AntiPiracy Macrovision Bug is Actually Six Years Old

twitter writes "A recently reported Macrovision bug has actually been around for six years, according to Computerworld. 'Flawed antipiracy software now being exploited by attackers has been bundled with Windows for the last six years to protect game publishers, Macrovision Corp. said today. The "secdrv.sys" driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista ... users do not have to play a SafeDisc-protected game to be vulnerable.' The article goes on to play down danger and claim that Vista is safe, but ZDNet notes: 'Malware authors are actively exploiting a zero-day privilege escalation vulnerability ... [which] can be exploited overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges. This facilitates the complete compromise of affected computers.'"

Here is update (Macrovision SECDRV.SYS Driver)

[holywarrior21c]

Upgrade your driver here: http://www.macrovision.com/promolanding/7352.htm
Microsoft Security Advisory(944653)http://www.microsoft.com/technet/security/advisory/944653.mspx

MS have known about this bug but didn't update.

[Rashkae]

FTFA, the bug was fixed in Vista, becasue "Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver."

Hackers only started exploiting this 3 weeks ago, but MS must have known about this for 6 months at least. Macrovision even offers an update for WinXP on their web site based on the same fix, but MS never pushed the update through their security update mechanism, and even now, isn't commiting to it.

So, to recap for those keeping score at home, you now have to download patches for Windows system files from Macrovision's website! MS bashers have a goldmine to work from here.

I'm a pirate.

[Bellewether]

...and more of my discretionary income goes towards games than anything else. There was an article here this week (http://yro.slashdot.org/article.pl?sid=07/11/03/048256) about the most profligate music pirates being the biggest music *buyers* as well- same principle.

However...the industry, especially PC gaming, has lost quite a few purchases from me because of copy protection. Just a few examples:

I loved Neverwinter Nights. Would have bought the Infinite Dungeons mod, but it requires an always-on net connection while you play to verify you're not a pirate. Screw that.

Starforce? Any Starforce'd game is automatically disqualified from my consideration.

I don't buy games that use Securom or Safedisc anymore, either. As a pirate, I find it inconvenient to have to download bypasses so I can run stuff on my Daemon Tools-happy gaming box. I almost bought Civ 4 and its expansions recently, but the DRM dissuaded me- though it won't stop those who torrented it from downloading a workaround.

I import games. Over the past year or two I've imported multiple games that would never have been released in the U.S.- the Touhou series, both Ouendans... but I won't do so for any console that has to be modded, because it's too much of a pain. If it weren't for that, I would have bought SO much crap for my PS2- guess I'll never buy any of those Cave shooters.

I'm a huge Megaten fan and will gladly buy FES the day it hits stores, assuming it's released stateside, even though FES is generally considered mediocre. If it weren't for emulation, I might not even be a fan of the series. Atlus acquitted itself pretty poorly with its release of the first two Persona games in the U.S.; it was actually the fanslation/romhacking scene's English patches for SMT1 and 2 that got me into the series. (I remember a comment from another Slashdotter who wrote the same thing in another copy-protection thread, too.)

The funny thing is, if I wanted to bypass any of this copy protection, I easily could. Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle. Me, I prefer to wean myself off the companies who resort to copy protection. There are plenty of other games out there which are just as good and don't involve all the bullshit- more than I have the free time to play, in fact. I'll just buy some of those instead.

And the games that I DO pirate? Those are the ones I wouldn't have bought anyway- though you only have my word on that. Ever spend time on a forum for an Atlus game? Atlus fans know damn well that they're not dealing with automatic-trillion-sellers like Madden 200X: Same Shit, New Roster or World War 2 Shooter: The Shootening. They (we) will tell other fans to buy, and buy a *new* copy, *before* price drops, *because we want Atlus to release more games we like*.

So: can somebody explain to me why all this antipiracy stuff is necessary? Or even prove to me that it isn't outright counterproductive? Last I heard, Galciv and Stardock were doing just fine.

I've played this game from both sides.

[argent]

Every time this is discussed on Slashdot there are comments from Slashdotters who legitimately purchase games and then download cracked versions because the crippled, boxed versions are too much hassle.

I did that around 1981 when I went to the local "unlicensed software distributors" at the University to get a cracked copy of Wizardry written out on top of my gold-labeled store-bought floppy because the copy protection had made the original unplayable... which meant I may have had the only "legal" cracked copy in existence. I ran into the author of the game online many years later, and he thought that was pretty amusing.

Several years later a friend and I released a game for the Amiga and since the publisher required copy protection we came up with a copy protection scheme for it that didn't require modifying the OS or bypassing the driver, and allowed the protected disks to be created using a regular script. Since we knew that copy protection was a speedbump, we came up with some speedbump-quality protection that would still do a better job at blocking the most common cracking tools than the "professional" and more intrusive protection schemes.

What we did was take advantage of the way the Amiga identified disks by using a unique ID in the disk header. All copy protection cracking tools we knew of generated a new ID by default, so that the user wouldn't get an error from the OS if they left the original and the copy both in the drives after they exited the program. We stored an obfuscated copy of the ID in file comments, and ran in "demo mode" if they didn't match. It didn't pop up any warning screens, it just wouldn't let you get past the 'attract mode' display. This meant that most people just using a "raw" copier would get an apparently "damaged" copy that still kind of worked... we figured this was unintrusive and at least as good a speedbump as you got from a scheme that had defeat code preprogrammed into the copying tools, for the week or so before it got figured out and our scheme got added to the rest.

We provided our publisher with detailed instructions, explanations, and a set of disks to use to create the copies if they didn't use an image duplicator. They fobbed production off on another company who blithely used one of the cracking tools we were targeting to do the production run. If they'd used a normal image duplicator or our scripts everything would have been fine, but instead all the shipped copies came up in demo mode. Of course the game had to be recalled, and we missed the Christmas launch.

Copy protection (whether you call it copy protection or DRM) increases the costs and risks of production and just plain doesn't do anything more than flashing a "don't pirate this game" splash screen would.

Local Exploit Only, and Very Unlikely

[ThinkFr33ly]

This can only be exploited locally, so the chances it will affect any significant number of people are very small.

Since virtually everybody who uses Windows XP runs as admin, there would be no reason to use this exploit, since if you get code to run on the target machine, it's already running as admin.

For Windows Server, a bad guy with local access is going to be rare, and most admins don't usually download and run random code on their servers. The one exception might be a server used as a terminal services provider, but I can't imagine that's particularly common. Plus, standard domain policy best practices would prevent unsigned/unapproved code from being run by any non-admin anyway, so it's really not an issue.

Lastly, Vista isn't affected, both because it includes the newer version of the DLL, and because the privilege elevation itself would not be possible thanks to some new security measures in Vista's kernel.

So while it makes a great "DRM Sucks!" story, the security ramifications of this bug are essentially zero.