didn't update.

[Dan East]

Hackers only started exploiting this 3 weeks ago ...that we know of. It is likely that on some irc channel a couple of hackers are congratulating themselves on having kept this exploit under wraps for the last half decade.

Dan East

Re:

[ThinkFr33ly]

You're jumping to conclusions. We simply don't know all the facts at this point.

What we do know is that the bug doesn't affect Vista for two reasons. First, some of Vista's new security functionality prevent the privilege elevation regardless of the version of the DLL in question. Second, Microsoft included a newer version of the DLL with Vista, and this version of the DLL doesn't have the potential to attempt the elevation to begin with.

One possible explanation for this is that Microsoft didn't discovered

Re:

[Rashkae]

Actually, I'm basing it on a quote provided in my comment, not to mention that Macrovision *already* has a fix, which someone else here already claims to be over a year old. And we also know that this has been a known "in the wild" exploit for 3 weeks before MS even bothered to release a security announcment, even though the fix already existed.

Nothing indeed, pfeh. *Fail*

Re:

[hweimer]

This is a privilege escalation bug, meaning you need to have access to the machine in the first place. Microsoft usually doesn't care about them (the GDI bug was fixed about six months after the MoKB post) for two reasons: First, most people work with administrator rights anyway, and second, this is only relevant in true multi-user environments, which have never been the top priority for them.

What is the vulnerability?

[Monty845]

It should be required that any story about a security hole indicate whether user interaction is required for the system to be comprimised... If I have to download/run something then I could care less... only if the vulnerability can be exploited remotely with NO interaction on my part do I care... There are many stories that hype threats were it all boils down to the user running something they shouldn't have.

How is this vulnerability exploited?

Re:

[argent]

During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. In my tests the exploit seems to work successfully against a fully patched Windows XP-SP2 and also Windows 2003-SP1. At this time, Vista does not seem to be affected by the problem.
-- Elia Florio [symantec.com]

Local privilege escalation.

Re:

[jafiwam]

Way to not get or refuse to answer the question! Escalation is one small step in the process, the OP was asking about that overall process, not the one step in the .sys file.

Local privilege escalation an be executed against the user account used with IIS (for example) no?

Or, perhaps the guest account, or whatever is used to display default printer shares on an otherwise unshared machine.... etc.

One would think if there is evidence there is zero day stuff out in the wild using this, someone could have captu

Re:

[argent]

Then he should have asked about the attack, not the vulnerability. From the message I replied to: "only if the vulnerability can be exploited remotely with NO interaction on my part do I care". That's not a question about the whole process, it's a question about this particular hole.

This is not a remote execution hole. Whatever code it was found in may have contained exploits for other vulnerabilities, or this may have been part of a rootkit dropped by an otherwise unrelated exploit. But this vulnerability

Re:

[garylian]

Reading the actual article FTW!

It came packaged with every copy of Windows XP (and Server 2003) that M$ has sold.

Re:

[I'm Don Giovanni]

You're correct, but there is a warped way of looking at things where "I could care less" would be proper.
"I couldn't care less" typically means that it's impossible for me to care less because my care level about the issue in question is zero.
But "I couldn't care less" could also mean that the issue in question is so important to me that there's no way I could care less about it. The corallary of this would be that the issue doesn't mean much to me, so while I might care a bit about it, I wouldn't have any

Windows 2000 is still immune. :)

[argent]

Makes me doubly glad I've stuck with Windows 2000 all these years.

Remove secdrv.sys.

[argent]

The only purpose of secdrv.sys is to run games that depend on "SafeDisc" copy protection. If you don't play games on your computer (or you shouldn't... corporate users take note) you don't need it, and if you do you only need it to play games using this particular scheme.

This is a local privilege escalation exploit. An attacker will have to use some other exploit to get onto your computer before using this one to get system privileges. This is another reason for corporate administrators to eliminate the dri

Re:

[sqlrob]

No, it's to run SOFTWARE with SafeDisc. Although it is probably a game, there's nothing that says it will definitely be a game.

Re:

[argent]

What kind of crazy company uses hardware-based copy protection for anything but games?

Got a list of guilty parties so we know who to stay the hell away from?

Re:

[sqlrob]

Intuit, at the very least. Quickbooks uses some sort of protection, but I'm not sure what offhand.

Re:

[argent]

OK, so you can only remove this file on 99% of the desktops in a typical company, instead of 100%. :)

I'm a pirate.

[Bellewether]

...and more of my discretionary income goes towards games than anything else. There was an article here this week (http://yro.slashdot.org/article.pl?sid=07/11/03/048256) about the most profligate music pirates being the biggest music *buyers* as well- same principle.

However...the industry, especially PC gaming, has lost quite a few purchases from me because of copy protection. Just a few examples:

I loved Neverwinter Nights. Would have bought the Infinite Dungeons mod, but it requires an always-on net connection while you play to verify you're not a pirate. Screw that.

Starforce? Any Starforce'd game is automatically disqualified from my consideration.

I don't buy games that use Securom or Safedisc anymore, either. As a pirate, I find it inconvenient to have to download bypasses so I can run stuff on my Daemon Tools-happy gaming box. I almost bought Civ 4 and its expansions recently, but the DRM dissuaded me- though it won't stop those who torrented it from downloading a workaround.

I import games. Over the past year or two I've imported multiple games that would never have been released in the U.S.- the Touhou series, both Ouendans... but I won't do so for any console that has to be modded, because it's too much of a pain. If it weren't for that, I would have bought SO much crap for my PS2- guess I'll never buy any of those Cave shooters.

I'm a huge Megaten fan and will gladly buy FES the day it hits stores, assuming it's released stateside, even though FES is generally considered mediocre. If it weren't for emulation, I might not even be a fan of the series. Atlus acquitted itself pretty poorly with its release of the first two Persona games in the U.S.; it was actually the fanslation/romhacking scene's English patches for SMT1 and 2 that got me into the series. (I remember a comment from another Slashdotter who wrote the same thing in another copy-protection thread, too.)

The funny thing is, if I wanted to bypass any of this copy protection, I easily could. Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle. Me, I prefer to wean myself off the companies who resort to copy protection. There are plenty of other games out there which are just as good and don't involve all the bullshit- more than I have the free time to play, in fact. I'll just buy some of those instead.

And the games that I DO pirate? Those are the ones I wouldn't have bought anyway- though you only have my word on that. Ever spend time on a forum for an Atlus game? Atlus fans know damn well that they're not dealing with automatic-trillion-sellers like Madden 200X: Same Shit, New Roster or World War 2 Shooter: The Shootening. They (we) will tell other fans to buy, and buy a *new* copy, *before* price drops, *because we want Atlus to release more games we like*.

So: can somebody explain to me why all this antipiracy stuff is necessary? Or even prove to me that it isn't outright counterproductive? Last I heard, Galciv and Stardock were doing just fine.

I've played this game from both sides.

[argent]

Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle.

I did that around 1981 when I went to the local "unlicensed software distributors" at the University to get a cracked copy of Wizardry written out on top of my gold-labeled store-bought floppy because the copy protection had made the original unplayable... which meant I may have had the only "legal" cracked copy in existence. I ran into the author of the game online many years later, and he thought that was pretty amusing.

Several years later a friend and I released a game for the Amiga and since the publisher required copy protection we came up with a copy protection scheme for it that didn't require modifying the OS or bypassing the driver, and allowed the protected disks to be created using a regular script. Since we knew that copy protection was a speedbump, we came up with some speedbump-quality protection that would still do a better job at blocking the most common cracking tools than the "professional" and more intrusive protection schemes.

What we did was take advantage of the way the Amiga identified disks by using a unique ID in the disk header. All copy protection cracking tools we knew of generated a new ID by default, so that the user wouldn't get an error from the OS if they left the original and the copy both in the drives after they exited the program. We stored an obfuscated copy of the ID in file comments, and ran in "demo mode" if they didn't match. It didn't pop up any warning screens, it just wouldn't let you get past the 'attract mode' display. This meant that most people just using a "raw" copier would get an apparently "damaged" copy that still kind of worked... we figured this was unintrusive and at least as good a speedbump as you got from a scheme that had defeat code preprogrammed into the copying tools, for the week or so before it got figured out and our scheme got added to the rest.

We provided our publisher with detailed instructions, explanations, and a set of disks to use to create the copies if they didn't use an image duplicator. They fobbed production off on another company who blithely used one of the cracking tools we were targeting to do the production run. If they'd used a normal image duplicator or our scripts everything would have been fine, but instead all the shipped copies came up in demo mode. Of course the game had to be recalled, and we missed the Christmas launch.

Copy protection (whether you call it copy protection or DRM) increases the costs and risks of production and just plain doesn't do anything more than flashing a "don't pirate this game" splash screen would.

Re:I've played this game from both sides.

[99BottlesOfBeerInMyF]

My favorite copy protection was in the game "Escape Velocity." I'm not referring to the mechanism, just the way it was implemented. Unregistered version beyond 30 days did not stop working, or do anything annoying, except occasionally a special, unkillable space ship would show up tell you they hate pirates and attack you... forcing you to jump to another star system or two and escape. Coders that go to that kind of effort inspire me to not only buy the game, but encourage others to do the same.

Re:I've played this game from both sides.

[Lothsahn]

And after a while, that ship appears ALL THE TIME.

I bought the game, but my friend didn't. :) I think it's the only game he DIDN'T crack, because it was so ingenious, he actually kept trying to run from the ship, instead of cracking the game.

Re:

[Dracolytch]

"Copy protection (whether you call it copy protection or DRM) increases the costs and risks of production and just plain doesn't do anything more than flashing a "don't pirate this game" splash screen would."

Unless, like me, the only means of distribution is over the 'net. In which case, copy protection is the only viable means to differentiate your product from free software.

~D

Re:

[argent]

I'm not sure what you're getting at here:

Unless, like me, the only means of distribution is over the 'net. In which case, copy protection is the only viable means to differentiate your product from free software.

Are you saying that copy protection makes your product better? More competitive? What do you mean by "differentiate" here?

Re:

[Dracolytch]

It means that if you don't put copy protection on your program, and the only way to distribute your program is via download, without copy protection there would be no means to distribute an unlockable trial version. You'd essentially be giving the game away, and hope people would pay you. Either that or have to produce two versions of the game (One trial one full), and then manage that mess.

~D

Re:

[argent]

I think you're combining two unrelated issues here, and neither of them involve any kind of technical copy protection or DRM scheme.

First, unless your build process is really broken, building two versions of a program for distribution out of the same source tree is trivial.

Second, registration and copy protection are really separate issues. Copy protection involves some kind of obfuscation of a shared secret, typically in hardware or in the OS (though sometimes, as in my case, simply in an unobvious place t

Re:

[argent]

Tracers. Dead simple graphics, most of our effort was spent on playability and being a "well behaved" program.

http://amigareviews.classicgaming.gamespy.com/tracers.htm [gamespy.com]

I can't take responsibility for the box art or backstory, the publisher tossed our concept and redid the whole thing from scratch. Which was probably to the good, since the original backstory we came up with was sufficiently unmemorable that I actually can't remember it. :)

Re:

[p0tat03]

Perhaps you're a rare one, but I don't buy the whole "wouldn't have bought it anyway". IMHO if you play more than 20 minutes into a game without throwing your burned disc out a window, you're being dishonest to yourself about your intentions. It's funny, but I haven't pirated a game in ages, and in fact I never feel the need to. I have found numerous trustworthy review sources that guide what I buy. I don't fall into the preorder frenzy, and I always wait for my trusted sources to give their reviews before

Re:

[operagost]

Atlus fans know damn well that they're not dealing with automatic-trillion-sellers like Madden 200X: Same Shit, New Roster or World War 2 Shooter: The Shootening.

You should try Cookie Cutter RPG 2: Electric Boogaloo.

Don't You Just Love

[Nom du Keyboard]

Don't you just love how Microsoft is in bed with DRM, and in the end it always comes back to bite!

Local Exploit Only, and Very Unlikely

[ThinkFr33ly]

This can only be exploited locally, so the chances it will affect any significant number of people are very small.

Since virtually everybody who uses Windows XP runs as admin, there would be no reason to use this exploit, since if you get code to run on the target machine, it's already running as admin.

For Windows Server, a bad guy with local access is going to be rare, and most admins don't usually download and run random code on their servers. The one exception might be a server used as a terminal services provider, but I can't imagine that's particularly common. Plus, standard domain policy best practices would prevent unsigned/unapproved code from being run by any non-admin anyway, so it's really not an issue.

Lastly, Vista isn't affected, both because it includes the newer version of the DLL, and because the privilege elevation itself would not be possible thanks to some new security measures in Vista's kernel.

So while it makes a great "DRM Sucks!" story, the security ramifications of this bug are essentially zero.

Re:

[Anonymous Coward]

Ring zero is kernel space, the highest privilege level - higher than Administrator. Normally an attacker would have to install a driver or suchlike to achieve this, a suspicious behaviour that can be flagged by AV etc, this avoids that and lets them proceed directly to rootkitting. Also as soon as a "minor" remote access exploit comes along this magically becomes an extremely serious remote root. OK so it could be worse, but local privilege escalation exploits are always bad and should be fixed quickly; his

Re:

[organgtool]

Since virtually everybody who uses Windows XP runs as admin, there would be no reason to use this exploit, since if you get code to run on the target machine, it's already running as admin.

Running as admin in a corporate environment is very rare, with the exception of some small companies. Any company that lets their non-sysadmin employees run as the Admin user deserve what they get. So when a company gets attacked through a hole in their workstations' OS that supports DRM in games (something that most c

Re:

[ThinkFr33ly]

Which is different than running as SYSTEM.

Effectively, it is not. The only real difference is that the SYSTEM account has access to terminate/modify certain processes directly, where as Administrator must essentially request that they be done by SYSTEM.

For instance, there are some processes that run as SYSTEM that you can't kill in Task Manager, but that can be killed via certain administrative commands that are then run as SYSTEM.

In fact, SYSTEM typically has FEWER privileges than Administrator because some network operations can't be done by SYS

Macrovision is legally vulnerable

[Animats]

If anyone incurs costs as a result of this, they can sue Macrovision. Macrovision isn't protected by Microsoft's EULA. (Nor can it be; there's a legal concept called "privity" that applies to third party issues like this.) The end user has no contractual relationship with Macrovision. So there's nothing protecting them from a negligence lawsuit.

Macrovision is as vulnerable as Sony was.

On SERVER 2003?

[BobMcD]

Why on earth is this bundled with a Server OS?

This is the kind of patently stupid thing that we really ought to result in damages being awarded...

Seriously, the entire corporate world has been vulnerable for the LAST SIX YEARS because they wanted to make it minutely harder to pirate a video game?

Could not the Macrovision games simply been coded to add this cruft to a server upon inserting the game CD? s/Could/Should/g

There absolutely HAS TO BE a violation of duty here.

0 Days

[DrSkwid]

0 days is the length of time Windows goes without a critical vulnerability.

shaking my head...

[logicassasin]

Wow... It's 2007 and some people still don't get it.

Many people (myself included) would love nothing more than to move away from M$ products but, sadly, are trapped in them because of the applications we use. I can't use linux for music production and the particular apps I use don't exist under MacOS (Sonar 6 and FL Studio). While I can certainly do Flash authoring under OSX, I can't under Linux. One of my PC's has an old Matrox Mystique220 with Rainbow Runner Studio in it. There are no Linux drivers for it

Re:

[couchslug]

Thanks to your post I was inspired to Google, and there are many other capture cards that ignore Macrovision.
There are forums like doom9 and videohelp where you can go for much more info.

What about VirtualBox?

[Spy der Mann]

Many people (myself included) would love nothing more than to move away from M$ products but, sadly, are trapped in them because of the applications we use.

There is a solution. Linux + (Windows inside VirtualBox [virtualbox.org]).

Haven't tested it yet because I've come to hate windows so much that I don't want ANY of it installed in my system. But I've read a couple of VirtualBox reviews, and they're all positive.

Alternate solution. :)

[argent]

if not exist "%windir%\system32\drivers\secdrv.sys" goto ok
del "%windir%\system32\drivers\secdrv.sys"
echo "Removed Safedisc driver"
:ok