gamers look out, more DRM problems for your securityFollow

Update: Buggy game DRM puts Windows users at risk
Everyone running Windows XP or Server 2003 is vulnerable, not just gamers

Gregg Keizer


November 07, 2007 (Computerworld) -- Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today.

The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista "to increase compatibility and playability" of games whose publishers license Santa Clara, Calif.-based Macrovision's SafeDisc copy-protection offering, Macrovision spokeswoman Linda Quach said in an e-mail. "Without the driver, games with SafeDisc protection would be unable to play on Windows," said Quach.

"The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows," she added.

The privilege elevation bug in the driver first surfaced more than three weeks ago, when Symantec Corp. researcher Elia Florio spotted the vulnerability being actively exploited. The presence of the file -- dubbed Macrovision Security Driver -- is enough to open Windows XP and Server 2003 machines to attack; users do not have to play a SafeDisc-protected game to be vulnerable.

Microsoft is working on an update, but it refused to commit to delivering an update for secdrv.sys by next Tuesday, its next scheduled patch delivery day. "Microsoft will provide a security update through its regularly scheduled monthly release process once that update is ready and has been fully tested," a Microsoft spokesman said in an e-mail.

Users can remove the vulnerable driver -- it's typically found in the "%System%drivers" folder -- or update it with a more recent, and apparently safe, version by downloading it from the Macrovision site. "[But] if removed, Macrovision SafeDisc games will not run properly," the Microsoft spokesman cautioned.

Secdrv.sys is included with Windows Vista, but Microsoft's newest operating system is safe from attack, said Quach. "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver," she said. " Thanks to this security review, this vulnerability is not present in Windows Vista." Microsoft went a step further and credited its Security Development Lifecycle (SDL) approach for beefing up the driver.

The version Macrovision offers XP and Server 2003 users as an update is identical to the one built for Windows Vista, Quach said.

As for the three-week stretch between first disclosure of the Macrovision bug and Microsoft's advisory, Microsoft's spokesman denied the company had dragged its feet. "Macrovision and Microsoft immediately began investigating the vulnerability when proof-of-concept code was publicly posted Oct. 17," said the spokesman. The investigation wasn't the only thing that was a Microsoft-Macrovision joint effort: many of the responses the two companies gave to similar questions were word-for-word matches.

In a follow-up posting to the Symantec security blog, Elia Florio, the researcher who first disclosed that an exploit was on the loose said that home users are actually less at risk than business users -- an unusual turn-about. "The attacker has to be logged on to the computer with an account [which] mitigates risks for home users who often work with one account on their computers," he said. "The situation is more complicated for corporate networks, where multiple users with different privileges can log on to different computers."

Even so, everyone should apply Microsoft's fix or update the driver, Florio said. "Malware dropped on the system via some other exploit, [such as] a browser vulnerability or the recent PDF exploit, could potentially take advantage of the bug to take further control of the computer and bypass other layers of protection."

October 23rd, 2007
Zero-day flaw in Macrovision DRM app under attack
Posted by Ryan Naraine @ 11:47 am


Zero-day hole in Windows DRM app under attackMalware authors are actively exploiting a zero-day privilege escalation vulnerability in a copy protection application installed by default in Windows XP and Windows 2003, according to a warning from anti-virus vendor Symantec.

The unpatched vulnerability, confirmed in the Macrovision SafeDisc (secdrv.sys) DRM scheme for online games, can be exploited overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges.

This facilitates the complete compromise of affected computers.

An advisory from the NVD (National Vulnerability Database) provides the skinny:

Buffer overflow in Macrovision SafeDisc secdrv.sys, as shipped in Microsoft Windows XP and Server 2003, allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL.

Symantec researcher Elia Florio stumbled upon the flaw while reverse engineering an in-the-wild malware sample and successfully tested the exploit against fully patched Windows XP-SP2 and Windows 2003-SP1 machines. Windows Vista does not seem to be affected by the problem, Florio said.

Immediately after Florio went public with his discovery, researchers at Reverse Mode traced the issue to the Macrovision SafeDisc application. Exploit code (.zip file) for this issue is already in circulation.

A functional exploit is commercially available through the CORE IMPACT penetration testing platform.

I think the issue lies in the fact that they're not held responsible for it. I mean, something happens to your computer and its not them on the line like it would be for a food producer that sold you spoiled food. It's not life threatening. Same sort of deal as pharmaceuticals. Until someone can prove that faulty programs cause people to die unexpectedly as a direct result, they're probably never going to change much.

I'd like to know why I have Macrovision software on my computer that I didn't agree to install.

When I buy Microsoft software I expect to get Microsoft software, not some random company.

no one has to die to be held accountable for exposing children to unwanted filth or other nasties that can come from malware like this DRM cr4p.

I guess I am not really understanding.

Should I be checking my XP PC for this file? Is it malicious enoughf or me to care?

[...] kaelesh you are missing the point. [...] who should i blame Kaelesh?

i blame those who know about the problem, have fixed it for one OS, but have refused to fix it even today for the other OSs they KNEW had and currently HAVE the bad code.

See, Vista is more secure. We should all go out and buy supercomputers so we can all run vista and still be able to open notepad and be secure.

I guess the only difference is that I know I don't know much about computers and therefore don't mess around with things I shouldn't be?

I think you're missing my point boyo. Developing a 100% stable OS is just beyond anyones capabilities. Of course they have problems, everything ran by computers (which is damn near everything these days) runs into a glitch or problem sooner or later.

Take cars for instance (yes, it's an analogy, deal with it): We know for a fact that certain cars have been prone to a recall. Why is that? Because enough people have a problem with a certain item that is unstable or unsafe. The car manufacturer knows (most likely) about it but chooses not to do anything unless a certain amount of accidents happen.

It's a cost analysis. Nothing more. No company is going to spend time, manpower and money on an older product unless they have to. That is going to the new product. Like Vista.

Just something you have to deal with or develop your own OS and quit ********* worrying about an OS that 95& of the world uses and thus far, hasn't had any major problems with.



Edited, Nov 9th 2007 1:06pm by Kaelesh