IanFarquhar

Australia, Sydney

Profile
Blog
Photos
Videos

IanFarquhar's World

View RSS Feed

Photos


The user did not publish any entries here yet

Videos


The user did not publish any entries here yet

Buddies


This user has no friends at My Nero at the moment.

Invite IanFarquhar to your buddy list

Zero-Day Flaw in Macrovision Driver Shipped with Windows XP and 2003

posted by IanFarquhar at 1 year ago

Well, here's some unpleasant news:

http://blogs.zdnet.com/security/?p=603

It turns out that Microsoft bundles the Macrovision Safedisc driver (secdrv.sys) with all copies of Windows XP-SP2, Windows 2003, and Vista. On XP and 2003 it has a serious security vulnerability which allows privilege escalation, so that an unprivileged application can gain administrative privileges.

This bug was only found because an anti-virus researcher was analysing malware in the wild, and discovered that malware used this vulnerability! He reverse engineered the technique to discover the bug.

Oh, and there's also a proof-of-concept exploit (with source code) available, linked from the above article. So with very little skill, anyone could utilize this vulnerability.

What's wrong with this picture? Let us count the ways:

1. That Macrovision is unable to code software without introducing a very basic security vulnerability.

2. That Macrovision doesn't properly QA its software, because it failed to detect this vulnerability, and shipped the code.

3. That Microsoft has included Macrovision's software BY DEFAULT in Windows, even though this software not only has no real user benefit whatsoever, but actively deprives the user of legally-defined and fair-use rights to make backup copies of media.

4. That Microsoft is not properly checking the third-party code which they choose to bundle, despite all claims to the contrary.

5. That this vulnerability is being actively exploited "in the wild" by malware, and has been for an unknown period.

Note: some people are claiming that Microsoft must have detected and fixed this problem in Vista, because it doesn't seem to affect that release of Windows. The implication being that Microsoft has not exercised due diligence.

This argument is naive, and until someone actually confirms that MS did detect the bug in Vista but neglect to fix it elsewhere, I don't buy this argument. There are many reasons that the exploit may fail under Vista, so the fact that it isn't working there doesn't automatically prove Microsoft's knowledge of it.

Tags:
microsoft mvp macrovision malware exploit vulnerability
Category:
Uncategorized
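For administrators who want to know whether the driver the post describes is present and loaded on their own XP or 2003 machines, here is an added inventory script. It is not from the post or the linked article, and it assumes (the page does not say) that the driver is registered as a kernel service named "secdrv" and that the file sits at %SystemRoot%\system32\drivers\secdrv.sys. It only reads state and records a hash for later comparison against a patched build; no patched hashes or versions are given on the page, so none are hard-coded here.

```powershell
# Added defender-side inventory check; not code from the original post.
# Assumptions (not stated on the page): kernel service name "secdrv",
# file path %SystemRoot%\system32\drivers\secdrv.sys.

$serviceName = 'secdrv'
$driverPath  = Join-Path $env:SystemRoot 'system32\drivers\secdrv.sys'

# Win32_SystemDriver covers kernel-mode drivers: state and start mode.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$serviceName'"
if ($drv) {
    "Driver service '$serviceName' present: state=$($drv.State), start mode=$($drv.StartMode), path=$($drv.PathName)"
} else {
    "Driver service '$serviceName' is not registered on this host."
}

# Record the on-disk file's version, timestamp and SHA-256 so the values can be
# compared with the vendor's patched build once it is deployed.
if (Test-Path $driverPath) {
    $file   = Get-Item $driverPath
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($driverPath)
    try {
        $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    "File: $driverPath"
    "  Version : $($file.VersionInfo.FileVersion)"
    "  Modified: $($file.LastWriteTime)"
    "  SHA-256 : $hash"
} else {
    "File $driverPath not found."
}

# The post says XP and 2003 are affected and Vista appears not to be.
# XP and 2003 report NT kernel version 5.x; Vista reports 6.0.
$os = Get-WmiObject -Class Win32_OperatingSystem
"OS: $($os.Caption) (version $($os.Version))"
if ($drv -and $drv.State -eq 'Running' -and $os.Version -like '5.*') {
    "WARNING: secdrv is loaded on an XP/2003-generation kernel; treat the host as exposed until the vendor fix is applied."
}
```

Run it from an elevated PowerShell prompt on each host and keep the version/hash lines with the rest of your asset inventory; a driver that is registered but stopped (start mode Disabled) is not loaded, which is the state you want to see until the fix is in place.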

IanFarquhar wrote at 1 year ago

Hmmm....


You don't have to, NeroDude.  Microsoft has obligingly provided it by default in Windows, where it sits there on XP and 2003, ready to be used by any malware which needs privilege escalation.

Ian.

NeroDude wrote at 1 year ago

Thanks for the heads up


Ho boy... excellent.  Good thing I don't use this program.