AntiPiracy Macrovision Bug is Actually Six Years Old
twitter writes "A recently reported Macrovision bug has actually been around for six years, according to Computerworld. 'Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today. The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista ... users do not have to play a SafeDisc-protected game to be vulnerable.' The article goes on to play down the danger and claim that Vista is safe, but ZDNet notes: 'Malware authors are actively exploiting a zero-day privilege escalation vulnerability ... [which] can be exploited to overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges. This facilitates the complete compromise of affected computers.'"
Can Macrovision be held liable for losses?
Upgrade your driver here: http://www.macrovision.com/promolanding/7352.htm
Microsoft Security Advisory (944653): http://www.microsoft.com/technet/security/advisory/944653.mspx
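An added example, not from the thread, from Macrovision or from Microsoft: a PowerShell check an administrator could run on Windows XP or Server 2003 to see whether the SafeDisc driver is installed and loaded, and optionally keep it from loading until the updated driver is applied. It assumes the driver is registered as the kernel service `secdrv` backed by `%SystemRoot%\System32\drivers\secdrv.sys`.

```powershell
# Inventory (and optionally neutralise) the SafeDisc kernel driver secdrv.sys.
# Assumption: the driver is registered as kernel service 'secdrv' and lives in
# %SystemRoot%\System32\drivers\secdrv.sys. Run from an elevated prompt.
param([switch]$Disable)

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\secdrv.sys'

if (-not (Test-Path $driverPath)) {
    Write-Output "secdrv.sys is not present on this host; nothing to do."
    return
}

# Kernel drivers are not listed by Get-Service, so query WMI instead.
$svc = Get-WmiObject Win32_SystemDriver -Filter "Name='secdrv'"
$fileVersion = (Get-Item $driverPath).VersionInfo.FileVersion

Write-Output ("secdrv.sys present, file version {0}" -f $fileVersion)
if ($svc) {
    Write-Output ("service state: {0}, start mode: {1}" -f $svc.State, $svc.StartMode)
} else {
    Write-Output "file present but no 'secdrv' service is registered"
}

# Compare the version above with the updated driver from the Macrovision link
# before deciding it is patched; the thread notes the fix is not pushed by
# Windows Update.

if ($Disable -and $svc) {
    # Stopping and disabling the service keeps the vulnerable code out of the
    # kernel until the updated driver is installed. Side effect: SafeDisc-
    # protected games will not run while it is disabled.
    # Note 'sc' alone is the Set-Content alias in PowerShell, hence sc.exe.
    if ($svc.State -eq 'Running') {
        sc.exe stop secdrv | Out-Null
    }
    sc.exe config secdrv start= disabled | Out-Null
    Write-Output "secdrv stopped and set to disabled (a reboot makes it stick)."
}
```

Run it without `-Disable` first to record the version and state on each host; rerun with `-Disable` only where the updated driver cannot be installed right away.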
Why was it not disclosed to the corporate customers that a dll or a sys file, which is exclusively used to play games published by a particular vendor, is bundled and installed on ALL their computers? What are the priorities here? We have been pained enough by MS-Office suddenly demanding you to pop in the original CD/DVD-ROM to get a particular module. But they don't want their users to be hassled to fetch the original disc to get a driver used only by a subset of users. How screwed up can this setup be? Why aren't the corporate customers demanding a full disclosure of what is being bundled, and why, and what can be safely removed from their computers?
Do the total cost of ownership studies include the cost of keeping up with these security disclosures and applying patches to the holes?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
How can an operating system be considered "secure" if the inclusion of a third-party component makes it insecure? Why does Vista allow Macrovision's component to do whatever it likes?
Is this a case where Microsoft allowed "signing" to be a substitute for good engineering?
Even if the act of buying Windows implies that I trust Microsoft, does the act of buying Windows imply that I trust Macrovision?
When I buy a home computer with Windows on it, do I even know all of the companies that have contributed content that is included on the hard drive at the time of purchase? Do I have a list? Have I agreed to trust them all? Does Vista trust all of them? Could all of them punch holes in Vista's security if the vendors that supplied them don't have engineers as competent as Microsoft's?
"How to Do Nothing," kids activities, back in print!
FTFA, the bug was fixed in Vista, because "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver."
Hackers only started exploiting this 3 weeks ago, but MS must have known about this for 6 months at least. Macrovision even offers an update for WinXP on their web site based on the same fix, but MS never pushed the update through their security update mechanism, and even now, isn't committing to it.
So, to recap for those keeping score at home, you now have to download patches for Windows system files from Macrovision's website! MS bashers have a goldmine to work from here.
Here's what you're missing: DRM hurts precisely those people who actually do pay the producers.
If I buy a DVD in a store, I get the hassle of DRM, and putting it on my iPhone is going to be complicated. If I just download the movie from the Internet, I just open it in QuickTime and export to iPhone. If I buy music in the iTunes Music Store, I can't easily use it on my PC at work, unless I authorize it with my iTunes login, only to forget to de-authorize it if I get a new computer or reinstall the OS. If I just download music, I have none of these issues.
Now, I do buy DVDs, and I do buy music from the iTunes store, and I do buy a lot of stuff with DRM. But I do not buy these things because they have DRM, but despite it. DRM is actually an incentive to not give the producers money; without DRM, they'd see a lot more money from me.
This has to do with the software being proprietary, not coming from a third party.
How can an operating system be considered "secure" if it has proprietary software installed? It can't. Proprietary software security is unverifiable by anyone you can trust and therefore unworthy of being considered secure. Apparently bugs will go unfixed for years because only the proprietor is allowed to fix the bugs. However, the proprietor is unmotivated to fix bugs until the proprietor is pushed (through publicly announced exploits, better competition, and so on). All the while you, the user, are denied complete control over your computer.
The cure is simple: install nothing but free software on your computer. Give yourself the freedom to inspect, change, and share the software, hire someone else to do it for you, or leverage the talent of a community of hackers improving free software all the time. This is not about making everyone a programmer, it's about giving people the freedom to control their computers while building a society of cooperation and social solidarity. Proprietary software denies you your software freedom, so deny proprietary software a place on your computer.
Digital Citizen
...and more of my discretionary income goes towards games than anything else. There was an article here this week (http://yro.slashdot.org/article.pl?sid=07/11/03/048256) about the most profligate music pirates being the biggest music *buyers* as well- same principle.
However...the industry, especially PC gaming, has lost quite a few purchases from me because of copy protection. Just a few examples:
I loved Neverwinter Nights. Would have bought the Infinite Dungeons mod, but it requires an always-on net connection while you play to verify you're not a pirate. Screw that.
Starforce? Any Starforce'd game is automatically disqualified from my consideration.
I don't buy games that use Securom or Safedisc anymore, either. As a pirate, I find it inconvenient to have to download bypasses so I can run stuff on my Daemon Tools-happy gaming box. I almost bought Civ 4 and its expansions recently, but the DRM dissuaded me- though it won't stop those who torrented it from downloading a workaround.
I import games. Over the past year or two I've imported multiple games that would never have been released in the U.S.- the Touhou series, both Ouendans... but I won't do so for any console that has to be modded, because it's too much of a pain. If it weren't for that, I would have bought SO much crap for my PS2- guess I'll never buy any of those Cave shooters.
I'm a huge Megaten fan and will gladly buy FES the day it hits stores, assuming it's released stateside, even though FES is generally considered mediocre. If it weren't for emulation, I might not even be a fan of the series. Atlus acquitted itself pretty poorly with its release of the first two Persona games in the U.S.; it was actually the fanslation/romhacking scene's English patches for SMT1 and 2 that got me into the series. (I remember a comment from another Slashdotter who wrote the same thing in another copy-protection thread, too.)
The funny thing is, if I wanted to bypass any of this copy protection, I easily could. Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle. Me, I prefer to wean myself off the companies who resort to copy protection. There are plenty of other games out there which are just as good and don't involve all the bullshit- more than I have the free time to play, in fact. I'll just buy some of those instead.
And the games that I DO pirate? Those are the ones I wouldn't have bought anyway- though you only have my word on that. Ever spend time on a forum for an Atlus game? Atlus fans know damn well that they're not dealing with automatic-trillion-sellers like Madden 200X: Same Shit, New Roster or World War 2 Shooter: The Shootening. They (we) will tell other fans to buy, and buy a *new* copy, *before* price drops, *because we want Atlus to release more games we like*.
So: can somebody explain to me why all this antipiracy stuff is necessary? Or even prove to me that it isn't outright counterproductive? Last I heard, Galciv and Stardock were doing just fine.
Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle.
I did that around 1981 when I went to the local "unlicensed software distributors" at the University to get a cracked copy of Wizardry written out on top of my gold-labeled store-bought floppy because the copy protection had made the original unplayable... which meant I may have had the only "legal" cracked copy in existence. I ran into the author of the game online many years later, and he thought that was pretty amusing.
Several years later a friend and I released a game for the Amiga and since the publisher required copy protection we came up with a copy protection scheme for it that didn't require modifying the OS or bypassing the driver, and allowed the protected disks to be created using a regular script. Since we knew that copy protection was a speedbump, we came up with some speedbump-quality protection that would still do a better job at blocking the most common cracking tools than the "professional" and more intrusive protection schemes.
What we did was take advantage of the way the Amiga identified disks by using a unique ID in the disk header. All copy protection cracking tools we knew of generated a new ID by default, so that the user wouldn't get an error from the OS if they left the original and the copy both in the drives after they exited the program. We stored an obfuscated copy of the ID in file comments, and ran in "demo mode" if they didn't match. It didn't pop up any warning screens, it just wouldn't let you get past the 'attract mode' display. This meant that most people just using a "raw" copier would get an apparently "damaged" copy that still kind of worked... we figured this was unintrusive and at least as good a speedbump as you got from a scheme that had defeat code preprogrammed into the copying tools, for the week or so before it got figured out and our scheme got added to the rest.
We provided our publisher with detailed instructions, explanations, and a set of disks to use to create the copies if they didn't use an image duplicator. They fobbed production off on another company who blithely used one of the cracking tools we were targeting to do the production run. If they'd used a normal image duplicator or our scripts everything would have been fine, but instead all the shipped copies came up in demo mode. Of course the game had to be recalled, and we missed the Christmas launch.
Copy protection (whether you call it copy protection or DRM) increases the costs and risks of production and just plain doesn't do anything more than flashing a "don't pirate this game" splash screen would.
This can only be exploited locally, so the chances it will affect any significant number of people are very small.
Since virtually everybody who uses Windows XP runs as admin, there would be no reason to use this exploit, since if you get code to run on the target machine, it's already running as admin.
For Windows Server, a bad guy with local access is going to be rare, and most admins don't usually download and run random code on their servers. The one exception might be a server used as a terminal services provider, but I can't imagine that's particularly common. Plus, standard domain policy best practices would prevent unsigned/unapproved code from being run by any non-admin anyway, so it's really not an issue.
Lastly, Vista isn't affected, both because it includes the newer version of the DLL, and because the privilege elevation itself would not be possible thanks to some new security measures in Vista's kernel.
So while it makes a great "DRM Sucks!" story, the security ramifications of this bug are essentially zero.
If anyone incurs costs as a result of this, they can sue Macrovision. Macrovision isn't protected by Microsoft's EULA. (Nor can it be; there's a legal concept called "privity" that applies to third party issues like this.) The end user has no contractual relationship with Macrovision. So there's nothing protecting them from a negligence lawsuit.
Macrovision is as vulnerable as Sony was.