Microsoft said Monday that it would patch a vulnerability in third-party anti-piracy software bundled with Windows after it acknowledged that hackers are already exploiting the bug.
According to the researcher who first reported the flaw, Microsoft has known of the vulnerability for at least three weeks.
In a security advisory issued late Monday, Microsoft said it would issue a fix for a vulnerability in an older edition of "secdrv.sys" -- a file also also known as Macrovision Security Driver -- that's part of the SafeDisc copy-protection scheme that Macrovision licenses to game publishers.
"The driver, secdrv.sys, is a dispatch driver developed by Macrovision and shipped on supported editions of Windows Server 2003, Windows XP, and Windows Vista," Microsoft said in the advisory. "This vulnerability does not affect Windows Vista."
Computerworld confirmed that secdrv.sys is present on stock installations of both Windows XP and Vista, but that the file creation dates -- Feb. 28, 2006 and Nov. 1, 2006, respectively -- differ, with the newer version included in Vista.
Microsoft also said that attacks were in progress. "We are aware of limited attacks that try to use the reported vulnerability," the advisory continued. "Microsoft will take the appropriate action [which] will include providing a security update through our monthly release process." Until then, Windows XP and Server 2003 users can download a more recent version of the driver -- marked with a creation date of Sept. 13, 2006 -- from Macrovision's Web site.
The bug first surfaced three weeks ago when Symantec researcher Elia Florio said an undocumented vulnerability in fully-patched XP and Server 2003 machines, was being exploited in the wild. Although he did not disclose the flaw, Florio's write-up gave several hints about the flawed file. He also reported that when notified, Microsoft said it was already aware of the problem.
"At the moment, it's still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files," Florio wrote in a posting to the Symantec security blog on Oct. 16.
Within 24 hours, other researchers, using Florio's clues, had focused on secdrv.sys, found the vulnerability, and posted proof-of-concept code. "Despite there is no patch available, at the momment [sic], we are disclosing this information since an exploit has been caught in the wild so we see no reason to hide information that can be useful for administrators and researchers," said someone identified only as Rubén on the Bugtraq security mailing list Oct. 17. [A corrected version of the Bugtraq message was posted the next day, Oct. 18 -- Ed.]
Florio classified the vulnerability as a local privilege elevation bug -- meaning that an attacker would need local or authorized access to the PC before successfully running an exploit -- but some researchers cautioned that it was dangerous nonetheless. An advisory posted by eEye Digital Security, for instance, said it could be paired with another attack. "The most common exploit scenario would be to couple an exploit for this vulnerability with a user-based exploit (file-format, client-side)," said the eEye alert. "This allows the attacker to launch a remote attack (web-page, e-mail) to execute code that would then launch this attack."
eEye rated the vulnerability as "medium," and warned that attacks might become widespread.
It was not known late Monday why Microsoft bundles the Macrovision driver with Windows. The company was not available for comment, and its security advisory was mum on the subject.
Macrovision pitches its SafeDisc DRM software to PC game publishers, and touts such characteristics as Automatic Asymmetric Code Blending as part of the package. "Without using a developer's time or resources, automatically intertwine as many as hundreds of Secure Data Types with game code, making it extremely difficult for hackers to remove the security components without essentially crashing the game," Macrovision says on its Web site.
Microsoft did not specify a timetable for patching the Macrovision driver -- or simply pushing the newer version to Windows XP and Server 2003 users -- but its next regularly-scheduled security update is next Tuesday, Nov. 13.
Computerworld is an InfoWorld affiliate