Slashdot Mirror


AntiPiracy Macrovision Bug is Actually Six Years Old

twitter writes "A recently reported Macrovision bug has actually been around for six years, according to Computerworld. 'Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today. The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista ... users do not have to play a SafeDisc-protected game to be vulnerable.' The article goes on to play down danger and claim that Vista is safe, but ZDNet notes: 'Malware authors are actively exploiting a zero-day privilege escalation vulnerability ... [which] can be exploited to overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges. This facilitates the complete compromise of affected computers.'"

11 of 177 comments

  1. Why are they shipping this in business computers? by 140Mandak262Jamuna · · Score: 4, Insightful
    This is complete lunacy. Almost all corporations prohibit their users from playing computer games on their PCs. The fastest safest thing for MSFT would be to tell its customers, "If you are not playing Macrovision protected games in your computer, just rename this xxx.dll or yyy.sys file."

    Why was it not disclosed to the corporate customers that a dll or a sys file, that is exclusively used to play games published by a particular vendor is bundled and installed on ALL their computers? What are the priorities here? We have been pained enough by MS-Office suddenly demanding you to pop in the original CD/DVD-ROM to get a particular module. But they don't want their users to be hassled to fetch the original disc to get a driver used only by a subset of users. How screwed up this set up can be? Why are not the corporate customers demanding a full disclosure of what is being bundled, and why and what can be safely removed from their computers?

    Does the total cost of ownership studies include the cost of keeping up with these security disclosures and applying patches to the holes?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. 1) Accountability 2) Technical integrity by dpbsmith · · Score: 4, Insightful

    How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure? Why does Vista allow Macrovision's component to do whatever it likes?

    Is this a case where Microsoft allowed "signing" to be a substitute for good engineering?

    Even if the act of buying Windows implies that I trust Microsoft, does the act of buying Windows imply that I trust Macrovision?

    When I buy a home computer with Windows on it, do I even know all of the companies that have contributed content that is included on the hard drive at the time of purchase? Do I have a list? Have I agreed to trust them all? Does Vista trust all of them? Could all of them punch holes in Vista's security if the vendors that supplied them don't have engineers as competent as Microsoft's?

  3. Fixed in Vista - WTF? by shadow_slicer · · Score: 2, Insightful

    Thanks to this security review, this vulnerability is not present in Windows Vista
    So they fixed it in Vista, but didn't send out a security update for the other systems?
  4. Re:ZOMG SIX YEARS?!? by A little Frenchie · · Score: 1, Insightful

    Can you lose control of your computer with that tool tip display bug? I don't think so.

  5. Windows 2000 is still immune. :) by argent · · Score: 3, Insightful

    Makes me doubly glad I've stuck with Windows 2000 all these years.

  6. Re:MS have known about this bug but didn't update. by Dan East · · Score: 4, Insightful

    Hackers only started exploiting this 3 weeks ago ...that we know of. It is likely that on some irc channel a couple of hackers are congratulating themselves on having kept this exploit under wraps for the last half decade.

    Dan East

    --
    Better known as 318230.
  7. DRM doesn't help producers make money by LKM · · Score: 4, Insightful

    I'm not a big fan of the "oh noes! DRM is the suxors!" crowd, because I'm rational enough to see both sides of the DRM issue: producers want to get paid

    Here's what you're missing: DRM hurts precisely those people who actually do pay the producers.

    If I buy a DVD in a store, I get the hassle of DRM, and putting it on my iPhone is going to be complicated. If I just download the movie from the Internet, I just open it in QuickTime and export to iPhone. If I buy music in the iTunes Music Store, I can't easily use it on my PC at work, unless I authorize it with my iTunes login, only to forget to de-authorize it if I get a new computer or reinstall the OS. If I just download music, I have none of these issues.

    Now, I do buy DVDs, and I do buy music from the iTunes store, and I do buy a lot of stuff with DRM. But I do not buy these things because they have DRM, but in spite of it. DRM is actually an incentive to not give the producers money; without DRM, they'd see a lot more money from me.

  8. shaking my head... by logicassasin · · Score: 2, Insightful

    Wow... It's 2007 and some people still don't get it.

    Many people (myself included) would love nothing more than to move away from M$ products but, sadly, are trapped in them because of the applications we use. I can't use Linux for music production and the particular apps I use don't exist under MacOS (Sonar 6 and FL Studio). While I can certainly do Flash authoring under OSX, I can't under Linux. One of my PCs has an old Matrox Mystique220 with Rainbow Runner Studio in it. There are no Linux drivers for it. That PC runs Win98SE and serves as my video editing box (TBird 1.3GHz/512MB RAM). The RR Studio has a feature that makes it quite unique; it ignores Macrovision encoding on VHS. Because of this, I have a nice little niche business of transferring old VHS tapes to DVD or VCD. Won't work anywhere else but Win98SE, so I stick with it.

    My programming/scripting machine runs Linux (Mandriva 2007 Spring) and my tinkering machine runs FreeBSD 6.0, so I'm partially M$ free.

    --
    Fifty watts per channel, baby cakes.
  9. Software freedom is the cure. by jbn-o · · Score: 4, Insightful

    How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure?

    This has to do with the software being proprietary, not coming from a third party.

    How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure. Apparently bugs will go unfixed for years because only the proprietor is allowed to fix the bugs. However, the proprietor is unmotivated to fix bugs until the proprietor is pushed (through publicly announced exploits, better competition, and so on). All the while you, the user, are denied complete control over your computer.

    The cure is simple: install nothing but free software on your computer. Give yourself the freedom to inspect, change, and share the software, hire someone else to do it for you, or leverage the talent of a community of hackers improving free software all the time. This is not about making everyone a programmer, it's about giving people the freedom to control their computers while building a society of cooperation and social solidarity. Proprietary software denies you your software freedom, so deny proprietary software a place on your computer.

    1. Re:Software freedom is the cure. by I'm Don Giovanni · · Score: 2, Insightful

      "How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure."

      Huh, I didn't know that software verification had been perfected such that FLOSS was "verifiable" as "secure".
      The fact is, FLOSS "security is unverifiable by anyone I can trust and therefore unworthy of being considered secure."
      I don't know who is "verifying" the security of FLOSS. Linus? He's just one guy, who can't verify the security of every distro out there.
      Red Hat? Don't make me laugh. Why would I trust them over any "proprietary" software maker to "verify" that their code is "secure"?
      Ubuntu? The same group that released an OS update that wiped users' home directories? Are they the ones that I should "trust" to "verify" the "security" of their distro?
      The "million eyes" thing is a canard. FLOSS is no more secure than proprietary, and the security update stats for Linux, Windows, and Mac over the last two years show this. Hell, the increasing frequency of Firefox security updates shows it as well.

      --
      -- "I never gave these stories much credence." - HAL 9000
  10. Re:DRM: It's not just wrong by Dog-Cow · · Score: 2, Insightful

    Apple's DRM has zero effect on non-Apple anything.