DRM Hole Sets Patch Speed Record For Microsoft

puppetman writes "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)." From the article: "Now, this isn't a 'vulnerability' in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: 'Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore.' But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this 'vulnerability' is in the company's best interest; never mind the customer."

Patch

[Damastus+the+WizLiz]

So this is going to be the least installed patch for windows ever. untill they make it mandatory

Re:Patch

[Danga]

I've only recently figured out how to tweak the registry to allow me to disable automatic updates again.

Umm all that I have to do to disable automatic updates is:

1) Start->Control Panel
2) Click Automatic Updates
3) Select Turn Off Automatic Updates
4) Press OK

No registry tweaking needed. Now I do have XP Pro, do other versions of XP really make you edit the registry? That would really piss me off.

Re:Patch

[Fordiman]

Meh. It's already rebroken. And this time, with video support.

MS is just way too slow for t3h hax0rz.

Meanwhile, I'm testing the new version in conjunction with Vongo (Downloading a movie now). Let's see how that works. If so, I may stick to Vongo rather than BitTorrent ('cept, the very rare/hard-to-find stuff will still get me on BT).

I'm sure the DRM astroturfers on here will scoff, and say, "Yeah right, you spoiled rich college kid theif scumbag criminal. You're just going to keep stealing from the mouths of millionaires like the incorrugible brat you are." If you'll just take it as read that I said 'Fuck off, tool.', we can avoid the whole thing.

Kinda blows their excuse

[Eldred]

What's their excuse going to be the next time a user vulnerability that has exploits in the wild has to wait for the next release cycle?

Re:Kinda blows their excuse

[Stripsurge]

Easy. They used up all their overtime hours already.

Re:Kinda blows their excuse

[buro9]

That they didn't have the bug pre-patched?

In the case of DRM, the system is setup to block comprised clients at the server level immediately.

In the case of DRM, backup DRM methods are already pre-written and ready to ship.

As soon as a system is compromised, the existing method is deactivated, servers notified to deny licenses, and the new system is delivered via the servers.

They are able to 'patch' this so quickly because they already had it written months, if not years, ago. Just like when this one gets compromised, they will be able to 'patch' as fast because they already have the next backup DRM method already on the shelf waiting.

They know this is a game with those who circumvent DRM, and a game which requires time for each DRM method to be circumvented. So they build a store of different methods of DRM and when one is circumvented they release the next. The game continues... and time is currently on the side of Microsoft as they have their next few moves on the shelf ready.

Re:Kinda blows their excuse

[skaap]

I wonder if they'll introduce clippy to this:

Clippy: It looks like you're trying to pirate some music, do you want me to:

1. Send your details to the RIAA
2. Delete your files
3. Ruin the files by overlaying Cliff Richard music into it?

Re:Kinda blows their excuse

[HermMunster]

In WA state the programmer is a slave to overtime. WA state laws allows busineses to require overtime without having to pay for it on any salaried worker. This is a device of Microsoft. Microsoft lobbied to get he laws changed so that the programmer positions changed.

A programmer is the person who actually, through their very creativity and knowledge, makes the product come into being. This is far different than someone that works as an assembly line worker who just does their small part. Programmers are the reason the products exist. For me, that's the reason I don't work as a programmer. I don't want my blood, sweat, and creativity exploited by companies such as Microsoft that make billions of dollars a quarter on my work.

WA needs to revert back to the laws that allow these programmers to get paid overtime. It is only fair. This isn't a management position and thus should never have been changed. It only happened because Microsoft lobbied to make it happen.

Re:Kinda blows their excuse

[marcello_dl]

What's their excuse going to be the next time a user vulnerability...

Windows has no users. It has hostages.

Futile request to any /. reading MS employee

[MightyYar]

No matter what anyone in your company tries to tell you, this kind of rapid response is EXACTLY what we are clamoring for when we ask that you take security seriously. Please tell your bosses. Thanks...

They patched it, but...

[mendaliv]

From the article:
"It should surprise no one that the system didn't stay patched for long. FairUse4WM 1.2 gets around Microsoft's patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files."

So it's not totally horrible... though I'm sure (and the article agrees here) that M$ will be quick to fix their fix.

Regulation?

[linguizic]

If Microsoft abandoned this Sisyphean effort and put the same development effort into building a fast and reliable patching system, the entire internet would benefit. But simple economics says it probably never will.

This leads me to 2 questions: "can patching be regulated?" and "should patching be regulated?". It seems obvious the free market can't keep our computers secure. I've been wrong before though. I guess maybe it could if people didn't already have the expectation that they shouldn't have to pay for patches b/c Microsoft should fix their own faulty software.
I guess it's all pretty moot since open source is going to take over the world anyway.

Re:Regulation?

[RocketScientist]

The free market is EXACTLY how this should be fixed.

It's currently regulated so that the free market has NOTHING TO DO WITH THE PROBLEM.

The primary issue, and this is exactly out of Mr Schneier's playbook, is that Microsoft has no direct civil liability for their defects. It's exaclty as if you couldn't sue Ford becase your Pinto's gas tank exploded. Ford would have no reason to fix the defect. Well, the same problem here: if you buy defective software, you have no recourse to sue the manufacturer of the product. Remove that lack of liability and you'll start to see problems get fixed very very quickly.

If Microsoft was civilly liable for every piece of spam that was sent by a Windows zombie PC, there would very quickly be patches.

Less protection of corporations, and more market forces, would fix this problem. This is EXACTLY the kind of problem markets are very good at fixing. The problem is that the current regulation circumvents the market.

Re:Regulation?

[spun]

Unfortunately, free markets lead to concentration of wealth. Concentration of wealth leads to concentration of power, which leads to control of the regulatory process. Free markets invariably become unfree because of a runaway feedback loop. At least in democracy we have checks and balances. Where are the checks and balances within a free market that will work to keep it free? there are none.

Re:Regulation?

[betterunixthanunix]

No, free markets create problems like this. In a truly free market, you have no legal recourse if you are sold a defective product, and as Windows demonstrates, market forces do not stop poor-quality products from dominating the market. What is needed is less protection of corporations, as you said -- and more protection of consumers. Microsoft should be legally obligated to immediately patch any bugs that are reported. Unfortunately, singling out Microsoft wouldn't solve the problem, and a general solution to the problem would ruin the open source movement. The only actual solution to this problem is better education -- so that consumers are educated enough to choose the best software available, which would force publishers (including FOSS publishers) to patch quickly, or lose market share. Standards help, too.

Re:Regulation?

[ultranova]

If a user puts an unpatched computer on a network, they are grossly negligent and should be liable for any damages it causes.

So basically, plugging a computer into a network opens you up to the RIAA-style legal blackmail - after all, finding out if your computer was "sufficiently patched and configured" to clear you of negligence charges is going to make file sharing cases seem simple. Oh, and does running some non-mainstream program - such as Firefox - make you negligent ? After all, an obscure program could well have obscure bugs in it; in other words: "No one ever got sued (or at least convicted) for running Microsoft".

Besides, if your computer or network got damaged from traffick coming from my hijacked computer, then clearly you have been at least as negligent as I, since you failed to adequately secure your computer before plugging it to the network. So, given that you got damaged because of your own negligence, why should I pay for it ? Or, more to the point: why should I be responsible for my negligence but you not responsible for yours ?

No; the culprit here is the guy who hijacked my machine, not me. I cannot be blamed for you failing to adequately protect yourself from damage, anymore than I could be blamed if someone walked over my lawn to break into your house, or a hostage could be blamed for aiding terrorists since he didn't exercise enough caution to avoid being captured by them. The whole concept is absurd and totally unjust, and will also make running any new or non-mainstream program an unacceptable risk, since you never know if that program has any obscure security bugs that could make you liable for potentially infinite damages. It will grind software development to halt and disintegrate computer networks since plugging your computer into them becomes the financial equivalent of grabbing a high-tension wire. Even the US Government can't possibly be stupid enough to pass this law.

No need for a new law, just enforce the ones we already have for dealing with this sort of behavior.

Yeah, go after the guy who hijacks people's machines in the first place, don't blame his victims for failing to defend themselves. Your whole idea is basically the same as throwing a serial rapist's first victim to jail because she failed to stop him and is therefore, by your twisted logic, responsible for every rape he does afterwards.

Re:Regulation?

[ChronosWS]

And there's no concentration of wealth and power now, in our democracy? Maybe you've missed the consistent erosion of our rights lately, and fail to realize that the people eroding those rights also have the power to use force (as in they can lock you up and/or kill you) to further their ends AND it's perfectly legal so long as the right people are paid off (or themselves coerced.)

What day is it?

[hansamurai]

For a second there, I thought it was Tuesday.

Ever?

[truthsearch]

'Quickest Patch Ever'... for Microsoft. Linux distros have definitely had patches available within 48 hours of a security hole being found. IIRC the samba team once fixed a hole within 24 hours and it was in most of the big distros within another 24.

And isn't it sad that the quickest patch they ever release is for a hole no user cares about? More proof that MS cares more about their corporate friends than users.

can someone explain ths

[geekoid]

"ut to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels."

what relationship? why is it important?
Do the get money from them? Is Steve B. banging a secretary in the RIAA office?
I just don't get it.

Re:can someone explain ths

[nine-times]

Microsoft is trying to sell their formats on the strength of the DRM. DRM is what record companies want. If the DRM is insecure and easily cracked, then it won't be used.

Re:can someone explain ths

[hublan]

what relationship? why is it important?

It's called Zune and MSN Music. If the labels don't think that Microsoft can bolt down the music they "sell" to people then the labels don't want Microsoft to be selling their music. Microsoft wants to own this market segment because Apple does, since it forms a part of their new "MS is your everything" strategy.

Plus it might also make the labels pull the plug from other on-line music stores that use Microsoft's DRM technology, opening themselves up to another volley of lawsuits.

Re:can someone explain ths

[daranz]

There are DRM-ed WMA playing portable devices and online download services. It's in MS's interest to keep the DRM doing what it's supposed to do. Otherwise, everyone goes to iPod and iTunes, and that's not what MS wants.

Not an article

[Red+Flayer]

I know it seems like semantics, but Schneier's piece is not an article. It's an editorial, an opinion piece -- even if it is based on some real event(s). We really should differentiate between the two, as I do prefer 'news for nerds', not 'opinions for nerds'. I've already got opinions o'plenty, and the comment section is where I like to see others' opinions. :)

Headline wrong again

[in2mind]

Should have read :

DRM Hole Sets Patch Speed Record For Microsoft & Gets cracked again!!

Re:Headline wrong again

[in2mind]

The reason is Fairuse4WM version 1.2 gets around the microsoft patch. http://www.engadget.com/2006/09/02/fairuse4wm-peep s-stay-one-step-ahead-of-microsoft

Priorities

[wardk]

fatal holes in the browser? whatever

allowing spyware to take over? who cares

DRM? we're on it!

Re:Priorities

[PriceIke]

This is not a patch. A patch fixes a problem and makes software usable again.

This takes usable, functioning software (FairUse4WM) and breaks it.

"Patch" my ass, this is a bug, which users are expected to install themselves.

Plain and simple

this kind of rapid response is EXACTLY what we are clamoring for when we ask that you take security seriously

The fast fix suggests that rapidness of response might be a function of "whose ox is being gored".

Re:Plain and simple

[MightyYar]

Exactly! The cat's out of the bag... we know that they are CAPABLE of a 3-day turnaround. That line about having to wait for testing and blah, blah, blah was totally bogus, apparently.

Re:Plain and simple

[Abcd1234]

Well, just to play devil's advocate - what if the vulnerability fix was, literally, a couple of lines of code? Maybe it was just a tiny fix.

Actually, I suspect the vast majority of security fixes are just this. Usually it involves adding a couple more error checks to function inputs, putting length limits on operations on memory buffers, that sort of thing. I suspect it's quite rare for a patch to be any more involved, unless it's the result of a serious error in design.

Re:Plain and simple

[DaggertipX]

Good point, good point... but why can't they do this with the security patches that are just as small then? I mean, sure, some of the patches may require billions of lines of code and touch every product in their lineup, but I have a hard time believing they all do. In fact, I would be shocked if there weren't quite a few of them that are easier to repair, once the vulnerability is known, than this was.
I don't want the "monthly rollouts were requested by corporate customers" line, either... Even if they were - there is no reason to not release them to those that want them earlier, as well as a monthly package.

Re:Plain and simple

[radtea]

Well, just to play devil's advocate - what if the vulnerability fix was, literally, a couple of lines of code? Maybe it was just a tiny fix.

I once moved a single line of code up one line and broke the product in a subtle and interesting way that fouled up major testing, delayed a milestone, and severely and justifiably pissed off one of my colleagues.

There are no small fixes. A famous single-character error (typing "." for "," in a FORTRAN DO loop header, so it read DO I=1.10 instead of DO I=1,10) resulted in the destruction of a spacecraft.

So I guess fixes that involve changing less than one character are safe to release with minimal testing. All the rest need the full cycle.

The only reason why Microsoft might not do that in the present case is because keeping partners who depend on DRM happy is really, really important, and therefore they are willing to take the risk of crashing user's machines. Either that, or the person making the decision is just not very smart, a possibility never to be discounted.

Re:Plain and simple

[gludington]

There are no small fixes. A famous single-character error (typing "." for "," in a FORTRAN DO loop header, so it read DO I=1.10 instead of DO I=1,10) resulted in the destruction of a spacecraft.

While I agree that even tiny changes can have large consequences, it appears the FORTRAN-lost-a-spacecraft bug is a programming urban legend that eventually made its way into computer texts as a cautionry example. (See this Google archive of a relevant 1993 alt.computer.folklore discussion on Mariner I.)

Who profits?

[Damiano]

As TFA says, it's simple. A normal security hole costs the user money, not Microsoft. This "security hole" (indirectly) costs MS money so it gets fixed ASAP. MS is, if nothing, good at protecting its bottom line.

Critical, or not?

[kripkenstein]

So this is going to be the least installed patch for windows ever. untill they make it mandatory

Actually, this is a very serious question: is the patch marked critical, or not? This is important, because:

1. If the patch is critical, it will get criticized for being, in effect, mandatory degradation of capability (by the tech-savvy). Also, this will make light of Microsoft's security policy, to call this sort of patch 'critical'.
2. If the patch is not critical, then - oh, the irony - by default, it will not be installable on computers failing WGA. Perhaps Microsoft will get around this. But, as WGA currently works, only critical patches are allowed to systems marked as 'non-genuine'. This would be amusing - pirated copies of Windows would not receive this unwanted patch, but paid-for copies would.

I can't find, in TFA or the sources it cites, any mention of the severity of the patch. Anyone know the answer to this?

Re:Critical, or not?

[SoCalChris]

This would be amusing - pirated copies of Windows would not receive this unwanted patch, but paid-for copies would.

That's a good question. If it isn't marked critical, that will be just one more instance of a pirated product being superior to a genuine product (Pirated games not requiring the CD to play, pirated music not being restricted to certain devices, pirated movies not displaying unskipable ads & warning, etc...)

Re:Critical, or not?

[nine-times]

How can they make it a mandatory patch, even if marked critical? It seems to me that the most they could do is impose a restriction that you couldn't install other patches until you installed this one, but they still can't force you to install it.

<microsoft bashing bitch session>It really makes me wonder whether, as Microsoft introduces more "security" and "protection" that diminish a user's capability, at what point will it cease to be worthwhile to upgrade/patch/fix? Sometimes I think that point was crossed with the introduction of Windows XP</microsoft bashing bitch session>

Re:Critical, or not?

[guruevi]

Dear Windows Media Licensee,

On August 25th, 2006, Engadget.com reported on a software tool that would allow consumers to decrypt WMDRM protected content. In response, on August 28, 2006, Microsoft released an update to the individualized blackbox component (IBX) designed to ensure that client applications using the Windows Media Format SDK version 9.5 who individualize to this latest version are robust against a new circumvention tool.

This update is not yet available for the Windows Media Format 9 Series FSDK or for users of Windows XP Media Center Edition 2005 Update Rollup 2.

Consumers are not at risk in any way. Content services can require that the updates be present in order to issue licenses by following the instructions below. Please note that the version number of IBX was not incremented as part of these updates to avoid delaying the release of these critical breach mitigations. Consequently, the only way to determine if the update is installed is to query the build number of the IBX. This requires code executing on the client.

To determine the build number of the IBX:

1. Ensure the PC is running the August 2005 update to Windows Media DRM. See the attached white paper for details.
2. Determine the path of the WMDRM folder. The path is stored in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\DataPath
3. Identify the file name of the latest IBX. If the machine has been individualized only once, the IBX file name will be indivbox.key. Otherwise, the IBX file name is in the form indivbox_xxx.key, where xxx are digits 0-9. The file name with the greatest value of xxx will be the latest IBX.
4. Call GetFileVersionInfo() to retrieve the build version of the file identified in step 3. See [link].
5. If the IBX file version is 11.0.5497.6285 or greater, then the updated IBX is installed

Please submit questions to [email removed]

Best regards,

Windows Media Licensing Department
Microsoft Windows Digital Media Division

Basically -> the content provider CAN require that patch to be there. I don't know whether it's a separate patch through WMP or through MSUpdate but since I don't use Windows/Microsoft I can't speak for them.

Re:Critical, or not?

Neither, this is not a "patch" in the sense people think it is, and it has nothing to do with windows update. All it is is a new version of your "individualized" private keys. drmv2clt.dll isn't touched by the fix, you just re-indiv your machine, and get the new keys from MSFT.

Re:Critical, or not?

[digitallife]

I stopped patching my xp box 2 years ago. The average user of course probably wouldn't be able to do that, but it works fine for most computer geeks.
Back when I first stopped, I would have patched if I felt it was necessary. Now, I wouldn't patch unless you held a gun to my head.

To be honest, I am stuck in a position that as my computer software ages, I am unsure how to upgrade. I will be VERY unlikely to switch to Vista or any future MS offering. Switching to some Linux distro will be a pain because my main computer has been windows for so long, and I enjoy playing games and using various software that is generally not supported on Linux. Mac might be a possibility, but it will still be a pain in the ass.
Oh well, I'll consider the options when the time comes.

Re:Critical, or not?

[abandonment]

I think that WGA has already proven that it's not worth upgrading. Running a hardware firewall and being half-intelligent as an internet user is more than sufficient to protect yourself from ANY issues with non-patched software.

I know some people that have never upgraded their windows XP ever via windows update, yet have never been infected with virus' (virii?) or other malware. Just takes half of a brain on the user-end to make this possible.

Re:Critical, or not?

[jZnat]

Just dual boot and keep a copy of Windows for gaming. One day you'll be able to play basically any game flawlessly via WINE, but that's not the case right now. Maybe it'll be ready for that by the time Vista comes out?

Re:Critical, or not?

[Carewolf]

Pirates just are better. Get used to it, ninja!

Re:Critical, or not?

[Analogy+Man]

And if we could just figure out a way to get a couple million pirates of the "Aargh! Treasure" variety we could kiss global warming goodbye!

Re:Critical, or not?

[put_the_cat_out]

It sounds like it should be easy enough to make WM licenees believe the patch has been installed when it really hasn't.

Re:Critical, or not?

[LucBorg]

Fine they are being a typical company, but it's not as if Apple would behave any differently if something like this happened to their music.

Re:Critical, or not?

[brouski]

If your XP box has a network cable plugged in, I would consider it irresponsible not to keep it patched up with at least the critical security updates. No one's ever as perfect as they claim to be... :)

Re:Critical, or not?

[200_success]

In the long run, it doesn't matter whether this particular patch is mandatory. The next time there is a truly security-related patch for Media Player, they'll either include this fix or require it as a prerequisite.

Re:Critical, or not?

[MightyYar]

Actually, this DID happen to Apple when Hymn broke the FairPlay encryption. It remained broken, off and on, for quite a few months (years?) until iTunes 6 came out. Even now, you can buy music using the older "broken" iTunes software and break the encryption. Eventually they will probably disallow the use of pre-6, but I don't think they have yet.

Re:Critical, or not?

[pete6677]

Keep in mind who Microsoft's real customers are: the content providers paying big bucks for a Microsoft-exclusive distribution arrangement. The consumers who pay $200 or so for a Windows license (or who don't pay at all) are not where Billy G. got his billions from. Microsoft is simply fixing problems in order of business priority.

Re:Critical, or not?

[clem]

And if we could just figure out a way to get a couple million pirates of the "Aargh! Treasure" variety we could kiss global warming goodbye!

Wouldn't a pirate be more likely to say, "Ah! Treasure!" or "How nice! Treasure!"? Unless, of course, he dropped the chest on his own foot.

Re:Critical, or not?

[BlueStrat]

I stopped patching my xp box 2 years ago. The average user of course probably wouldn't be able to do that, but it works fine for most computer geeks.
Back when I first stopped, I would have patched if I felt it was necessary. Now, I wouldn't patch unless you held a gun to my head.

To be honest, I am stuck in a position that as my computer software ages, I am unsure how to upgrade. I will be VERY unlikely to switch to Vista or any future MS offering. Switching to some Linux distro will be a pain because my main computer has been windows for so long, and I enjoy playing games and using various software that is generally not supported on Linux. Mac might be a possibility, but it will still be a pain in the ass.
Oh well, I'll consider the options when the time comes.

One option you might consider is running XP (or even 2000, or, *shudder*, 98SE) in a VMWare-type virtual machine. Especially with the new multi-core CPUs, cheaper RAM, and heftier GPUs coming out, this will continue to be an increasingly-viable option for those that don't want to suffer from unwanted DRM in XP or switching to the even more locked-down Vista.

You could be securely browsing, e-mailing, etc. from your linux/FreeBSD OS, while fragging your buddies in CS/Doom3/whatever running in a virtual, sandboxed instance of 2000/XP running in a window on your desktop.

Cheers!

Strat

Re:Critical, or not?

[Cederic]

Oh no, "Aaaaaarghhhhh!" is very pirate like. The full drawn out heavily accented version of 'ah' spoken at barely louder than standard volume helps establish the credibility and persona of the pirate, helping differentiate him from the Royal Navy captain ("Oh, I say!"), the unretrievably insane ("Twip Feeble Snarf!") and the common or garden ninja ("").

Re:Critical, or not?

[tacocat]

An imperfect solution?

I ran into this question some years ago and decided on a different solution. I installed Linux and bought a PS2 (Now GameCube). The reasons are simple and straightforward:

• Game consoles don't crash like computers do.
• They are less expensive than the video upgrades or anything else
• Similarly the games are console compatible for years without requiring hardware upgrades.
• I have a 34" game monitor!
• Kids play games and I still have my computer available.

I found over the years that this is a great solution.

While there are some games I can't get on my console I've learned to live without them (see human history for survival stories of people without video games). And there's always a variety of free games. Frozen Bubble!

Re:Critical, or not?

[LordSnooty]

But as long as you are behind a firewall (which any geek would be), and use a competent virus scanner (Clamwin will do), the only threat comes from IE bugs, and who in our community uses IE?

Re:Critical, or not?

[orasio]

Switch to consoles.
Windows gaming is more expensive than console gaming, if you include licenses and special hardware needed, and it's far less convenient.
Windows gaming doesn't have much to stand against next generation console gaming. I don't think gaming in Vista will be as important as it was, for instance, in win98. Consoles have lots of advantages over what a computer has to offer.
GNU/Linux for computing, Wii (or whatever rocks your boat) for gaming. That should be easy enough, and keep administration issues at the lowest.

Oh, I know!

[rice_burners_suck]

I have an idea. Let's embrace and extend DRM in Windows. From now on, the operating system will not allow anything to read any information from anywhere. Your own files on your hard drive? Sorry, you can't access them, because you might accidently pirate your English class essay that you wrote last night, and Windows, being much, much, much smarter than you could ever dream of being in your wildest dreams, is therefore charged with the duty of making sure you don't do something illegal like that.

Re:Oh, I know!

[The+MAZZTer]

Vista's default file access settings prohibit the access of any hard drive partitions except your Vista one. So you have to go and Take Ownership of every item on every drive, and then give yourself Full Control permissions to be able to use the drive. It's quite annoying, but luckily it's faster in RC1 than B2.

Re:Oh, I know!

[Foolhardy]

What are you talking about? File access is handled by the filesystem. When you mount an existing fileystem, its files continue to have the same security descriptors as they did before. The only access check done when opening a file is against that file's SD. In order to have the behavior you're implying, Vista would have to intentionally modify the SD of every file to some ridiculous default, just by mounting a volume-- a behavior I've not witnessed and seriously doubt exists.

What it sounds like is ACTUALLY happening is that you assigned ownership and sole access to a local account from your previous installation that does not exist in the new Vista installation's account database. Since no account on the new installation can match the unique SID of the old account in the previous installation, you are not granted access. This behavior has been the same in every version of NT. In UNIX terms, you've assigned ownership and group on the files to a uid that doesn't exist in this installation.

Usernames are not assigned access to and ownership of objects; SIDs are. A SID is a binary value that is used as the primary key identifying a user or group. A unique local account SID contains a randomly generated prefix that was generated during installation and a sequential suffix for the specific user. With the machine's prefix, no two unique SIDs from different installations can be the same. Even if the account name matches in the two installs, the accounts will have different SIDs.

When you said that "you have to go and Take Ownership of every item on the drive, and then give yourself Full Control" (emphasis mine) you're setting yourself up for failure if you ever try to access the volume from another installation that (again) can't and won't have information about the local accounts from this installation. If, in the future you want to assign access consistently across installations sharing a volume, assign access to non-unique groups such as Users and Administrators. The SIDs of these groups are the same regardless of installation. Either that, or join both installs to a domain and use domain accounts.

Re:Customers' best interest

[Tackhead]

> While it may be funny to joke about it serving the customers' best interest if Microsoft were to go belly up,

Microsoft is serving its customers' best interests. Their customers are system builders such as Dell, purchasing managers at businesses, and media companies.

The guy at the keyboard of a Windows Vista box, using Microsoft Office at work, and Windows Media Player at home is not the customer, he is the product.

Cued up for a reason

[Mateo_LeFou]

This sort of story indicates something about Microsoft's priorities. It doesn't mean they're evil and/or going to software hell. It just indicates something about their priorities.

Priorities...

[Supp0rtLinux]

So let me see if I get this right... they'll wait a month for normal patches, sometimes longer for some that've been well known but they either can't fix or don't see the potential risk... but in general, if a new vulnerability is found on the Wednesday after black Tuesday, they'll wait a month (at earliest) to release a patch even if an exploit is in the wild... yet when it comes to protecting their cash cow, they'll fix it right away. In other words, screw the consumer... we can just damn well wait for updates to critical vulnerabilities, but when it comes to protecting their own revenue stream, they'll fix something right away. Not sure why I would've thought they'd do any different... but it would seem they rushed to provide a "bug fix" to protect their revenue stream, but won't rush to creat "critical updates" that customers need. Amazing...

Funny how fast they are on screwing the customer

Normally. Microshaft ignores security problems for at LEAST a month, they they deny that a problem exists for at LEAST another month, then they "study" the issue for at LEAST another month, then they "work on the problem" for at LEAST another month, and finally release a patch that does not really address the original problem and breaks a half dozen other things (and apparently inflicts even more sadistically controlling DRM on Microshaft's victims).

A Correction

[in2mind]

"Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)."

When the summary says "Within three days" they mean "three days after it was reported in engadget".

Coz,FairUSE4Wm was released on August 19th in the forum.Microsoft patched it on August 28th.So 9 Days.

Not Accurate

[ThinkFr33ly]

Microsoft did not really "patch" their DRM. This wasn't a code change. Their DRM was designed to be updateable in the event that it was compromised.

There is a big difference in how fast you can roll out what ammounts to a configuration change and how fast you can roll out a code change.

That said, it didn't seem to do much good given that it was cracked again in a matter of days.

Knowing Where Your Priorities Lie

[segedunum]

So Microsoft wasted no time; it issued a patch three days after learning about the hack. There's no month-long wait for copyright holders who rely on Microsoft's DRM.

It's nice of Microsoft to let us know where their priorities lie. Obviously, things aren't as complex as Microsoft have let on (one of the many excuses for not getting patches out) if they can patch something that quick.

"Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore."

Really? I'm going to Windows Update as I write this. Mind you, good luck finding anyone who actually uses PlaysforSure. For those that are they've found out that stores selling Windows Media files are crap (you effectively rent your music - yay, what a great idea!) and they're looking to get out before they buy any more of the crap. Microsoft have some slight delusions of grandeur about the importance of their DRM software.

It is semantics, and its wrong semantics, too...

[DragonWriter]

An opinion piece is an "article" ("piece" and "article" in the relevant senses are synonyms.) It is not a "news article". But the existence of the opinion piece is itself news, as are the underlying facts it relates too, so a Slashdot article pointing to it is not inconsistent with the slogan "News for nerds."

Of course, the full slogan is "News for nerds. Stuff that matters." Whether the second part is a limitation on, or addition to, the first is debatable.

Turn Off Your Automatic Updates

[organgtool]

It's a good thing I have automatic updates turned off. However, automatic updates in Vista will be turned on by default. If I ever end up using Vista, that will be the first feature that I disable which is a shame since automatic updates are a good thing if you can trust the company that performs them.

Timeline is wrong

[mdb31]

The KB891122 patch wasn't developed in response to FairUse4WM 1.0 -- MS started working on it after seeing an earlier bunch of tools (drmdbg and friends) that were released on the cover CD of a Japanese magazine a few months ago, but were too cumbersome in operation to gain widespread use.

FairUse4WM "merely" wrapped up the techniques used by these tools in a neat package, and got to the frontpage of Engadget. It was pure luck that MS had a patch available at the time, even though it took extraordinary effort on the behalf of its DRM partners to implement, and denied "legacy" OS users, as well as users of the latest Media Center version, the use of new DRM-protected tracks.

A patch for FairUse4WM 1.2 still isn't available, even though the tool was released last weekend.

BTW, if you think MS is getting screwed by class breaks like this, think again. Content providers (think: RIAA members) will call in their non-refundable advances (usually over $25K per label!) received from distribution partners (think: music stores) for "material breach of contract". MS will fix the issue, the RIAA gets richer, and the guys that actually try to get music to you get screwed. Oh, well, they're used to it...

Re:Timeline is wrong

[mdb31]

Don't do business with the RIAA if you don't want to get screwed

Your idealism is touching, but you really should get out more often. Without content from the 'majors', all of whom insist on DRM, online music stores are dead in the water. It's not like music stores actually like DRM: most indie labels, for example, allow their music to be sold without DRM, and most music stores will jump at the opportunity do so. Sales of indie content alone, though, are nowhere (and I mean: nowhere) near enough for the stores to survive.

"Don't deal with the RIAA" sounds good, but it's just not practical in the real world.

Computers are not a free market

[Colin+Smith]

Not the desktop anyway. It's a monopoly. The actions of Microsoft are those of a monopolist.

Shocking

[Effugas]

First of all, the DRM code is most likely pretty self-contained, and is only interfaced with by a limited amount of code. (All the files run through some version of the Windows Media Encoder engine, remember?). So on that front, it's a hell of alot easier to patch an issue contained to DRM-land than it is to deal with something like IE, which has to interact with a much messier set of incoming files (the Web).

Even then, the reason you don't release a patch in three days is that you're probably going to screw it up and not actually fix the problem. Amazingly enough, that appears to be exactly what happened.

patch is not pushed via windows update

[tomz16]

First of all, it's been cracked again. Look up FairUse4WM 1.2.

Second of all, from what I've seen, it's not pushed out via windows update, but rather the client you are using for music. For instance, Napster pushed out the new version via a tiny patch when I launched the client. There IS a way to trick your client into believing that you already have the latest version (thus preventing the forced update). Look it up in the doom9 forums.

This should keep the crack working until Napster pushes out a completely new version of the client that explicitly checks the version, or Micrsoft issues a regular update.

-T

P.S. Napster provided free of charge by my university. Hell, as a grad student, I guess I get paid to use it...

The squeaky wheel gets the grease

[TopShelf]

And isn't it sad that the quickest patch they ever release is for a hole no user cares about? More proof that MS cares more about their corporate friends than users.

Is it proof that MS doesn't care enough about users, or is it (by extension) proof that users don't care much about OS vulnerabilities? Sure, they may complain, but do they actually take action and demonstrate that they care, by switching to more secure OS's (by moving to Apple or Linux)?

After all, MS reacts to what its customers and business partners care about. The music companies go apeshit over stuff like this, but users (both corporate and personal) haven't really demonstrated that they'd rather take their business somewhere else, so why should MS give them anything more than lip service?

Let's be fair here*

[c0d3h4x0r]

Not all fixes pose the same risks or require the same amount of testing.

A patch for a DRM component surely involves much less code churn, risk, and testing than a change to a core OS component (such as network stack or IE) would require.

Furthermore, as the original post indicated, no end-users are going to care about this patch or badmouth it in the press if it doesn't perfectly close the hole. And partner businesses aren't going to abandon their deep investments in Microsoft's platform just b/c of one hole. This scenario actually presents less pressure on Microsoft to have to get the fix right compared to other scenarios, meaning they can afford to do less up-front testing.

* I know someone will want to reply to this post to say: This is Slashdot, and you're looking for fairness?!? HahaaHAhaAHA! I know this is Slashdot, and so I know better than to expect to see fair reporting around here. Still, there's no harm in trying to raise the bar a bit.

Re:Customers' best interest

[IamTheRealMike]

I know this goes against the Slashdot groupthink but yeah, real customers (as in people) do get hurt by this kind of thing.

My brother used to subscribe to the Napster "all you can eat" music service, in which you basically rent music - you pay a fixed amount each month and just listen to however much you like. If you stop subscribing you lose access to the music. He liked this business model, because it suited the way he listens to music. I'm the same. There isn't any way to implement this without DRM, and if DRM is not robust, that business model will die. And then the silent section of the populace who doesn't read Slashdot, and doesn't really give a crap about DRM, will just get pissed off.

You've gotta love how one sided DRM debates here always are ... the artists and non-technical users are sort of presumed to not exist, or not be important.

Who the customer REALLY is

[dustwun]

People seem to be overlooking who the customer REALLY is here. The bottom line lies in corporate back scratching for multi-$$$$ contracts and agreements

One business contract with a large label, Dell, or Sony is worth more than the mutterings and begrudging updates from Windows consumers. Most of us are not the customers, we're the consumers. Most people don't buy windows from microsoft, they buy it from Dell, or Gateway, or whoever else sold them their computer. The Dells, Gateways, etc are the customers. The game companies writing for xbox 360s, the phone vendors embedding wince, they're the customers.

Bottom line, If you're bitching about this update, you're a consumer. If you think it's a good thing, then you're the customer.

Not quite accurate

[neokushan]

That article is completely misleading. This "Vulnerability" has been known about since January 2005, the tools to bypass it were available since then, they just didn't have a fancy GUI to make it easier. This is actually one of the LONGEST periods Microsoft took to patch something.

They'll sneak it in like a U.S. Congressman

[rubberbando]

Just like the bozos in congress that attach totally unrelated garbage to a bill trying to get passed, Microsoft will probably just attach it to another update that people will actually install...

You're not a shareholder

[slowbad]

Unless you're regularly buying 10,000 shares of Microsoft stock or 1,000 copies of Vista, you don't matter much. That quarter million dollars, either way, is the cost-of-entry for your opinions to possibly matter in Redmond.

Microsoft's level of quality in the Windows software offerings is similar to GM's level of quality in their car offerings -- good enough for most. Then they both put further efforts toward matching the competition's features and product line.

Finally, just talk a good game about quality to your sales people and the general public. New car buyers don't follow advice from professional drivers or mechanics, any more than consumers listen to IT pros or technicians about what OS to install.

Like WGA

[doodlebumm]

I can just see it now -

In order to serve you better, updates to your Windows OS require that you have this DRM patch installed on your system. In fact we're going to turn off your system soon if you don't update it with this patch. And if you find a way around this patch, we'll come back and serve you with a law suit, courtesy of the RIAA.

Moreover...

[mce]

The amount of testing needed for any patch, as variable or fixed as it may be, does not in itself justify the "second Tuesday of the month" approach.

I fully understand that there may be very critical patches that may take a few weeks to develop and test properly. I also fully agree that MicroSoft should not release those prematurely. However, it is not because one critical patch isn't ready that others that are ready must be queued up for up to a month. After all, if said critical one doesn't make the deadline, do they then also postpone publishing the others for an extra month? No. So why postpone at all the first time round? MicroSoft should just release each patch when it is ready, testing included. Not sooner, but also not later.

Re:I'll play devil's advocate too

[brianosaurus]

Its all about money. The DRM is key to their relationship with media partners. If DRM is broken then all Windows users will suddenly, uncontrollably start pirating their media; we can't help it, apparently, and without the DRM firmly in place, we mind end up like Sweden.

I'm sure they're more "worried" about DRM breaking than the everyday security holes that merely allow someone to glom your computer onto their botnet, since there's money and contracts that depend on the DRM. The EULA is probably the only agreement that might be impacted by a security flaw, but we all know those are meaningless.

Hotfix or patch, but not a security patch

[penperson]

We tend to think of all patches as security patches, but that isn't the case. A change to DRM should not, on the face of it, appear among the security updates seen on Tuesdays.

Second the VM thing.

[Kadin2048]

I was going to suggest this. When I really need to run something that's Windows-only, I run it in a WinXP virtual machine on my Linux box.

I was actually surprised at how spry Windows feels, when it's not bogged down by a lot of anti-virus/spyware/adware, automated backup programs, and the like. Of course, without those things it's not a terribly useful host OS, because it gets owned so easily (click on wrong link in Internet Explorer -> ActiveX control -> rootkit), but as a guest OS, I just disable all patching and auto-updates.

When I'm done with whatever I'm doing with it, I just roll the image back to its saved state and shut it down. Basically I can abuse the living shit out of it, and then just kiss it goodbye the second it starts acting up.

Obviously you need to take steps to make sure that you save your work somewhere not on the VM's drive (duh...), but I could definitely see the possibility for working like this. I still hate working in Windows, but Windows as a VM is orders of magnitude nicer than Windows running on the actual metal.

References for Treason and Perjury.

[twitter]

One of the many M$ troll accounts that cloud around here challenged me to produce references to M$'s infamous Windoze source code national security claim swiftly followed by sale of said code to China and Russia. Of course, I'd love to trot that whole mess out again. Non free software exists on trust alone and M$'s performance there really shows what contempt they have for the US Government and their customers.The memory hole has not yet extinguished the information presented by eweek and Microsoft themselves. You can read it all yourself.

From eWeek, 2002:

"A senior Microsoft Corp. [Jim Allchin's] executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed."

If you need to, you can always reference the anti-trust evidence, which is still published and available. The quotes in the article are more than enough for me.

A quick Google Search digs up all the articles here and a parade of Wintel rags falling over themselves to toe the party line. ZDNet echos Alchin again in 2004, a year after they had already sold out! Something called Neowin joins the chorus of woe that someone might look at the source code to W2k or NT4 and see how crappy it is. All as if any real hacker needed it.

The very next year, 2003, M$ announced sale to the highest bidding governments as noted above. Included was China and other friendly countries. But you know, Bill Gates it's just business buddies being chummy. Microsoft would never place the interests of Communist dictators over the rights and well being of their fellow citizens, would they?

The double talk going on at M$ was glaring and all of was bullshit. Access to the OpenBSD source code has not made OpenBSD less secure, it's made it better. The whole episode represented more perjury and a three year FUD attack on free software than it did treason, but you have to wonder what they really believe. Looking back, it's a low point in US corporate history that will only be made worse when they unravel like Enron did. The biggest lie of all is that the Microsoft Monopoly is based on anything more than mass delusion.

I ask you once again, do you trust Microsoft to do as they say? With your business? Code so crappy, it can't be shared but is shared with your worst enemies. If you do, you probably will tell me that Windows XP is easy to install, has good uptimes and other nonsense like that. I'm not sure anyone really believes anything other than Windoze is "good enough because I'm using it for one or two specific tasks." No, that's not good enough and Vista's imminent flop is a good chance to move on to something better. The market is filled with better contenders and M$ will not be missed.

Version can be changed on old file?

[addie+macgruer]

Anyone know how the GetFileVersionInfo() call works? Does it just read the IBX file version as a sequence of unencryted bits from the .key file? If so, why not just take a hex editor to it and 'update' your old version to one which fill pass the DRM checks?