Slashdot Mirror
DRM Hole Sets Patch Speed Record For Microsoft
puppetman writes "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)." From the article: "Now, this isn't a 'vulnerability' in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: 'Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore.' But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this 'vulnerability' is in the company's best interest; never mind the customer."
From the article:
"It should surprise no one that the system didn't stay patched for long. FairUse4WM 1.2 gets around Microsoft's patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files."
So it's not totally horrible... though I'm sure (and the article agrees here) that M$ will be quick to fix their fix.
DRM Hole Sets Patch Speed Record For Microsoft & Gets cracked again!!
Wincopy
what relationship? why is it important?
It's called Zune and MSN Music. If the labels don't think that Microsoft can bolt down the music they "sell" to people then the labels don't want Microsoft to be selling their music. Microsoft wants to own this market segment because Apple does, since it forms a part of their new "MS is your everything" strategy.
Plus it might also make the labels pull the plug from other on-line music stores that use Microsoft's DRM technology, opening themselves up to another volley of lawsuits.
My spoon is too big.
When the summary says "Within three days" they mean "three days after it was reported in engadget".
Coz,FairUSE4Wm was released on August 19th in the forum.Microsoft patched it on August 28th.So 9 Days.
Wincopy
Microsoft did not really "patch" their DRM. This wasn't a code change. Their DRM was designed to be updateable in the event that it was compromised.
There is a big difference in how fast you can roll out what ammounts to a configuration change and how fast you can roll out a code change.
That said, it didn't seem to do much good given that it was cracked again in a matter of days.
Dear Windows Media Licensee,
h
On August 25th, 2006, Engadget.com reported on a software tool that would allow consumers to decrypt WMDRM protected content. In response, on August 28, 2006, Microsoft released an update to the individualized blackbox component (IBX) designed to ensure that client applications using the Windows Media Format SDK version 9.5 who individualize to this latest version are robust against a new circumvention tool.
This update is not yet available for the Windows Media Format 9 Series FSDK or for users of Windows XP Media Center Edition 2005 Update Rollup 2.
Consumers are not at risk in any way. Content services can require that the updates be present in order to issue licenses by following the instructions below. Please note that the version number of IBX was not incremented as part of these updates to avoid delaying the release of these critical breach mitigations. Consequently, the only way to determine if the update is installed is to query the build number of the IBX. This requires code executing on the client.
To determine the build number of the IBX:
1. Ensure the PC is running the August 2005 update to Windows Media DRM. See the attached white paper for details.
2. Determine the path of the WMDRM folder. The path is stored in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\DataPat
3. Identify the file name of the latest IBX. If the machine has been individualized only once, the IBX file name will be indivbox.key. Otherwise, the IBX file name is in the form indivbox_xxx.key, where xxx are digits 0-9. The file name with the greatest value of xxx will be the latest IBX.
4. Call GetFileVersionInfo() to retrieve the build version of the file identified in step 3. See [link].
5. If the IBX file version is 11.0.5497.6285 or greater, then the updated IBX is installed
Please submit questions to [email removed]
Best regards,
Windows Media Licensing Department
Microsoft Windows Digital Media Division
Basically -> the content provider CAN require that patch to be there. I don't know whether it's a separate patch through WMP or through MSUpdate but since I don't use Windows/Microsoft I can't speak for them.
Custom electronics and digital signage for your business: www.evcircuits.com
The KB891122 patch wasn't developed in response to FairUse4WM 1.0 -- MS started working on it after seeing an earlier bunch of tools (drmdbg and friends) that were released on the cover CD of a Japanese magazine a few months ago, but were too cumbersome in operation to gain widespread use.
FairUse4WM "merely" wrapped up the techniques used by these tools in a neat package, and got to the frontpage of Engadget. It was pure luck that MS had a patch available at the time, even though it took extraordinary effort on the behalf of its DRM partners to implement, and denied "legacy" OS users, as well as users of the latest Media Center version, the use of new DRM-protected tracks.
A patch for FairUse4WM 1.2 still isn't available, even though the tool was released last weekend.
BTW, if you think MS is getting screwed by class breaks like this, think again. Content providers (think: RIAA members) will call in their non-refundable advances (usually over $25K per label!) received from distribution partners (think: music stores) for "material breach of contract". MS will fix the issue, the RIAA gets richer, and the guys that actually try to get music to you get screwed. Oh, well, they're used to it...
First of all, the DRM code is most likely pretty self-contained, and is only interfaced with by a limited amount of code. (All the files run through some version of the Windows Media Encoder engine, remember?). So on that front, it's a hell of alot easier to patch an issue contained to DRM-land than it is to deal with something like IE, which has to interact with a much messier set of incoming files (the Web).
Even then, the reason you don't release a patch in three days is that you're probably going to screw it up and not actually fix the problem. Amazingly enough, that appears to be exactly what happened.
Vista's default file access settings prohibit the access of any hard drive partitions except your Vista one. So you have to go and Take Ownership of every item on every drive, and then give yourself Full Control permissions to be able to use the drive. It's quite annoying, but luckily it's faster in RC1 than B2.
I've only recently figured out how to tweak the registry to allow me to disable automatic updates again.
Umm all that I have to do to disable automatic updates is:
1) Start->Control Panel
2) Click Automatic Updates
3) Select Turn Off Automatic Updates
4) Press OK
No registry tweaking needed. Now I do have XP Pro, do other versions of XP really make you edit the registry? That would really piss me off.
Hey, there is only one Return and it's not of the King, it's of the Jedi.
Neither, this is not a "patch" in the sense people think it is, and it has nothing to do with windows update. All it is is a new version of your "individualized" private keys. drmv2clt.dll isn't touched by the fix, you just re-indiv your machine, and get the new keys from MSFT.
That article is completely misleading. This "Vulnerability" has been known about since January 2005, the tools to bypass it were available since then, they just didn't have a fancy GUI to make it easier. This is actually one of the LONGEST periods Microsoft took to patch something.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
I think that WGA has already proven that it's not worth upgrading. Running a hardware firewall and being half-intelligent as an internet user is more than sufficient to protect yourself from ANY issues with non-patched software.
I know some people that have never upgraded their windows XP ever via windows update, yet have never been infected with virus' (virii?) or other malware. Just takes half of a brain on the user-end to make this possible.
Gekido's Lair
There are no small fixes. A famous single-character error (typing "." for "," in a FORTRAN DO loop header, so it read DO I=1.10 instead of DO I=1,10) resulted in the destruction of a spacecraft.
While I agree that even tiny changes can have large consequences, it appears the FORTRAN-lost-a-spacecraft bug is a programming urban legend that eventually made its way into computer texts as a cautionry example. (See this Google archive of a relevant 1993 alt.computer.folklore discussion on Mariner I.)