Posted 11-07-2007, 06:07 AM by Symantec (Senior Member, Join Date: Oct 2006, Posts: 295)
Follow-up on Macrovision Secdrv exploit
<p>A few weeks ago, we warned users about a new <a href="http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i.html">Local Privilege Escalation vulnerability in Windows XP and 2003</a>. The original exploit was found in the wild and actively used against Windows-based computers to gain SYSTEM privileges and install additional malware or bypass other restrictions. It wasn’t just proof-of-concept code, but a malicious exploit used in real (but limited) attacks. Today, Microsoft posted <a href="http://www.microsoft.com/technet/security/advisory/944653.mspx">Microsoft Security Advisory (944653)</a> about this issue.</p>

<p>With the release of this advisory, I’d like to answer a few follow-up questions for blog readers:</p>

<p><em>Q: I don’t play games and I don’t use Macrovision software, so am I safe?</em><br />
<em>A:</em> No. The vulnerable component affected by the bug is the Macrovision driver SECDRV.SYS, which is shipped by default with Windows systems. It is usually installed under the %System%\drivers folder.</p>

<p><em>Q: Is Windows Vista affected by this vulnerability?</em><br />
<em>A:</em> Vista is not affected. Only SECDRV versions shipped with Windows XP and 2003 are. Instead, the version shipped with Vista is a completely different driver, reworked and not vulnerable to this attack. We have tested versions of SECDRV.SYS taken from different systems and here is what we have seen:</p>

<table width="370" height="173" border="1" cellpadding="0" cellspacing="0" >
<tr>
<td width="71" height="47" valign="top"><p><strong>Operating System</strong></p></td>
<td width="57" valign="top"><p><strong>File Size (bytes)</strong></p></td>
<td width="72" valign="top"><p><strong>Properties (version)</strong></p></td>
<td width="85" valign="top"><p><strong>Properties (date)</strong></p></td>
<td width="73" valign="top"><p><strong>Vulnerable</strong></p></td>
</tr>
<tr>
<td width="71" height="42" valign="top"><p>Vista</p></td>
<td width="57" valign="top"><p>20,480</p></td>
<td width="72" valign="top"><p>4.3.86.0</p></td>
<td width="85" valign="top"><p>September 13, 2006</p></td>
<td width="73" valign="top"><p>No</p></td>
</tr>
<tr>
<td width="71" height="41" valign="top"><p>2003</p></td>
<td width="57" valign="top"><p>163,644</p></td>
<td width="72" valign="top"><p>4.0.60.0</p></td>
<td width="85" valign="top"><p>August 31, 2004</p></td>
<td width="73" valign="top"><p>Yes</p></td>
</tr>
<tr>
<td width="71" height="41" valign="top"><p>XP</p></td>
<td width="57" valign="top"><p>27,440</p></td>
<td width="72" valign="top"><p>n/a</p></td>
<td width="85" valign="top"><p>n/a<br />(2004?)</p></td>
<td width="73" valign="top"><p>Yes</p></td>
</tr>
</table>

<p>So the version released in 2006 and shipped with Vista is safe.</p>

<p><em>Q: What can attackers do using this exploit?</em><br />
<em>A:</em> The exploit can overwrite memory locations in the kernel, so the attacker can execute code in ring-0. This means that bad guys can bypass security restrictions, gain additional privileges, disable security protections, install a rootkit, etc.</p>

<p>It is a local exploit only, so the attacker has to be logged on to the computer with an account. This fact mitigates risks for home users who often work with one account on their computers. The situation is more complicated for corporate networks, where multiple users with different privileges can log on to different computers. </p>

<p>However, all users should keep in mind that, in a multi-layered defense perspective, it is possible that malware dropped on the system via some other exploit (e.g. browser vulnerability or <a href="http://www.symantec.com/enterprise/security_response/weblog/2007/10/when_pdfs_attack_again.html">the recent PDF exploit</a>) could potentially take advantage of the SECDRV bug to take further control of the computer and bypass other layers of protection.</p>

<p><em>Q: Where is the patch?</em><br />
<em>A:</em> Macrovision released a version of the driver today (almost identical to the one shipped with Vista) that fixes this problem. The update is available here:<br />
<a href="http://www.macrovision.com/promolanding/7352.htm">http://www.macrovision.com/promolanding/7352.htm</a></p>

<p>It’s not clear at the moment if Microsoft will distribute this update with the next cycle of Windows Update. </p>
http://www.symantec.com/enterprise/security_response/weblog/2007/11/followup_on_macrovision_secdrv.html
Tue, 06 Nov 2007 07:59:45 -0800
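The following PowerShell script is an added example and is not part of the original post, nor code from Symantec, Microsoft or Macrovision. It turns the size/version table above into a local check: it reads the installed SECDRV.SYS, compares its size and file version against the builds the post lists as vulnerable or not, and reports whether the driver is currently loaded. It assumes the driver sits at %SystemRoot%\System32\drivers\secdrv.sys (the post's "%System%\drivers") and that the kernel service registered for it is named "secdrv" (an assumed name, not stated in the post).

```powershell
# Added example: assess the installed SECDRV.SYS against the post's table.
# Not code from the original post or from Symantec/Macrovision.
# Assumptions: driver path %SystemRoot%\System32\drivers\secdrv.sys and
# kernel service name 'secdrv' (assumed; adjust if your system differs).

function Test-SecdrvDriver {
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\secdrv.sys'

    # Size (bytes) and file version of the builds listed in the post.
    # The XP entry has no version resource in the post's table, so Version is $null.
    $known = @(
        @{ OS = 'Vista';        Size = 20480;  Version = '4.3.86.0'; Vulnerable = $false }
        @{ OS = 'Windows 2003'; Size = 163644; Version = '4.0.60.0'; Vulnerable = $true  }
        @{ OS = 'Windows XP';   Size = 27440;  Version = $null;      Vulnerable = $true  }
    )

    if (-not (Test-Path -LiteralPath $driverPath)) {
        Write-Output "secdrv.sys not present at $driverPath; nothing to assess."
        return
    }

    $file    = Get-Item -LiteralPath $driverPath
    $size    = $file.Length
    $version = $file.VersionInfo.FileVersion   # empty when the PE carries no version resource
    $shown   = if ($version) { $version } else { 'n/a' }

    Write-Output ("secdrv.sys: {0} bytes, version {1}, last modified {2}" -f $size, $shown, $file.LastWriteTime)

    # Match on size first; require the version to agree where the table has one.
    $match = $known | Where-Object {
        $_.Size -eq $size -and ($null -eq $_.Version -or $_.Version -eq $version)
    } | Select-Object -First 1

    if ($match) {
        if ($match.Vulnerable) {
            Write-Output ("Matches the {0} build listed as vulnerable; install the Macrovision update." -f $match.OS)
        } else {
            Write-Output ("Matches the {0} build listed as not vulnerable." -f $match.OS)
        }
    } else {
        Write-Output "Build not in the post's table (possibly the updated driver); compare against the vendor download."
    }

    # Is the driver registered and running right now? Kernel drivers are not
    # returned by Get-Service, so query Win32_SystemDriver instead.
    # Service name 'secdrv' is an assumption.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='secdrv'" -ErrorAction SilentlyContinue
    if ($drv) {
        Write-Output ("secdrv driver service: State={0}, StartMode={1}" -f $drv.State, $drv.StartMode)
    } else {
        Write-Output "No 'secdrv' driver service registered."
    }
}

Test-SecdrvDriver
```

Run it from an elevated prompt on the XP or 2003 host you want to assess. A size/version pair that is absent from the table is reported as unknown rather than safe, because the post only vouches for the three builds it lists; a driver that matches the 2003 or XP row should be updated from the Macrovision link above.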