Buffer overflow in Macrovision SafeDisc secdrv.sys, as shipped in Microsoft Windows XP and Server 2003, allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL.
The “secdrv.sys” driver has shipped with all versions of Windows XP, Windows Server 2003 and Windows Vista “to increase compatibility and playability” of games whose publishers license Santa Clara, Calif.-based Macrovision’s SafeDisc copy-protection offering, Macrovision spokeswoman Linda Quach said in an e-mail. “Without the driver, games with SafeDisc protection would be unable to play on Windows,” said Quach.
“The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows,” she added.
The privilege elevation bug in the driver first surfaced more than three weeks ago, when Symantec Corp. researcher Elia Florio spotted the vulnerability being actively exploited. The presence of the file – dubbed Macrovision Security Driver – is enough to open Windows XP and Server 2003 machines to attack; users do not have to play a SafeDisc-protected game to be vulnerable.
Microsoft is working on an update, but it refused to commit to delivering an update for secdrv.sys by next Tuesday, its next scheduled patch delivery day. “Microsoft will provide a security update through its regularly scheduled monthly release process once that update is ready and has been fully tested,” a Microsoft spokesman said in an e-mail.
Users can remove the vulnerable driver – it’s typically found in the “%System%drivers” folder – or update it with a more recent, and apparently safe, version by downloading it from the Macrovision site. “[But] if removed, Macrovision SafeDisc games will not run properly,” the Microsoft spokesman cautioned.
Secdrv.sys is included with Windows Vista, but Microsoft’s newest operating system is safe from attack, said Quach. “Microsoft and Macrovision worked together during the development of Windows Vista RTM [release to manufacturing] to review the security of the Vista version of the driver,” she said. " Thanks to this security review, this vulnerability is not present in Windows Vista." Microsoft went a step further and credited its Security Development Lifecycle (SDL) approach for beefing up the driver.
The version Macrovision offers XP and Server 2003 users as an update is identical to the one built for Windows Vista, Quach said.
As for the three-week stretch between first disclosure of the Macrovision bug and Microsoft’s advisory, Microsoft’s spokesman denied the company had dragged its feet. “Macrovision and Microsoft immediately began investigating the vulnerability when proof-of-concept code was publicly posted Oct. 17,” said the spokesman. The investigation wasn’t the only thing that was a Microsoft-Macrovision joint effort: many of the responses the two companies gave to similar questions were word-for-word matches.
In a follow-up posting to the Symantec security blog, Elia Florio, the researcher who first disclosed that an exploit was on the loose said that home users are actually less at risk than business users – an unusual turn-about. “The attacker has to be logged on to the computer with an account [which] mitigates risks for home users who often work with one account on their computers,” he said. “The situation is more complicated for corporate networks, where multiple users with different privileges can log on to different computers.”
Even so, everyone should apply Microsoft’s fix or update the driver, Florio said. “Malware dropped on the system via some other exploit, [such as] a browser vulnerability or the recent PDF exploit, could potentially take advantage of the bug to take further control of the computer and bypass other layers of protection.”