AntiPiracy Macrovision Bug is Actually Six Years Old
twitter writes "A recently reported Macrovision bug has actually been around for six years, according to Computerworld. 'Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today. The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista ... users do not have to play a SafeDisc-protected game to be vulnerable.' The article goes on to play down the danger and claim that Vista is safe, but ZDNet notes: 'Malware authors are actively exploiting a zero-day privilege escalation vulnerability ... [which] can be exploited [to] overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges. This facilitates the complete compromise of affected computers.'"
Can Macrovision be held liable for losses?
So, wouldn't this be a -2190 day vulnerability?
That's not *terrible* by MS or Oracle standards...
It's not a bug, it's a feature.
0 days is the length of time Windows goes without a critical vulnerability.
Another glowing testimony for the greatness that is DRM.
...And that feature is: to bug your machine.
Hey, look! It's Bono's brother.
Sigh, call me when WINE catches up with this feature.
Upgrade your driver here: http://www.macrovision.com/promolanding/7352.htm
Microsoft Security Advisory(944653)http://www.microsoft.com/technet/security/advisory/944653.mspx
Why was it not disclosed to the corporate customers that a DLL or a .sys file, which is exclusively used to play games published by a particular vendor, is bundled and installed on ALL their computers? What are the priorities here? We have been pained enough by MS-Office suddenly demanding that you pop in the original CD/DVD-ROM to get a particular module. But they don't want their users to be hassled to fetch the original disc to get a driver used only by a subset of users. How screwed up can this setup be? Why are the corporate customers not demanding a full disclosure of what is being bundled, and why, and what can be safely removed from their computers?
Do the total cost of ownership studies include the cost of keeping up with these security disclosures and applying patches to the holes?
It's wrong in so many ways.
I'm not a big fan of the "oh noes! DRM is the suxors!" crowd, because I'm rational enough to see both sides of the DRM issue: producers want to get paid, consumers want full control over what they've bought. But there are a lot of reasons DRM sucks, besides the wild conspiracy theories and the "porn just wants to be free" arguments that you regularly see on /. This article is an example.
Letting some (lame) third-party, like Macrovision, put hooks into the OS, and then have no clear or timely answer on how this is going to get fixed is a perfect example of why I'm opposed to this type of restriction. On top of that, every expensive new DRM trick that gets tried is broken almost immediately by hackers and companies that see profit in selling the work-arounds. So what's the point?
I think Apple's solution with iTunes was a reasonable compromise (though I know not everyone agrees). You prevent casual copying to reassure the artists/labels, but let users access the music on a large number of computers/devices and close your eyes to the loopholes that essentially allow unlimited copying into other formats. I never found Apple's DRM onerous, obtrusive, or objectionable (nice alliteration, eh?)
In any event, I think that it's likely that this argument (for music) is likely to be mooted in the next year or two as the industry embraces the MP3 format. Whether the movie industry sees the light and follows their lead is another question.
If you've read up on some of the abusive tricks these copy protection schemes pull (corrupt registry entries etc.) I really wouldn't be surprised if it WAS a feature that something relies on.
Don't worry, windowers! All these problems will lose any meaning with ... Windows 7
How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure? Why does Vista allow Macrovision's component to do whatever it likes?
Is this a case where Microsoft allowed "signing" to be a substitute for good engineering?
Even if the act of buying Windows implies that I trust Microsoft, does the act of buying Windows imply that I trust Macrovision?
When I buy a home computer with Windows on it, do I even know all of the companies that have contributed content that is included on the hard drive at the time of purchase? Do I have a list? Have I agreed to trust them all? Does Vista trust all of them? Could all of them punch holes in Vista's security if the vendors that supplied them don't have engineers as competent as Microsoft's?
... XP has been around for 6 years? And Dell is still offering it?
realkiwi
FTFA, the bug was fixed in Vista, because "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver."
Hackers only started exploiting this 3 weeks ago, but MS must have known about this for 6 months at least. Macrovision even offers an update for WinXP on their web site based on the same fix, but MS never pushed the update through their security update mechanism, and even now, isn't committing to it.
So, to recap for those keeping score at home, you now have to download patches for Windows system files from Macrovision's website! MS bashers have a goldmine to work from here.
How are they shipping this on computers anyway? Isn't Macrovision that crap that makes it impossible to dub VHS tapes without the gain going crazy and looking awful?
Safedisc is crap anyway. At least up to v2.x it can easily be defeated by a generic unpacker, and all versions are vulnerable to loopback mounting, e.g. with Daemon Tools + CureRom.
More to the point, why in the world would this file even be included on Windows Server 2003?
Not all business prohibit games, but I doubt there are any sysadmins playing games on their server machines.
That is Macrovision's most famous defective restricted media system (mainly because it was one of the first defective restricted media systems created) but it is far from their only one.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
can you lose control of your computer with that tool tip display bug? i don't think so
I didn't realize this .sys file was included w/ Windows.... I had always assumed it was put onto my system by a game I installed.
Either way I used SysInternals' (Now owned by Microsoft) AutoRuns to disable it (along with WGA and a few other things).
You'd think by now people would have begun to move over to something non-Microsoft, but this too shall not be true. Too many sheep in the fields, and Mr. Ballmer seems to be herding his sheep rather well.
You obviously ain't a sysadmin.
Not all business prohibit games, but I doubt there are any sysadmins playing games on their server machines.
You severely overestimate the brainpower of a Windows sysadmin.
It should be required that any story about a security hole indicate whether user interaction is required for the system to be compromised... If I have to download/run something then I could care less... only if the vulnerability can be exploited remotely with NO interaction on my part do I care... There are many stories that hype threats where it all boils down to the user running something they shouldn't have.
How is this vulnerability exploited?
Makes me doubly glad I've stuck with Windows 2000 all these years.
Here's what you're missing: DRM hurts precisely those people who actually do pay the producers.
If I buy a DVD in a store, I get the hassle of DRM, and putting it on my iPhone is going to be complicated. If I just download the movie from the Internet, I just open it in QuickTime and export to iPhone. If I buy music in the iTunes Music Store, I can't easily use it on my PC at work, unless I authorize it with my iTunes login, only to forget to de-authorize it if I get a new computer or reinstall the OS. If I just download music, I have none of these issues.
Now, I do buy DVDs, and I do buy music from the iTunes store, and I do buy a lot of stuff with DRM. But I do not buy these things because they have DRM, but despite of it. DRM is actually an incentive to not give the producers money; without DRM, they'd see a lot more money from me.
Wow... It's 2007 and some people still don't get it.
Many people (myself included) would love nothing more than to move away from M$ products but, sadly, are trapped in them because of the applications we use. I can't use Linux for music production and the particular apps I use don't exist under MacOS (Sonar 6 and FL Studio). While I can certainly do Flash authoring under OSX, I can't under Linux. One of my PCs has an old Matrox Mystique220 with Rainbow Runner Studio in it. There are no Linux drivers for it. That PC runs Win98SE and serves as my video editing box (TBird 1.3GHz/512MB RAM). The RR Studio has a feature that makes it quite unique; it ignores Macrovision encoding on VHS. Because of this, I have a nice little niche business of transferring old VHS tapes to DVD or VCD. Won't work anywhere else but Win98SE, so I stick with it.
My programming/scripting machine runs Linux (Mandriva 2007 Spring) and my tinkering machine runs FreeBSD 6.0, so I'm partially M$ free.
This has to do with the software being proprietary, not coming from a third party.
How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure. Apparently bugs will go unfixed for years because only the proprietor is allowed to fix the bugs. However, the proprietor is unmotivated to fix bugs until the proprietor is pushed (through publicly announced exploits, better competition, and so on). All the while you, the user, are denied complete control over your computer.
The cure is simple: install nothing but free software on your computer. Give yourself the freedom to inspect, change, and share the software, hire someone else to do it for you, or leverage the talent of a community of hackers improving free software all the time. This is not about making everyone a programmer, it's about giving people the freedom to control their computers while building a society of cooperation and social solidarity. Proprietary software denies you your software freedom, so deny proprietary software a place on your computer.
The only purpose of secdrv.sys is to run games that depend on "SafeDisc" copy protection. If you don't play games on your computer (or you shouldn't... corporate users take note) you don't need it, and if you do you only need it to play games using this particular scheme.
This is a local privilege escalation exploit. An attacker will have to use some other exploit to get onto your computer before using this one to get system privileges. This is another reason for corporate administrators to eliminate the driver, since it can be used by employees to bypass local policies.
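The "eliminate the driver" advice above is the workaround Microsoft Security Advisory 944653 gives for XP and Server 2003 (stop the secdrv service and set its start type to disabled). The following is an added example, not code from the thread or from Microsoft or Macrovision, that applies that workaround and checks the result. It assumes an elevated PowerShell 2.0 or later session with sc.exe available, and that the driver's service name is secdrv, as the advisory uses it.

```powershell
# Added example: apply and verify the "disable secdrv" workaround from
# Microsoft Security Advisory 944653 on Windows XP / Server 2003.
# Assumes: run as administrator, PowerShell 2.0+, sc.exe on the PATH,
# service name "secdrv" (the name the advisory uses).

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\secdrv'
$driver = Join-Path $env:windir 'system32\drivers\secdrv.sys'

function Get-SecdrvState {
    # Start value semantics in the Services key: 0 boot, 1 system,
    # 2 auto, 3 demand (SafeDisc's default), 4 disabled.
    $present = Test-Path $driver
    $start   = $null
    if (Test-Path $svcKey) { $start = (Get-ItemProperty $svcKey).Start }
    New-Object PSObject -Property @{
        DriverPresent = $present
        StartType     = $start
        Disabled      = ($start -eq 4)
    }
}

function Disable-Secdrv {
    # Unload the running instance first, then keep it from loading again.
    # "stop" fails harmlessly if the driver is not loaded, so its exit code
    # is ignored; the "config" call must succeed. The space after "start="
    # is required by sc.exe's argument syntax.
    & sc.exe stop secdrv | Out-Null
    & sc.exe config secdrv start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE"
    }
}

$before = Get-SecdrvState
if (-not $before.DriverPresent) {
    Write-Host 'secdrv.sys not present; nothing to disable.'
    return
}
Write-Host ("Before: Start={0}" -f $before.StartType)

if (-not $before.Disabled) { Disable-Secdrv }

# Re-read the registry rather than trusting sc.exe's output.
$after = Get-SecdrvState
if (-not $after.Disabled) { throw 'secdrv is still enabled after workaround' }
Write-Host ("After:  Start={0} (disabled)" -f $after.StartType)
```

Disabling the service only stops the driver from loading; the vulnerable secdrv.sys stays on disk, so a later game installer or an attacker with administrative rights can re-enable it. Run the check part of the script again after applying a vendor or Microsoft update to confirm nothing turned it back on.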
...and more of my discretionary income goes towards games than anything else. There was an article here this week (http://yro.slashdot.org/article.pl?sid=07/11/03/048256) about the most profligate music pirates being the biggest music *buyers* as well- same principle.
However...the industry, especially PC gaming, has lost quite a few purchases from me because of copy protection. Just a few examples:
I loved Neverwinter Nights. Would have bought the Infinite Dungeons mod, but it requires an always-on net connection while you play to verify you're not a pirate. Screw that.
Starforce? Any Starforce'd game is automatically disqualified from my consideration.
I don't buy games that use Securom or Safedisc anymore, either. As a pirate, I find it inconvenient to have to download bypasses so I can run stuff on my Daemon Tools-happy gaming box. I almost bought Civ 4 and its expansions recently, but the DRM dissuaded me- though it won't stop those who torrented it from downloading a workaround.
I import games. Over the past year or two I've imported multiple games that would never have been released in the U.S.- the Touhou series, both Ouendans... but I won't do so for any console that has to be modded, because it's too much of a pain. If it weren't for that, I would have bought SO much crap for my PS2- guess I'll never buy any of those Cave shooters.
I'm a huge Megaten fan and will gladly buy FES the day it hits stores, assuming it's released stateside, even though FES is generally considered mediocre. If it weren't for emulation, I might not even be a fan of the series. Atlus acquitted itself pretty poorly with its release of the first two Persona games in the U.S.; it was actually the fanslation/romhacking scene's English patches for SMT1 and 2 that got me into the series. (I remember a comment from another Slashdotter who wrote the same thing in another copy-protection thread, too.)
The funny thing is, if I wanted to bypass any of this copy protection, I easily could. Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle. Me, I prefer to wean myself off the companies who resort to copy protection. There are plenty of other games out there which are just as good and don't involve all the bullshit- more than I have the free time to play, in fact. I'll just buy some of those instead.
And the games that I DO pirate? Those are the ones I wouldn't have bought anyway- though you only have my word on that. Ever spend time on a forum for an Atlus game? Atlus fans know damn well that they're not dealing with automatic-trillion-sellers like Madden 200X: Same Shit, New Roster or World War 2 Shooter: The Shootening. They (we) will tell other fans to buy, and buy a *new* copy, *before* price drops, *because we want Atlus to release more games we like*.
So: can somebody explain to me why all this antipiracy stuff is necessary? Or even prove to me that it isn't outright counterproductive? Last I heard, Galciv and Stardock were doing just fine.
There's just not much positive spin Microsoft marketing can put on this, that's why a dumb dig at a FOSS project gets modded up.
Copy protection != games. Business related software can certainly be protected (cf. Quickbooks)
Non Game apps some times use the same copy protection that games use and some M$ apps do use copy protection as well.
There are many files included with Windows that corporate desktops don't require. One of my past employers chose to remove any unnecessary files. Even with a large Microsoft contract, Microsoft refused to disclose the details of every bundled DLL and EXE. So a small team of people deleted each file, one by one, and tested every desktop app in use in the company, until they determined the set of files they didn't need. It's almost silly, but if you're determined Microsoft leaves little choice. (I would have used one of those apps that shows every DLL in memory, but the idea is the same.)
This of course causes problems later, like when a patch or service pack requires a DLL that it never needed before. Or one of the custom apps adds a new feature and needs an OS file that's not part of any standard desktop in the company.
Microsoft isn't interested in giving customers exactly what they need. They prefer to generalize the OS to maximize revenue. These are just some of the negative consequences.
Don't you just love how Microsoft is in bed with DRM, and in the end it always comes back to bite!
don't assume everyone is an unemployed cellar-masturbator. the only answer is mac OSX.
Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle.
I did that around 1981 when I went to the local "unlicensed software distributors" at the University to get a cracked copy of Wizardry written out on top of my gold-labeled store-bought floppy because the copy protection had made the original unplayable... which meant I may have had the only "legal" cracked copy in existence. I ran into the author of the game online many years later, and he thought that was pretty amusing.
Several years later a friend and I released a game for the Amiga and since the publisher required copy protection we came up with a copy protection scheme for it that didn't require modifying the OS or bypassing the driver, and allowed the protected disks to be created using a regular script. Since we knew that copy protection was a speedbump, we came up with some speedbump-quality protection that would still do a better job at blocking the most common cracking tools than the "professional" and more intrusive protection schemes.
What we did was take advantage of the way the Amiga identified disks by using a unique ID in the disk header. All copy protection cracking tools we knew of generated a new ID by default, so that the user wouldn't get an error from the OS if they left the original and the copy both in the drives after they exited the program. We stored an obfuscated copy of the ID in file comments, and ran in "demo mode" if they didn't match. It didn't pop up any warning screens, it just wouldn't let you get past the 'attract mode' display. This meant that most people just using a "raw" copier would get an apparently "damaged" copy that still kind of worked... we figured this was unintrusive and at least as good a speedbump as you got from a scheme that had defeat code preprogrammed into the copying tools, for the week or so before it got figured out and our scheme got added to the rest.
We provided our publisher with detailed instructions, explanations, and a set of disks to use to create the copies if they didn't use an image duplicator. They fobbed production off on another company who blithely used one of the cracking tools we were targeting to do the production run. If they'd used a normal image duplicator or our scripts everything would have been fine, but instead all the shipped copies came up in demo mode. Of course the game had to be recalled, and we missed the Christmas launch.
Copy protection (whether you call it copy protection or DRM) increases the costs and risks of production and just plain doesn't do anything more than flashing a "don't pirate this game" splash screen would.
Per my subject line above: It appears to work properly so far but "don't quote me on that", as far as 100% of everything working, software-wise, thus far ON BOTH MACHINES I HAVE IT ON.
E.G. -> I have had my XP SP2 @ work & Server 2003 SP2 doing this (patch in place from MacroVision) & so far, all appears to be fine!
(I say, for the MOST part, because unfortunately, I did have an "external USB 2.0 drive enclosure" with a WD 74gb 10k rpm disk stop working @ home on my Win2k3SP2 rig though, but I don't think it is related to THIS driver (or, @ least I do not think so)).
This issue is most likely related to the way they secure their code by assembling and creating run time executable code and then injecting it into a random portion of its own allocated kernel memory to further avoid debugging. I have seen these games fail because of this with the memory protection bit turned on. I suspect their own use of randomness and polymorphic code opens the driver to malicious use and makes it harder to distinguish between intended and malicious intent. I am curious if they can fix this without removing some of their own security.
What I have always found interesting is that it does not fail with software executable protection turned on but does with hardware. This implies Windows understands how this driver functions and allows it. The issue may be worse than one thinks. Thanks again DRM.
This can only be exploited locally, so the chances it will affect any significant number of people are very small.
Since virtually everybody who uses Windows XP runs as admin, there would be no reason to use this exploit, since if you get code to run on the target machine, it's already running as admin.
For Windows Server, a bad guy with local access is going to be rare, and most admins don't usually download and run random code on their servers. The one exception might be a server used as a terminal services provider, but I can't imagine that's particularly common. Plus, standard domain policy best practices would prevent unsigned/unapproved code from being run by any non-admin anyway, so it's really not an issue.
Lastly, Vista isn't affected, both because it includes the newer version of the DLL, and because the privilege elevation itself would not be possible thanks to some new security measures in Vista's kernel.
So while it makes a great "DRM Sucks!" story, the security ramifications of this bug are essentially zero.
But they don't use macrovision. I don't know a single pro app that require you to insert the software CD each time you launch it, like games do.
I work in the audio industry and all the protections I can recall are dongles (USB dongles nowadays) and online/phone activation. Pro apps using dongle will install their OWN driver, it's not bundled with Winblows.
Many people (myself included) would love nothing more than to move away from M$ products but, sadly, are trapped in them because of the applications we use.
There is a solution. Linux + (Windows inside VirtualBox).
Haven't tested it yet because I've come to hate windows so much that I don't want ANY of it installed in my system. But I've read a couple of VirtualBox reviews, and they're all positive.
Drivers can still be installed for that software.
Quickbooks is the non-game copy protected software I was thinking of as my example.
If anyone incurs costs as a result of this, they can sue Macrovision. Macrovision isn't protected by Microsoft's EULA. (Nor can it be; there's a legal concept called "privity" that applies to third party issues like this.) The end user has no contractual relationship with Macrovision. So there's nothing protecting them from a negligence lawsuit.
Macrovision is as vulnerable as Sony was.
Why on earth is this bundled with a Server OS?
This is the kind of patently stupid thing that really ought to result in damages being awarded...
Seriously, the entire corporate world has been vulnerable for the LAST SIX YEARS because they wanted to make it minutely harder to pirate a video game?
Could not the Macrovision games simply have been coded to add this cruft to a server upon inserting the game CD? s/Could/Should/g
There absolutely HAS TO BE a violation of duty here.
Why is this a driver? From what I gather all it does is read some data from a disk and use it to decide if some software can run or not. This looks like something that could easily be done in user space. Maybe I've missed some fundamental aspect of its workings though.
I just added a bit of code to my company's Windows domain login scripts to roll out the fix.
You'll need to download Macrovision's fix from their site here:
http://www.macrovision.com/promolanding/7352.htm
Then extract the ZIP and put it somewhere on a network server where it's publicly accessible.
You could then do the update via login script or GPO or whatever suits your fancy. Probably need admin privs to do this.
You probably also want some code to determine if the system is XP or Server 2003. If it's not, you don't need the update. I use the OS detection routines from here:
http://www.amset.info/loginscripts/os-id.asp
Enough setup, here's my quick and dirty code:
rem
rem Update stupid Macrovision SecureDisc driver, if needed
rem
if exist "%windir%\system32\drivers\safedisc-fix-11-09-07.txt" goto safedisc_driver_updated
echo.
echo Fixing Macrovision SecureDisc vulnerability...
echo.
rem
rem replace location here with the proper location for your Macrovision update files
rem
pushd "\\someserver\someshare\macrovision-secdrv-update\"
rem 128 = take the source path from the INF's own directory
rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 .\SecDrv.inf
echo Macrovision safedisc driver updated on %date% > "%windir%\system32\drivers\safedisc-fix-11-09-07.txt"
popd
:safedisc_driver_updated
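The marker-file approach in the login script above has one gap: the text file says the update ran, not that the driver on disk is actually the fixed one (a reimage, a game installer or a deferred in-use copy can leave the old secdrv.sys behind with the marker still present). The following is an added PowerShell equivalent, not the poster's code and not from Macrovision, that decides by comparing the installed driver's file version with the one in the update package and verifies the result after the install. Assumptions not taken from the page: the extracted update on the share contains secdrv.sys next to SecDrv.inf; the share path and the InstallHinfSection call are the ones the post uses; the script runs with administrative rights under PowerShell 2.0 or later.

```powershell
# Added example: version-checked deployment of the Macrovision secdrv.sys update.
# Assumes: \\someserver\someshare\... is the share from the post (placeholder),
# the package directory holds secdrv.sys beside SecDrv.inf (assumption),
# admin rights, PowerShell 2.0+.

$UpdateShare = '\\someserver\someshare\macrovision-secdrv-update'
$Installed   = Join-Path $env:windir 'system32\drivers\secdrv.sys'
$Marker      = Join-Path $env:windir 'system32\drivers\safedisc-fix-11-09-07.txt'

function Get-FileVersion([string]$path) {
    # Returns a System.Version so comparison is numeric; comparing the
    # FileVersion string would rank "4.10" below "4.3".
    if (-not (Test-Path $path)) { return $null }
    $vi = (Get-Item $path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-AffectedOS {
    # The advisory covers XP (NT 5.1) and Server 2003 (NT 5.2); Vista's
    # driver was reviewed before RTM, so it is skipped here.
    $os = Get-WmiObject Win32_OperatingSystem
    return ($os.Version -like '5.1.*' -or $os.Version -like '5.2.*')
}

function Test-UpdateNeeded {
    $have = Get-FileVersion $Installed
    $want = Get-FileVersion (Join-Path $UpdateShare 'secdrv.sys')
    if ($null -eq $want) { throw "update package not found under $UpdateShare" }
    if ($null -eq $have) { return $false }   # driver absent: nothing to patch
    return ($have -lt $want)
}

if (-not (Test-AffectedOS)) { Write-Host 'Not XP/2003; skipping.'; return }
if (-not (Test-UpdateNeeded)) {
    Write-Host "secdrv.sys already at $(Get-FileVersion $Installed); skipping."
    return
}

# Same install call as the batch version; flag 128 makes setupapi take the
# source files from the INF's own directory, hence the Push-Location.
Push-Location $UpdateShare
try {
    & rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 .\SecDrv.inf
} finally {
    Pop-Location
}

# Verify on disk instead of trusting the marker. If the driver was loaded
# (a SafeDisc game running), setupapi defers the copy to the next reboot
# and this check fails, which is the right thing to surface.
if (Test-UpdateNeeded) {
    throw 'secdrv.sys still below package version after install; reboot required?'
}
"secdrv.sys updated to $(Get-FileVersion $Installed) on $(Get-Date)" | Out-File $Marker
```

Because the decision is made from the driver's version rather than the marker, the script is safe to run on every login: it is a no-op on patched machines and re-applies the fix on any machine where the old driver has reappeared.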
You're forced to have a full install of DirectX too, including the joystick/gamepad support, DirectPlay (for network gaming) and all the sound/video stuff...
Why would you need all this on a corporate desktop, let alone a supposed "server"?
None of my unix servers have anything that's not relevant to whatever the server is hosting, the only server i have which has *ANY* gaming or graphics related software on it is a quake server!
Windows "server" is a joke anyway; you're forced to have a GUI, browser, mail client, media player, gaming support libs (DirectX) etc., which is a complete hassle to remove and often needs to be patched.
A server should always have the bare minimum software installed, less to go wrong, less to have security problems, less overhead, and you don't have the hassle of patching anything that's not installed.
That's why the large number of Linux distributions, often cited as a problem, is so good. You can customise to your heart's content, and remove what you don't need, or better yet never install it.
And any half decent package manager will pull in extra dependencies if they start being required.
All my linux machines are built to spec, only what's required is installed and nothing else.
I recommended switching to Linux (or actually performing some research into switching) to a few managers there. Once I got past the usual lip service the end result was "well, we're a Microsoft shop." The conversation always ended there.
And that's one of the reasons I no longer work there.
Still doesn't use the Macrovision copy protection. Macrovision copy protection is for games only, as it validates a CD-ROM. There's NO serious business software that requires the CD to be inserted to run.
Bad example, I don't see a reason you would install quickbooks on a server.
I don't think it comes with DirectX. Maybe I'm wrong. Once upon a time when the ArmA demo was first released, we happened to have a new Bladecenter sitting idle so I set up an ArmA server on that, and I needed to install DX for it to run. So if it does come with DirectX, then it's an old version.
But I do agree that Windows "server" comes with a lot of useless shit. A lot of my earlier VMs are seriously disc constrained, because it didn't occur to me that an out-of-the-box installation of Windows 2003 would need almost 5 gigs of disc space. And that's before it actually DOES anything. Most of the space seems to go to redundant copies of every DLL on the system just in case it needs to fix anything which has magically become "corrupted". What a joke.
It certainly does come with directx, i believe 2003 even comes with a newer version than XP did... You can try by starting the dxdiag tool on a default 2003 install.
And you're right, 5 gig for a base install is pathetic. Even worse on your VMs, because that's 5 gig multiplied by the number of VMs you have.
As for redundant copies of DLLs, this was Microsoft's hyped "self repair" feature from Windows 2000... As Sun pointed out at the time, it's better for your system to prevent itself from being corrupted than to try and clean up the mess after the fact. I don't think any Unix systems keep backup copies of everything, but then Unix users typically don't run masses of software as root unnecessarily.
Besides, keeping a backup copy and copying it back has many flaws: if you're installing something malicious you just need to corrupt the backup as well, and it now becomes harder to remove your malware because Windows will keep copying it back. It also becomes harder to remove unwanted Windows components for the same reason; if you delete IE or Outlook Express it just gets copied back. And of course if the program that does the copying gets corrupted, or part of the boot process leading up to that, you're screwed anyway.
This is exactly the problem Trusted Computing wants to fix. By making non-DRM media a bigger hassle, you'll be happy to spend $30 on the DVD, another $15 to put it on your iPhone, $0.25 each time you use one of the soundtrack songs as your ringtone, etc.
We have been pained enough by MS-Office suddenly demanding you to pop in the origial CD/DVD-ROM to get a particular module
You want to see something really funny? Try installing a copy of Office 97. Now try to uninstall without the disc in the drive. It will require the disc. No I'm not kidding, it needs the original disc to remove the software from your PC.
How pointless and frustrating is that?