23 November 2007

Macrovision “Security” Driver Breaks Windows

[I had this post in my edit queue for over a year. What the hell! But, I am posting it now. Perhaps I will even keep up with this blog again!]

I meant to post this a while back, but as you know I am the laziest blogger evar. Macrovision, a digital restrictions management vendor, is the source of a vulnerability in Windows. The linked article uses nerd jargon like “Ring 0”, but the gist is this: SECDRV.SYS, a device driver that ships in Windows and is supplied by Macrovision, does not properly check the data that an ordinary program hands it. Because it is a device driver, it runs in kernel mode (that is what “Ring 0” means), the most privileged part of the operating system. Feed it carefully crafted data and it corrupts its own memory in a way that lets the program which sent the data choose what machine instructions run next. (We call this “arbitrary code execution”.) Because the now-corrupted driver runs in the most privileged mode of the computer, the adversary gets complete control of it: a limited user account becomes the kernel.

The result is that a software component that was created to provide “security” against the user — i.e., to stop you from copying media — can now be used by mean people to break into your computer. The one catch for the attacker is that the driver takes its data from a program already running on the machine, not from a file you open, so they need to get some code running under your account first. That is not much of a bar: download and run a program from the internet, and it can send SECDRV.SYS the crafted data and promote itself from your limited account to full control of the machine. (They’d probably make it part of their botnet.)
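The post does not give the mechanics of the Macrovision bug, so here is the general shape of the problem as an added example, not code from the linked article, from Macrovision or from Windows: a user-mode C stand-in for a kernel driver's request handler that believes the length a caller supplies, beside the same handler with the check it was missing. The struct layout, the handler and function names, the payload and the "attacker function" are all constructed for the illustration; none of it is the real SECDRV.SYS code or exploit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-request state inside the driver: a small fixed buffer
 * followed by a function pointer the driver calls when it is done.
 * Constructed stand-in, not the real SECDRV.SYS data structure. */
struct request_state {
    uint8_t buf[16];
    void (*on_complete)(void);
};

/* What an ordinary user-mode program hands the driver: a length it
 * chose and a pointer to the bytes that go with it. */
struct user_request {
    uint32_t len;
    const uint8_t *data;
};

static int normal_calls;    /* times the driver's own callback ran */
static int hijacked_calls;  /* times the attacker's function ran */

static void normal_completion(void) { normal_calls++; }

/* Stands in for attacker-controlled code. In the real attack this is
 * an address inside the attacker's own process. */
static void attacker_function(void) { hijacked_calls++; }

/* Vulnerable handler: trusts req->len and copies that many bytes
 * starting at buf (offset 0 of the state). With no bounds check the
 * copy runs straight on into on_complete. A byte loop over the state
 * as raw memory is used so the overflow is not rewritten by a checked
 * memcpy and is not bounded away by the optimizer. */
static int handle_request_vulnerable(struct request_state *st,
                                     const struct user_request *req)
{
    uint8_t *dst = (uint8_t *)st + offsetof(struct request_state, buf);
    for (uint32_t i = 0; i < req->len; i++)   /* no bounds check */
        dst[i] = req->data[i];
    st->on_complete();        /* now calls whatever the caller wrote */
    return 0;
}

/* Hardened handler: validate before touching memory. */
static int handle_request_hardened(struct request_state *st,
                                   const struct user_request *req)
{
    if (req->data == NULL || req->len > sizeof st->buf)
        return -1;                            /* reject oversized input */
    memcpy(st->buf, req->data, req->len);
    st->on_complete();
    return 0;
}

/* Builds the crafted request: filler up to the function pointer, then
 * the address of attacker_function so the copy lands on on_complete. */
static size_t build_payload(uint8_t *out, size_t cap)
{
    void (*fp)(void) = attacker_function;
    size_t off = offsetof(struct request_state, on_complete);
    size_t need = off + sizeof fp;
    if (cap < need)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &fp, sizeof fp);
    return need;
}

/* Crafted request against the vulnerable handler; returns how many
 * times the attacker's function ran (1 = callback hijacked). */
int exploit_vulnerable(void)
{
    struct request_state st = { {0}, normal_completion };
    uint8_t payload[64];
    struct user_request req;
    req.len = (uint32_t)build_payload(payload, sizeof payload);
    req.data = payload;
    hijacked_calls = 0;
    handle_request_vulnerable(&st, &req);
    return hijacked_calls;
}

/* Same crafted request against the hardened handler; returns its
 * status (-1 = rejected, attacker's function never runs). */
int exploit_hardened(void)
{
    struct request_state st = { {0}, normal_completion };
    uint8_t payload[64];
    struct user_request req;
    req.len = (uint32_t)build_payload(payload, sizeof payload);
    req.data = payload;
    return handle_request_hardened(&st, &req);
}

/* A well-formed small request still works with the hardened handler:
 * returns 0 when it succeeds and the driver's own callback ran once. */
int legit_hardened(void)
{
    struct request_state st = { {0}, normal_completion };
    const uint8_t data[4] = { 1, 2, 3, 4 };
    struct user_request req = { sizeof data, data };
    normal_calls = 0;
    int rc = handle_request_hardened(&st, &req);
    return (rc == 0 && normal_calls == 1) ? 0 : -1;
}

int main(void)
{
    printf("vulnerable: attacker function ran %d time(s)\n", exploit_vulnerable());
    printf("hardened, crafted request: status %d\n", exploit_hardened());
    printf("hardened, legit request: status %d\n", legit_hardened());
    return 0;
}
```

Build and run it as an ordinary program: the vulnerable handler ends up calling the attacker's function, the hardened one refuses the request before it writes a byte. In a real kernel the "attacker function" sits in the attacker's own process, and a 2007-era kernel had nothing stopping it from jumping there; on current CPUs SMEP makes exactly that jump fault, but the length check in the hardened handler is still the fix that actually closes the hole.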

On the bright side, perhaps this vulnerability can also be used by nice people to break the “protections” on the DRM'd media.

1 comment:

  1. This affair seems to be very complex. However, I am very interested in learning as much as I can about this wonderful matter.
    By the way, I would have liked to see some pics.