Quote:
Update: Buggy game DRM puts Windows users at risk
Everyone running Windows XP or Server 2003 is vulnerable, not just gamers
Gregg Keizer
November 07, 2007 (Computerworld) -- Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today.
The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista "to increase compatibility and playability" of games whose publishers license Santa Clara, Calif.-based Macrovision's SafeDisc copy-protection offering, Macrovision spokeswoman Linda Quach said in an e-mail. "Without the driver, games with SafeDisc protection would be unable to play on Windows," said Quach.
"The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows," she added.
The privilege elevation bug in the driver first surfaced more than three weeks ago, when Symantec Corp. researcher Elia Florio spotted the vulnerability being actively exploited. The presence of the file -- dubbed Macrovision Security Driver -- is enough to open Windows XP and Server 2003 machines to attack; users do not have to play a SafeDisc-protected game to be vulnerable.
Microsoft is working on an update, but it refused to commit to delivering an update for secdrv.sys by next Tuesday, its next scheduled patch delivery day. "Microsoft will provide a security update through its regularly scheduled monthly release process once that update is ready and has been fully tested," a Microsoft spokesman said in an e-mail.
Users can remove the vulnerable driver -- it's typically found in the "%System%drivers" folder -- or update it with a more recent, and apparently safe, version by downloading it from the Macrovision site. "[But] if removed, Macrovision SafeDisc games will not run properly," the Microsoft spokesman cautioned.
Secdrv.sys is included with Windows Vista, but Microsoft's newest operating system is safe from attack, said Quach. "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver," she said. " Thanks to this security review, this vulnerability is not present in Windows Vista." Microsoft went a step further and credited its Security Development Lifecycle (SDL) approach for beefing up the driver.
Everyone running Windows XP or Server 2003 is vulnerable, not just gamers
Gregg Keizer
November 07, 2007 (Computerworld) -- Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today.
The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista "to increase compatibility and playability" of games whose publishers license Santa Clara, Calif.-based Macrovision's SafeDisc copy-protection offering, Macrovision spokeswoman Linda Quach said in an e-mail. "Without the driver, games with SafeDisc protection would be unable to play on Windows," said Quach.
"The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows," she added.
The privilege elevation bug in the driver first surfaced more than three weeks ago, when Symantec Corp. researcher Elia Florio spotted the vulnerability being actively exploited. The presence of the file -- dubbed Macrovision Security Driver -- is enough to open Windows XP and Server 2003 machines to attack; users do not have to play a SafeDisc-protected game to be vulnerable.
Microsoft is working on an update, but it refused to commit to delivering an update for secdrv.sys by next Tuesday, its next scheduled patch delivery day. "Microsoft will provide a security update through its regularly scheduled monthly release process once that update is ready and has been fully tested," a Microsoft spokesman said in an e-mail.
Users can remove the vulnerable driver -- it's typically found in the "%System%drivers" folder -- or update it with a more recent, and apparently safe, version by downloading it from the Macrovision site. "[But] if removed, Macrovision SafeDisc games will not run properly," the Microsoft spokesman cautioned.
Secdrv.sys is included with Windows Vista, but Microsoft's newest operating system is safe from attack, said Quach. "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver," she said. " Thanks to this security review, this vulnerability is not present in Windows Vista." Microsoft went a step further and credited its Security Development Lifecycle (SDL) approach for beefing up the driver.
Quote:
The version Macrovision offers XP and Server 2003 users as an update is identical to the one built for Windows Vista, Quach said.
As for the three-week stretch between first disclosure of the Macrovision bug and Microsoft's advisory, Microsoft's spokesman denied the company had dragged its feet. "Macrovision and Microsoft immediately began investigating the vulnerability when proof-of-concept code was publicly posted Oct. 17," said the spokesman. The investigation wasn't the only thing that was a Microsoft-Macrovision joint effort: many of the responses the two companies gave to similar questions were word-for-word matches.
In a follow-up posting to the Symantec security blog, Elia Florio, the researcher who first disclosed that an exploit was on the loose said that home users are actually less at risk than business users -- an unusual turn-about. "The attacker has to be logged on to the computer with an account [which] mitigates risks for home users who often work with one account on their computers," he said. "The situation is more complicated for corporate networks, where multiple users with different privileges can log on to different computers."
Even so, everyone should apply Microsoft's fix or update the driver, Florio said. "Malware dropped on the system via some other exploit, [such as] a browser vulnerability or the recent PDF exploit, could potentially take advantage of the bug to take further control of the computer and bypass other layers of protection."
oh, and yes it is in your computer. i have never played one of their games, at least that i know of, on my computer and that file was there. it is no more.
also ZDNet states that the flaw is being actively used.
http://blogs.zdnet.com/security/?p=603
Quote:
October 23rd, 2007
Zero-day flaw in Macrovision DRM app under attack
Posted by Ryan Naraine @ 11:47 am
Zero-day hole in Windows DRM app under attackMalware authors are actively exploiting a zero-day privilege escalation vulnerability in a copy protection application installed by default in Windows XP and Windows 2003, according to a warning from anti-virus vendor Symantec.
The unpatched vulnerability, confirmed in the Macrovision SafeDisc (secdrv.sys) DRM scheme for online games, can be exploited overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges.
This facilitates the complete compromise of affected computers.
An advisory from the NVD (National Vulnerability Database) provides the skinny:
Buffer overflow in Macrovision SafeDisc secdrv.sys, as shipped in Microsoft Windows XP and Server 2003, allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL.
Symantec researcher Elia Florio stumbled upon the flaw while reverse engineering an in-the-wild malware sample and successfully tested the exploit against fully patched Windows XP-SP2 and Windows 2003-SP1 machines. Windows Vista does not seem to be affected by the problem, Florio said.
Immediately after Florio went public with his discovery, researchers at Reverse Mode traced the issue to the Macrovision SafeDisc application. Exploit code (.zip file) for this issue is already in circulation.
A functional exploit is commercially available through the CORE IMPACT penetration testing platform.
Zero-day flaw in Macrovision DRM app under attack
Posted by Ryan Naraine @ 11:47 am
Zero-day hole in Windows DRM app under attackMalware authors are actively exploiting a zero-day privilege escalation vulnerability in a copy protection application installed by default in Windows XP and Windows 2003, according to a warning from anti-virus vendor Symantec.
The unpatched vulnerability, confirmed in the Macrovision SafeDisc (secdrv.sys) DRM scheme for online games, can be exploited overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges.
This facilitates the complete compromise of affected computers.
An advisory from the NVD (National Vulnerability Database) provides the skinny:
Buffer overflow in Macrovision SafeDisc secdrv.sys, as shipped in Microsoft Windows XP and Server 2003, allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL.
Symantec researcher Elia Florio stumbled upon the flaw while reverse engineering an in-the-wild malware sample and successfully tested the exploit against fully patched Windows XP-SP2 and Windows 2003-SP1 machines. Windows Vista does not seem to be affected by the problem, Florio said.
Immediately after Florio went public with his discovery, researchers at Reverse Mode traced the issue to the Macrovision SafeDisc application. Exploit code (.zip file) for this issue is already in circulation.
A functional exploit is commercially available through the CORE IMPACT penetration testing platform.