                       __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
                       __________________________________________________________

                             INFORMATION BULLETIN

        Vulnerability in Macrovision SECDRV.SYS Driver on Windows
                   [Microsoft Security Advisory (944653)]

November 7, 2007 22:00 GMT                                        Number S-040
                                                           [REVISED 09 Nov 2007]
______________________________________________________________________________

PROBLEM:       There are reports of a vulnerability in the Macrovision
               secdrv.sys driver on supported editions of Windows Server
               2003 and Windows XP.

PLATFORM:      Microsoft Windows XP Service Pack 2
               Microsoft Windows XP Professional x64 Edition
               Microsoft Windows XP Professional x64 Edition Service Pack 2
               Microsoft Windows Server 2003 Service Pack 1
               Microsoft Windows Server 2003 with SP1 for Itanium-based
                 Systems
               Microsoft Windows Server 2003 Service Pack 2
               Microsoft Windows Server 2003 with SP2 for Itanium-based
                 Systems
               Microsoft Windows Server 2003 x64 Edition
               Microsoft Windows Server 2003 x64 Edition Service Pack 2

DAMAGE:        Could allow elevation of privilege.

SOLUTION:      See Microsoft Security Advisory 944653 for suggested actions.
______________________________________________________________________________

VULNERABILITY  The risk is LOW. Could allow elevation of privilege.
ASSESSMENT:
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-040.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/advisory/944653.mspx
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5587
______________________________________________________________________________

REVISION HISTORY:
 11/09/2007 - Revised S-040 to reflect changes Microsoft has made in their
              Security Advisory 944653, where they included identified
              workarounds for this vulnerability and additional information
              on what secdrv.sys is.
[***** Start Microsoft Security Advisory (944653) *****]

Microsoft Security Advisory (944653)
Vulnerability in Macrovision SECDRV.SYS Driver on Windows Could Allow
Elevation of Privilege

Published: November 5, 2007 | Updated: November 7, 2007

Microsoft is working with Macrovision, investigating new public reports of a
vulnerability in the Macrovision secdrv.sys driver on supported editions of
Windows Server 2003 and Windows XP. This vulnerability does not affect
Windows Vista. We are aware of limited attacks that try to use the reported
vulnerability.

Microsoft is actively monitoring this situation to keep customers informed
and to provide customer guidance as necessary. Upon completion of this
investigation, Microsoft will take the appropriate action to help protect
our customers. This will include providing a security update through our
monthly release process.

Microsoft is concerned that this new report of a vulnerability in the
Macrovision secdrv.sys driver on supported editions of Windows Server 2003
and Windows XP was publicly disclosed, potentially putting computer users at
risk. We continue to encourage responsible disclosure of vulnerabilities. We
believe the commonly accepted practice of reporting vulnerabilities directly
to a vendor serves everyone's best interests. This practice helps to ensure
that customers receive comprehensive, high-quality updates for security
vulnerabilities without exposure to malicious attackers while the update is
being developed.

General Information

Overview

Purpose of Advisory: Notification of the availability of the update from
Macrovision, which helps protect against this potential threat.

Advisory Status: Issue Confirmed, Security Update Planned.

Recommendation: Install the update offered by Macrovision for systems running
supported editions of Windows XP and Windows Server 2003 to help protect
against this vulnerability.

References:
  CVE Reference    CVE-2007-5587

This advisory discusses the following software.
Related Software:
  Microsoft Windows XP Service Pack 2
  Microsoft Windows XP Professional x64 Edition
  Microsoft Windows XP Professional x64 Edition Service Pack 2
  Microsoft Windows Server 2003 Service Pack 1
  Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  Microsoft Windows Server 2003 Service Pack 2
  Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
  Microsoft Windows Server 2003 x64 Edition
  Microsoft Windows Server 2003 x64 Edition Service Pack 2

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Macrovision
secdrv.sys driver on supported editions of Windows Server 2003 and Windows
XP. This affects the software that is listed in the "Overview" section.

Is this a security vulnerability that requires Microsoft to issue a security
update?
Yes. Upon completion of this investigation, Microsoft will take the
appropriate action to help protect our customers. This will include providing
a security update through our monthly release process.

What causes this vulnerability?
The Macrovision secdrv.sys driver on supported editions of Windows Server
2003 and Windows XP incorrectly handles configuration parameters.

What is secdrv.sys?
The driver, secdrv.sys, is used by games that use Macrovision SafeDisc. The
driver validates the authenticity of games that are protected with SafeDisc
and prevents unauthorized copies of such games from playing on Windows.
secdrv.sys is included with Microsoft Windows XP, Windows Server 2003 and
Windows Vista to increase compatibility of these games on Windows. Without
the driver, games with SafeDisc protection would be unable to play on
Windows. SafeDisc remains inactive until invoked by a game for authorization
to play on Windows.

What might an attacker use this driver to do?
An attacker with local access to a system could successfully exploit this
vulnerability to gain elevation of privilege on an affected system.
What versions of Windows are associated with this advisory?
This advisory addresses the Macrovision secdrv.sys driver on supported
editions of Windows Server 2003 and Windows XP.

What is Microsoft's position on third party security updates and
mitigations?
As a best practice, customers should obtain security updates and guidance
from the original software vendor. For this vulnerability, Macrovision and
Microsoft are the original software vendors. Microsoft carefully reviews and
tests security updates and workarounds to ensure that they are of high
quality and have been evaluated thoroughly for application compatibility.
Microsoft will take the appropriate action to help protect our customers.
This will include providing a security update through our monthly release
process. Microsoft recommends that customers review the Macrovision advisory
before applying the update offered by Macrovision.

Suggested Actions

• Protect Your PC
  We continue to encourage customers to follow our Protect Your PC guidance
  of enabling a firewall, getting software updates and installing antivirus
  software. Customers can learn more about these steps by visiting the
  Protect Your PC Web site.

• For more information about staying safe on the Internet, customers should
  visit the Microsoft Security Home Page.

• Update Provided by Macrovision
  For supported editions of Windows Server 2003 and Windows XP, users can
  install the update offered by Macrovision. Microsoft recommends that
  customers review the Macrovision advisory before applying the update
  provided by Macrovision.

• Keep Windows Updated
  All Windows users should apply the latest Microsoft security updates to
  help make sure that their computers are as protected as possible. If you
  are not sure whether your software is up to date, visit the Windows Update
  Web site, scan your computer for available updates, and install any
  high-priority updates that are offered to you.
  If you have Automatic Updates enabled, the updates are delivered to you
  when they are released, but you have to make sure you install them.

Mitigating Factors

Microsoft Vista is not vulnerable to this issue. An attacker must have logon
permissions to the operating system to exploit this vulnerability.

Workarounds

• Disable the secdrv.sys driver in the system registry
  Disabling the secdrv.sys driver in the system registry key helps protect
  affected systems from attempts to exploit this vulnerability.

  Note: Using Registry Editor incorrectly can cause serious problems that
  may require you to reinstall your operating system. Microsoft cannot
  guarantee that problems resulting from the incorrect use of Registry
  Editor can be solved. Use Registry Editor at your own risk. For
  information about how to edit the registry, view the "Changing Keys And
  Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and
  Delete Information in the Registry" and "Edit Registry Data" Help topics
  in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type regedit and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, and
     then expand Services.
  3. Left click on Secdrv.
  4. To back up the registry before you edit it, left click on the File
     menu and select Export... In the Export Registry File dialog type
     Secdrv_configuration_backup.reg and select Save.
  5. Right click on Start, select Modify, and change Value data: to 4.

  Impact of Workaround: Programs that require the secdrv.sys driver will not
  run.

Resources:

• You can provide feedback by completing the form by visiting the following
  Web site.

• Customers in the United States and Canada can receive technical support
  from Microsoft Product Support Services. For more information about
  available support options, see the Microsoft Help and Support Web site.
• International customers can receive support from their local Microsoft
  subsidiaries. For more information about how to contact Microsoft for
  international support issues, visit the International Support Web site.

• The Microsoft TechNet Security Web site provides additional information
  about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Microsoft Corporation or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing
limitation may not apply.

Revisions:

• November 05, 2007: Advisory published
• November 07, 2007: Advisory revised to include identified workarounds for
  this vulnerability and additional information on what secdrv.sys is.

[***** End Microsoft Security Advisory (944653) *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
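The registry workaround from the Microsoft advisory above (export the Secdrv service key, then set its Start value to 4), scripted as an added example; this is not part of the CIAC bulletin or the Microsoft advisory. It assumes an elevated PowerShell prompt on Windows XP or Server 2003 and uses the standard reg.exe export command for the backup.

```powershell
# Added example (not from the CIAC bulletin or Microsoft advisory): scripted
# form of the "Disable the secdrv.sys driver" workaround. Run elevated.
# Start=4 is SERVICE_DISABLED; the previous value is recorded so the change
# can be reverted once the vendor update is applied.

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Secdrv'
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\Secdrv'
$backup  = Join-Path $env:TEMP 'Secdrv_configuration_backup.reg'

if (-not (Test-Path $key)) {
    Write-Host 'Secdrv service key not present; nothing to disable.'
    exit 0
}

# Advisory step 4: back up the key before touching it. Remove any stale
# copy first so reg.exe does not prompt about overwriting it.
if (Test-Path $backup) { Remove-Item $backup -Force }
& reg.exe export $regPath $backup
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; aborting.' }

$before = (Get-ItemProperty -Path $key -Name Start).Start
Write-Host "Current Start value: $before (backup written to $backup)"

# Advisory step 5: set Start (Value data) to 4.
Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord

# Verify the change actually landed.
$after = (Get-ItemProperty -Path $key -Name Start).Start
if ($after -ne 4) { throw "Start is $after, expected 4" }
Write-Host 'secdrv disabled (Start=4).'
Write-Host 'If the driver is currently loaded it stays loaded until reboot.'

# To revert later (after installing the Macrovision update), either
#   Set-ItemProperty -Path $key -Name Start -Value $before -Type DWord
# or import the saved backup:
#   reg.exe import $backup
```

As the advisory notes under Impact of Workaround, SafeDisc-protected programs will not run while Start remains 4, so keep the backup until the update is in place.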
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-030: Adobe Security Update
S-031: RSA Keon Vulnerability
S-032: CUPS Security Update and Bug Fix Update
S-033: AIX lqueryvg Buffer Overflow Vulnerability
S-034: SonicWall NetExtender NELaunchCtrl ActiveX Vulnerability
S-035: Perdition Format String Error
S-036: Mono Vulnerability
S-037: Perl-Compatible Regular Expression (PCRE) Vulnerabilities
S-038: Perl Security Update
S-039: httpd Security Update