Slashdot Mirror


DRM Hole Sets Patch Speed Record For Microsoft

puppetman writes "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)." From the article: "Now, this isn't a 'vulnerability' in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: 'Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore.' But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this 'vulnerability' is in the company's best interest; never mind the customer."

18 of 397 comments

  1. Kinda blows their excuse by Eldred · · Score: 5, Insightful

    What's their excuse going to be the next time a user vulnerability that has exploits in the wild has to wait for the next release cycle?

    1. Re:Kinda blows their excuse by skaap · · Score: 5, Funny

      I wonder if they'll introduce Clippy to this:

      Clippy: It looks like you're trying to pirate some music, do you want me to:

      1. Send your details to the RIAA
      2. Delete your files
      3. Ruin the files by overlaying Cliff Richard music into it?

      --
      -Rob
    2. Re:Kinda blows their excuse by HermMunster · · Score: 5, Interesting

      In WA state the programmer is a slave to overtime. WA state law allows businesses to require overtime without having to pay for it on any salaried worker. This is a device of Microsoft. Microsoft lobbied to get the laws changed so that the programmer positions changed.

      A programmer is the person who actually, through their very creativity and knowledge, makes the product come into being. This is far different than someone that works as an assembly line worker who just does their small part. Programmers are the reason the products exist. For me, that's the reason I don't work as a programmer. I don't want my blood, sweat, and creativity exploited by companies such as Microsoft that make billions of dollars a quarter on my work.

      WA needs to revert back to the laws that allow these programmers to get paid overtime. It is only fair. This isn't a management position and thus should never have been changed. It only happened because Microsoft lobbied to make it happen.

      --
      You can lead a man with reason but you can't make him think.
  3. Re:Kinda blows their excuse by marcello_dl · · Score: 5, Funny

      What's their excuse going to be the next time a user vulnerability...

      Windows has no users. It has hostages.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  2. Futile request to any /. reading MS employee by MightyYar · · Score: 5, Interesting

    No matter what anyone in your company tries to tell you, this kind of rapid response is EXACTLY what we are clamoring for when we ask that you take security seriously. Please tell your bosses. Thanks...

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. What day is it? by hansamurai · · Score: 5, Funny

    For a second there, I thought it was Tuesday.

  4. Priorities by wardk · · Score: 5, Insightful

    fatal holes in the browser? whatever

    allowing spyware to take over? who cares

    DRM? we're on it!

    1. Re:Priorities by PriceIke · · Score: 5, Interesting

      This is not a patch. A patch fixes a problem and makes software usable again.

      This takes usable, functioning software (FairUse4WM) and breaks it.

      "Patch" my ass, this is a bug, which users are expected to install themselves.

      --
      It's not a lie. It's the truth with lossy compression.
  5. Plain and simple by Anonymous Coward · · Score: 5, Insightful

    this kind of rapid response is EXACTLY what we are clamoring for when we ask that you take security seriously

    The fast fix suggests that rapidness of response might be a function of "whose ox is being gored".
    1. Re:Plain and simple by MightyYar · · Score: 5, Insightful

      Exactly! The cat's out of the bag... we know that they are CAPABLE of a 3-day turnaround. That line about having to wait for testing and blah, blah, blah was totally bogus, apparently.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  6. Re:can someone explain ths by hublan · · Score: 5, Informative

    what relationship? why is it important?

    It's called Zune and MSN Music. If the labels don't think that Microsoft can bolt down the music they "sell" to people then the labels don't want Microsoft to be selling their music. Microsoft wants to own this market segment because Apple does, since it forms a part of their new "MS is your everything" strategy.

    Plus it might also make the labels pull the plug from other on-line music stores that use Microsoft's DRM technology, opening themselves up to another volley of lawsuits.

    --
    My spoon is too big.
  7. Critical, or not? by kripkenstein · · Score: 5, Insightful

    So this is going to be the least installed patch for Windows ever. Until they make it mandatory.

    Actually, this is a very serious question: is the patch marked critical, or not? This is important, because:

    1. If the patch is critical, it will get criticized for being, in effect, mandatory degradation of capability (by the tech-savvy). Also, this will make light of Microsoft's security policy, to call this sort of patch 'critical'.
    2. If the patch is not critical, then - oh, the irony - by default, it will not be installable on computers failing WGA. Perhaps Microsoft will get around this. But, as WGA currently works, only critical patches are allowed to systems marked as 'non-genuine'. This would be amusing - pirated copies of Windows would not receive this unwanted patch, but paid-for copies would.

    I can't find, in TFA or the sources it cites, any mention of the severity of the patch. Anyone know the answer to this?

    1. Re:Critical, or not? by guruevi · · Score: 5, Informative

      Dear Windows Media Licensee,

      On August 25th, 2006, Engadget.com reported on a software tool that would allow consumers to decrypt WMDRM protected content. In response, on August 28, 2006, Microsoft released an update to the individualized blackbox component (IBX) designed to ensure that client applications using the Windows Media Format SDK version 9.5 who individualize to this latest version are robust against a new circumvention tool.

      This update is not yet available for the Windows Media Format 9 Series FSDK or for users of Windows XP Media Center Edition 2005 Update Rollup 2.

      Consumers are not at risk in any way. Content services can require that the updates be present in order to issue licenses by following the instructions below. Please note that the version number of IBX was not incremented as part of these updates to avoid delaying the release of these critical breach mitigations. Consequently, the only way to determine if the update is installed is to query the build number of the IBX. This requires code executing on the client.

      To determine the build number of the IBX:

      1. Ensure the PC is running the August 2005 update to Windows Media DRM. See the attached white paper for details.
      2. Determine the path of the WMDRM folder. The path is stored in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\DataPath
      3. Identify the file name of the latest IBX. If the machine has been individualized only once, the IBX file name will be indivbox.key. Otherwise, the IBX file name is in the form indivbox_xxx.key, where xxx are digits 0-9. The file name with the greatest value of xxx will be the latest IBX.
      4. Call GetFileVersionInfo() to retrieve the build version of the file identified in step 3. See [link].
      5. If the IBX file version is 11.0.5497.6285 or greater, then the updated IBX is installed.

      Please submit questions to [email removed]

      Best regards,

      Windows Media Licensing Department
      Microsoft Windows Digital Media Division

      Basically -> the content provider CAN require that patch to be there. I don't know whether it's a separate patch through WMP or through MSUpdate but since I don't use Windows/Microsoft I can't speak for them.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
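The five-step check in the licensing letter quoted above (read the WMDRM folder from the registry, pick the newest indivbox*.key, read its file version, compare against 11.0.5497.6285) is the kind of thing a content service would have to script on the client. The following is an added example, not code from Microsoft or from the letter: the selection and version-comparison logic is pure Python and runs anywhere on a constructed directory listing, while the registry read and the GetFileVersionInfo() call are Windows-only. It assumes the DataPath value is stored as a string (a bytes value is treated as UTF-16-LE), skips the letter's step 1 (the August 2005 DRM update), and all function names are my own.

```python
import os
import re
import sys

# Threshold quoted in the letter: IBX file version 11.0.5497.6285 or greater.
REQUIRED_IBX_VERSION = (11, 0, 5497, 6285)
# Registry location quoted in the letter, under HKEY_LOCAL_MACHINE.
DRM_KEY = r"Software\Microsoft\DRM"
DRM_VALUE = "DataPath"

# indivbox.key (individualized once) or indivbox_xxx.key (later individualizations).
_IBX_NAME = re.compile(r"^indivbox(?:_(\d+))?\.key$", re.IGNORECASE)


def pick_latest_ibx(names):
    """Newest IBX file name from a directory listing, or None if there is none.

    Letter's rule (step 3): plain indivbox.key is the oldest; among
    indivbox_xxx.key files the greatest numeric xxx is the latest.
    """
    best_name, best_rank = None, None
    for name in names:
        m = _IBX_NAME.match(name)
        if not m:
            continue
        rank = int(m.group(1)) if m.group(1) is not None else -1
        if best_rank is None or rank > best_rank:
            best_name, best_rank = name, rank
    return best_name


def parse_version(text):
    """'11.0.5497.6285' -> (11, 0, 5497, 6285); missing trailing fields count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"not a dotted file version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def ibx_is_updated(version):
    """Step 5: True when the 4-tuple file version meets the letter's threshold."""
    return tuple(version) >= REQUIRED_IBX_VERSION


def drm_data_path():
    """Step 2: read the WMDRM folder from the registry (Windows only)."""
    import winreg  # standard library, available only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRM_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, DRM_VALUE)
    # Assumption: a string value; if stored as raw bytes, decode as UTF-16-LE.
    if isinstance(value, bytes):
        value = value.decode("utf-16-le").rstrip("\x00")
    return value


def file_version(path):
    """Step 4: fixed file version of a PE file via version.dll (Windows only)."""
    import ctypes
    from ctypes import wintypes

    ver = ctypes.WinDLL("version")
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise OSError(f"no version resource in {path}")
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        raise ctypes.WinError()
    info, length = ctypes.c_void_p(), wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(info), ctypes.byref(length)):
        raise ctypes.WinError()
    # VS_FIXEDFILEINFO starts: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    fixed = ctypes.cast(info, ctypes.POINTER(wintypes.DWORD * 4)).contents
    ms, ls = fixed[2], fixed[3]
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def check_local_ibx():
    """Steps 2-5 on the local machine; returns (path, version, updated)."""
    folder = drm_data_path()
    name = pick_latest_ibx(os.listdir(folder))
    if name is None:
        raise FileNotFoundError(f"no indivbox*.key in {folder}")
    path = os.path.join(folder, name)
    version = file_version(path)
    return path, version, ibx_is_updated(version)


if __name__ == "__main__":
    if sys.platform == "win32":
        print(check_local_ibx())
    else:
        # Constructed listing so the selection logic can be exercised off Windows.
        sample = ["indivbox.key", "indivbox_003.key", "indivbox_012.key", "readme.txt"]
        print(pick_latest_ibx(sample), ibx_is_updated(parse_version("11.0.5497.6285")))
```

The numeric rather than lexical ranking in `pick_latest_ibx` matters: a lexical sort would place `indivbox_9.key` after `indivbox_10.key`, and the letter's "greatest value of xxx" is a number, not a string.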
  8. A Correction by in2mind · · Score: 5, Informative

    "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)."

    When the summary says "within three days" they mean "three days after it was reported in Engadget".

    Coz, FairUse4WM was released on August 19th in the forum. Microsoft patched it on August 28th. So 9 days.

  9. Not Accurate by ThinkFr33ly · · Score: 5, Informative

    Microsoft did not really "patch" their DRM. This wasn't a code change. Their DRM was designed to be updateable in the event that it was compromised.

    There is a big difference in how fast you can roll out what amounts to a configuration change and how fast you can roll out a code change.

    That said, it didn't seem to do much good given that it was cracked again in a matter of days.

  10. Re:Regulation? by RocketScientist · · Score: 5, Insightful

    The free market is EXACTLY how this should be fixed.

    It's currently regulated so that the free market has NOTHING TO DO WITH THE PROBLEM.

    The primary issue, and this is exactly out of Mr Schneier's playbook, is that Microsoft has no direct civil liability for their defects. It's exactly as if you couldn't sue Ford because your Pinto's gas tank exploded. Ford would have no reason to fix the defect. Well, the same problem here: if you buy defective software, you have no recourse to sue the manufacturer of the product. Remove that lack of liability and you'll start to see problems get fixed very very quickly.

    If Microsoft was civilly liable for every piece of spam that was sent by a Windows zombie PC, there would very quickly be patches.

    Less protection of corporations, and more market forces, would fix this problem. This is EXACTLY the kind of problem markets are very good at fixing. The problem is that the current regulation circumvents the market.

  11. Re:Regulation? by spun · · Score: 5, Insightful

    Unfortunately, free markets lead to concentration of wealth. Concentration of wealth leads to concentration of power, which leads to control of the regulatory process. Free markets invariably become unfree because of a runaway feedback loop. At least in democracy we have checks and balances. Where are the checks and balances within a free market that will work to keep it free? There are none.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  12. Re:Regulation? by ChronosWS · · Score: 5, Insightful

    And there's no concentration of wealth and power now, in our democracy? Maybe you've missed the consistent erosion of our rights lately, and fail to realize that the people eroding those rights also have the power to use force (as in they can lock you up and/or kill you) to further their ends AND it's perfectly legal so long as the right people are paid off (or themselves coerced.)