October 23rd, 2007

Zero-day flaw in Macrovision DRM app under attack

Posted by Ryan Naraine @ 11:47 am

Categories: Botnets, Browsers, Data theft, Digital rights management, Exploit code, Hackers, Metasploit, Microsoft, Passwords, Patch Watch, Pen testing, Piracy, Privacy, Responsible disclosure, Spyware and Adware, Viruses and Worms, Vulnerability research

Tags: Digital-rights Management, Macrovision Corp., Attack, Flaw, Microsoft Windows, Digital Rights Management (DRM), Operating Systems, Security, Viruses And Worms, Software

Malware authors are actively exploiting a zero-day privilege-escalation vulnerability in a copy-protection driver that ships by default with Windows XP and Windows Server 2003, according to a warning from anti-virus vendor Symantec.

The unpatched vulnerability, confirmed in the Macrovision SafeDisc copy-protection driver (secdrv.sys) used by PC games, can be exploited to overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges, which amounts to complete compromise of the affected machine.

Note that this is a local privilege escalation, not a remote hole: the attacker must already be running code on the box (a browser exploit or a trojan dropper will do), and the flaw then lifts that code from a limited user account to SYSTEM. The driver is registered as the secdrv service on default XP and Server 2003 installs whether or not any SafeDisc-protected game is present, so stopping and disabling that service is the obvious stopgap until a patch ships, at the cost of SafeDisc titles refusing to run.

The NVD (National Vulnerability Database) entry for the flaw, CVE-2007-5587, provides the skinny:

Buffer overflow in Macrovision SafeDisc secdrv.sys, as shipped in Microsoft Windows XP and Server 2003, allows local users to overwrite arbitrary memory locations and gain privileges via a crafted argument to a METHOD_NEITHER IOCTL.
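The NVD wording is the whole story for anyone who has written a Windows driver: with METHOD_NEITHER the I/O manager does no copying and no validation, so the driver receives the caller's raw input and output pointers (Type3InputBuffer and Irp->UserBuffer) and must probe them itself with ProbeForRead/ProbeForWrite inside a try/except block. Forget the probe and any local user who can open the device gets a write primitive into kernel memory. The following is an added example, not code from secdrv.sys or from Symantec or Reverse Mode: a user-mode C model of that bug class and its fix. A flat array stands in for the address space (lower half user, upper half kernel), the control code, request layout and the "privilege word" at TOKEN_PRIVS are invented for the model, and nothing here reflects which argument the real driver mishandles, which this page does not describe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE    0x10000u   /* size of the modelled address space        */
#define USER_LIMIT  0x8000u    /* [0, USER_LIMIT) is user mode, rest kernel */
#define TOKEN_PRIVS 0xC000u    /* invented: a privilege word in kernel data */

#define IOCTL_GET_VERSION 0x0022u     /* invented METHOD_NEITHER control code */
#define VERSION_REPLY     0x00010004u /* arbitrary 4-byte reply the IOCTL writes */

#define STATUS_SUCCESS                0
#define STATUS_INVALID_DEVICE_REQUEST (-1)
#define STATUS_BUFFER_TOO_SMALL       (-2)
#define STATUS_ACCESS_VIOLATION       (-3)

static uint8_t mem[MEM_SIZE];

/* What a METHOD_NEITHER handler really gets: the caller's raw pointer and
 * length, which the I/O manager has neither copied nor validated. */
struct ioctl_request {
    uint32_t code;
    uint32_t out_ptr;   /* stands in for Irp->UserBuffer */
    uint32_t out_len;   /* stands in for Parameters.DeviceIoControl.OutputBufferLength */
};

/* The "bus": a write to an unmapped address faults (a real kernel would
 * bugcheck); a write to any mapped address, user or kernel, succeeds. */
static int mem_write(uint32_t addr, const void *src, uint32_t n)
{
    if (addr >= MEM_SIZE || n > MEM_SIZE - addr)
        return STATUS_ACCESS_VIOLATION;
    memcpy(&mem[addr], src, n);
    return STATUS_SUCCESS;
}

/* Model of ProbeForWrite: the whole range must lie in user space. */
static int probe_for_write(uint32_t ptr, uint32_t len)
{
    if (len == 0) return 1;
    if (ptr >= USER_LIMIT) return 0;        /* starts in kernel space */
    if (len > USER_LIMIT - ptr) return 0;   /* crosses into kernel    */
    return 1;
}

/* Vulnerable pattern: the reply is written wherever out_ptr points. */
int vulnerable_ioctl(const struct ioctl_request *req)
{
    uint32_t reply = VERSION_REPLY;
    if (req->code != IOCTL_GET_VERSION) return STATUS_INVALID_DEVICE_REQUEST;
    if (req->out_len < sizeof reply)    return STATUS_BUFFER_TOO_SMALL;
    /* Missing probe: a local caller who passes a kernel address here
     * gets a 4-byte write into kernel memory. */
    return mem_write(req->out_ptr, &reply, sizeof reply);
}

/* Hardened pattern: probe every caller-supplied pointer before use. */
int hardened_ioctl(const struct ioctl_request *req)
{
    uint32_t reply = VERSION_REPLY;
    if (req->code != IOCTL_GET_VERSION) return STATUS_INVALID_DEVICE_REQUEST;
    if (req->out_len < sizeof reply)    return STATUS_BUFFER_TOO_SMALL;
    if (!probe_for_write(req->out_ptr, req->out_len))
        return STATUS_ACCESS_VIOLATION;
    return mem_write(req->out_ptr, &reply, sizeof reply);
}

/* Drive one request against a freshly zeroed address space. */
int run_ioctl(int hardened, uint32_t out_ptr, uint32_t out_len)
{
    struct ioctl_request req = { IOCTL_GET_VERSION, out_ptr, out_len };
    memset(mem, 0, sizeof mem);
    return hardened ? hardened_ioctl(&req) : vulnerable_ioctl(&req);
}

/* Read back a 32-bit word from the modelled memory. */
uint32_t word_at(uint32_t addr)
{
    uint32_t v = 0;
    memcpy(&v, &mem[addr], sizeof v);
    return v;
}

int main(void)
{
    /* Legitimate caller: a user-mode buffer, both handlers succeed. */
    printf("user buffer, vulnerable: %d\n", run_ioctl(0, 0x1000u, 4));
    printf("user buffer, hardened:   %d\n", run_ioctl(1, 0x1000u, 4));

    /* Attacker aims the output pointer at kernel data. */
    run_ioctl(0, TOKEN_PRIVS, 4);
    printf("vulnerable: kernel word now 0x%08x\n", word_at(TOKEN_PRIVS));
    int st = run_ioctl(1, TOKEN_PRIVS, 4);
    printf("hardened:   status %d, kernel word 0x%08x\n", st, word_at(TOKEN_PRIVS));
    return 0;
}
```

The write in the model is only four bytes of a fixed value, which is already enough for the class of attack the article describes: aimed at a function pointer or a token field, a controlled kernel write is what turns a low-privilege process into SYSTEM. The real check in a Windows driver is ProbeForWrite under __try/__except, since the probe itself raises on a bad address; the model collapses that into a status return.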

Symantec researcher Elia Florio found the flaw while reverse engineering an in-the-wild malware sample and successfully tested the exploit against fully patched Windows XP SP2 and Windows Server 2003 SP1 machines. Windows Vista does not appear to be affected, Florio said.

Shortly after Florio went public with his discovery, researchers at Reverse Mode traced the issue to the Macrovision SafeDisc driver. Exploit code (.zip file) for this issue is already in circulation.

A functional exploit is commercially available through the CORE IMPACT penetration testing platform.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Talkback
Macrovision *cough RIAA cough* Spyware!
Nasty, nasty, insidious and well ... we could add expletives - except this is a family show.

It would seem Macrovision's once hidden *cat is well and truly out of its bag*. I'm not surprised ... (Read the rest)
Posted by: thx-1138_@... on 10/25/07
