Zero-day flaw in Macrovision DRM app under attack

Summary: Malicious hackers are exploiting a privilege escalation vulnerability in a copy protection application to launch malware attacks against Windows users.


Malware authors are actively exploiting a zero-day privilege escalation vulnerability in a copy protection driver installed by default in Windows XP and Windows Server 2003, according to a warning from anti-virus vendor Symantec.

The unpatched vulnerability, confirmed in the Macrovision SafeDisc copy-protection driver (secdrv.sys) used by PC games, can be exploited by a local user to overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges.

Because the driver is loaded on every default installation and the bug runs in kernel mode, any code that can already run on the machine, a dropped malware payload included, can use it to take over the computer completely.

The NVD (National Vulnerability Database) entry provides the skinny:

Buffer overflow in Macrovision SafeDisc secdrv.sys, as shipped in Microsoft Windows XP and Server 2003, allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL.
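The NVD summary names the two ingredients of this bug class: a METHOD_NEITHER IOCTL, where the I/O manager hands the driver the caller's raw pointers and lengths without copying or validating them, and a handler that trusts those values. The following C program is an added illustration written for this page, not the secdrv.sys code (which the page does not show) and not Symantec's or Reverse Mode's analysis. It models a 32-bit Windows address space in user land so it compiles anywhere: the user/kernel boundary (0x7FFF0000, the value MmUserProbeAddress has on x86 with the default 2 GB split), the 64-byte reply limit, the request field names and the sample addresses are all assumptions of the model. `probe_for_write` mirrors the range, wraparound and alignment rules of the real ProbeForWrite, and the two handlers show the vulnerable pattern beside the hardened one.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_DATATYPE_MISALIGNMENT  ((NTSTATUS)0x80000002L)
#define STATUS_ACCESS_VIOLATION       ((NTSTATUS)0xC0000005L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)

/* Assumed boundary of the modelled 32-bit address space: on x86 Windows with
 * the default 2 GB split MmUserProbeAddress is 0x7FFF0000. User pointers must
 * lie below it; kernel memory sits at or above it. */
#define USER_PROBE_ADDRESS 0x7FFF0000u
/* Largest reply this hypothetical driver is prepared to copy out (assumed). */
#define MAX_REPLY_LEN      64u

/* A METHOD_NEITHER request as the dispatch routine sees it: the I/O manager
 * validated nothing, these are raw caller-chosen values (Irp->UserBuffer,
 * Type3InputBuffer and the matching lengths in a real driver). */
typedef struct {
    uint32_t user_ptr;
    uint32_t user_len;
} ioctl_request;

/* Where the modelled driver last wrote, so a test can inspect the target
 * instead of the program corrupting real memory. */
typedef struct {
    int      happened;
    uint32_t addr;
    uint32_t len;
} write_record;

/* Kernel-mode code can write anywhere: no hardware check protects kernel
 * memory from the kernel itself, so this simply records the write. */
static void kernel_write(write_record *rec, uint32_t addr, uint32_t len) {
    rec->happened = 1;
    rec->addr = addr;
    rec->len = len;
}

int is_kernel_address(uint32_t addr) {
    return addr >= USER_PROBE_ADDRESS;
}

/* Model of ProbeForWrite: the range [addr, addr+len) must be aligned, must not
 * wrap past 4 GB and must end below the user probe address. The real routine
 * raises an SEH exception on failure; here that becomes a returned status. */
NTSTATUS probe_for_write(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0)
        return STATUS_SUCCESS;              /* the real ProbeForWrite also returns at once */
    if (addr % align != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr)                  /* end of range wraps around */
        return STATUS_ACCESS_VIOLATION;
    if (addr + len > USER_PROBE_ADDRESS)    /* range reaches into kernel space */
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Vulnerable pattern: the reply is copied to whatever address the caller
 * supplied, for as many bytes as the caller asked. A local user who passes a
 * kernel address gets an arbitrary kernel memory write. */
NTSTATUS ioctl_handler_vulnerable(const ioctl_request *req, write_record *rec) {
    kernel_write(rec, req->user_ptr, req->user_len);
    return STATUS_SUCCESS;
}

/* Hardened pattern: copy the caller's values to locals so every check and the
 * final write use the same numbers, bound the length, probe the range, and
 * only then touch it. A real driver wraps the probe and the copy in
 * __try/__except so a fault becomes a status code instead of a bugcheck. */
NTSTATUS ioctl_handler_hardened(const ioctl_request *req, write_record *rec) {
    uint32_t ptr = req->user_ptr;
    uint32_t len = req->user_len;
    NTSTATUS st;

    if (len == 0 || len > MAX_REPLY_LEN)
        return STATUS_INVALID_PARAMETER;
    st = probe_for_write(ptr, len, sizeof(uint32_t));
    if (st != STATUS_SUCCESS)
        return st;
    kernel_write(rec, ptr, len);
    return STATUS_SUCCESS;
}

int main(void) {
    ioctl_request evil = { 0x80501000u, 4u };   /* constructed: a kernel address */
    ioctl_request good = { 0x00120000u, 4u };   /* constructed: an ordinary user address */
    write_record rec = { 0, 0, 0 };
    NTSTATUS st;

    ioctl_handler_vulnerable(&evil, &rec);
    printf("vulnerable: wrote %" PRIu32 " bytes at 0x%08" PRIx32 " (kernel address: %d)\n",
           rec.len, rec.addr, is_kernel_address(rec.addr));
    rec.happened = 0;
    st = ioctl_handler_hardened(&evil, &rec);
    printf("hardened:   status 0x%08" PRIx32 ", write happened: %d\n", (uint32_t)st, rec.happened);
    st = ioctl_handler_hardened(&good, &rec);
    printf("hardened:   status 0x%08" PRIx32 ", write happened: %d at 0x%08" PRIx32 "\n",
           (uint32_t)st, rec.happened, rec.addr);
    return 0;
}
```

Two caveats the model cannot show. First, a successful probe only proves the range was user-space at that instant; another thread can unmap or remap it before the copy, which is why the copy must also sit inside the exception handler. Second, the length bound matters as much as the probe: an unbounded length combined with a fixed-size kernel buffer is the buffer overflow the NVD text describes, and a probe alone does not prevent it.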

Symantec researcher Elia Florio stumbled upon the flaw while reverse engineering an in-the-wild malware sample and successfully tested the exploit against fully patched Windows XP SP2 and Windows Server 2003 SP1 machines. Windows Vista does not seem to be affected by the problem, Florio said.

Immediately after Florio went public with his discovery, researchers at Reverse Mode traced the issue to the Macrovision SafeDisc application. Exploit code (.zip file) for this issue is already in circulation.

A functional exploit is commercially available through the CORE IMPACT penetration testing platform.

  • I'm starting to be guardedly optimistic

    Vista seems to be immune to these exploits. Maybe MS actually did do something right for a change.

    Of course, WGA is still an offense of the first magnitude, but maybe on the security front Vista has made some progress.
  • Makes me wonder? Multiple choices

    a. If the Microsoft Fanbois will claim this is a 3rd party vendor's problem.
    b. Another reason to upgrade to Vista.
    c. It's not a problem because it doesn't affect their machine.
    d. All of the above.
    • Answers

      (a) It is. (and if you're calling me an MS fanboy, you've never seen my other posts)

      (b) It's not. It's likely just a different driver version. There's nothing inherent about Vista that would prevent this. Wasn't it NVidia that opened a hole in Vista with one of their drivers?

      (c) How do you know? The brand and version of DRM is seldom on packaging, and may change between patch levels of the software
      • I hear ya RedhatPackageManager, yes. <NT>

        • Check my other posts

          I run 10.4.10, and after the first patch, 10.5.1
          • I did a Google search and found that you have posted on many occasions.

            I myself am currently running 10.4.10 and Debian Linux on an old PowerMac G-3 (PPC) (Yosemite). I for one won't be chucking this baby in the trash can; it has given me over 12 years of reliability. I'm looking forward to purchasing a G-5 for $50.00 off my sister, being that she has purchased herself a new MacBook Pro. My kids have a Windows XP SP2 machine, but they only use it to play online games. It's also a dual-booter with Debian Linux. My nephew bought himself a PC with Windows XP SP2 on it and he formatted the hard drive on it and installed Ubuntu Linux on it. He's pretty much a software programmer; he created a few scripts for Nautilus on Gnome. Currently his work is shown in Linux Format the Magazine, November issue/2007, on page 52 at the bottom of the page. I have a nephew who purchased a laptop with Vista Basic included on it, and Vista isn't behaving like it's supposed to. Now he wants to convert to Ubuntu also. Well, that's enough for now.
      • And yet

        >>>Wasn't it NVidia that opened a hole in Vista with one of their drivers?<<<

        nVidia's proprietary driver didn't do the same to Linux; it keeps coming back to Microsoft's insecure operating systems, no matter what the attack vector.
        tracy anne
    • How about e.

      the same thing the Mac fanbois say as Apple releases patch after security patch?
      • APPLE does patch, you are correct

        f. But there aren't any exploits in the wild for APPLE, but we patch anyway.
        • But there are no exploits in the wild!!!!!!!1

          • Whatever the case, Toad.

            It doesn't bother me. For the record, I'm also Intellihence on ZDNET. Just
            thought that you and many others should know.
            "In a world without walls and fences, who needs windows and gates."
            Ya see folks, no hurdles to jump over, no hoops to dive thru, just like APPLE
            wants it to be.
            EASE OF USE.
          • .,.,.,.,.,.

            [i]"For the record I'm also Intellihence on ZDNET also"[/i]

            So you play [i]two[/i] morons on the internet?

            Where do you find the time?
          • Ahhh, the jealous hater resorts to name calling. Grow up, kid. <NT>

          • Isn't it obvious?

            [b]So you play two morons on the internet?

            Where do you find the time? [/b]

            He's got no job. He's got no life.
          • No hoops or Hurdles

            First up, let me say that I have limited experience with OS X. But I've used OS 9 fairly extensively and most of what I hear about X in terms of ease of use was what I heard about 9.

            With that clarification, I found lots of hoops and hurdles on my Mac. No support for a slave IDE drive, no support for SCSI CD drives (even though there was a SCSI port on the mainboard and the driver from OS 7.3 worked fine) and no right mouse button functionality in the OS or most apps (even though Windows had extensive support of the right mouse button since Win95). With other issues I won't bother going into.

            Granted some of the problems were raised because I was used to Windows when I bought the Mac (not as a new system). But then most of the people that Mac users are telling to buy Macs are Windows users and most of them will be less capable of adjusting to the changes than I am. This isn't to say that Macs are bad. They aren't and they're undoubtedly superior to PCs in a number of ways, especially since they now offer the option of running Windows for those who want both OSes.

            But I'm a bit tired of hearing how wonderful they are compared to PCs, more so when I see the commercials that seem to compare modern Macs to PCs running Windows 9x. Modern PCs running Windows don't generally have a lot of problems overall. Even if the problems tend to be real headaches, since in my experience the same can be said of Macs. And security is something, that although it's much more a concern with PCs than with Macs (for whatever reason you choose to accept), can be easily dealt with using the right combination of (free) security software. You just have to know what to install and the rest is usually pretty easy.

            That isn't to say that I like what Microsoft has done with Windows lately. I still run Win2K and have no plans to go to XP, much less Vista. Win2K does [i]everything[/i] I need and want it to do. Too much fluff in the newer versions and telling me what I can and can't do with my computer is not a way to get me to buy them.

            Something I see as an issue with Macs, by the way. No one should be under the illusion that Jobs is any more concerned with user's rights than Gates & Co. He just doesn't have the monopoly-based leverage to get away with the outrageous things Microsoft can do. Apple already has hoops and hurdles of their own and would have more if they could do it without losing market share. Don't kid yourself. [i]That's[/i] the way Apple (and most every other business) really wants it.
          • It's not market share...

            Get real, man. Before OS X and before Active Desktop Macs and Windows boxes got modest levels of viruses, more for Windows, but not *no* viruses on the Mac. Hell, even the Amiga and Atari ST had vigorous viral ecosystems. The idea that people would simply not bother attacking OS X when even really marginal systems used to get them is just not tenable.

            Near the end of the '90s the virus level on Windows shot through the roof. It's not because Windows suddenly in 1997 sold thousands of times as many units... it's because the nature of Windows changed. Active Desktop and related technologies that merged the internet (dangerous) and the desktop (vulnerable) provided that much richer an environment for malware than before. Before Outlook started displaying HTML, the idea that you could run a program on someone's computer by sending them mail.. without them even opening it... was a joke. Literally.

            Good Times virus hoax:

            And ActiveX in Internet Explorer. Just get the browser to save a file in the right place or from the right domain and it'll run it for you? CONVENIENT!

            THAT is why Windows gets the attention.

            Microsoft covered themselves in virus bait and ran around the virus game park during virus mating season screaming "I'm HOT for viruses".
    • This is merely a local privilege escalation exploit.

      This is merely a local privilege escalation exploit. While that's still bad, the dozens of remote exploits in Apple QuickTime are a lot scarier.
      • That's old news George, it's already been fixed.

        This issue with the PDF exploit looks bad for the MS platform. Seems as every
        week/day that passes by there is more bad news for MS. George, do you own stock in
        MS? If so I would sell it quick and buy APPLE stock.
      • On a last note George, defend the queen, defend the queen. <NT>