
Microsoft's DRM makes your computer vulnerable to attack

Cory Doctorow at 10:59 pm Fri, Sep 24, 2010

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

The msnetobj.dll library is an ActiveX control used by Microsoft's DRM; it is intended to prevent the owner of a computer from saving or viewing certain files except under limited circumstances, and to prevent the computer's owner from disabling it or interfering with it.

As if that wasn't bad enough, it is also vulnerable to three separate attacks -- buffer overflow, integer overflow and denial of service -- any of which can compromise your computer's working, leaving your data vulnerable to crooks and vandals.

Microsoft DRM Technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities (Thanks, Freddie Freelance, via Submitterator)

  • Microsoft dropping DRM from Zune Music Store
  • Vista DRM is bad for Microsoft
  • MSFT: Our DRM licensing is there to eliminate ...
  • Cory's Microsoft DRM talk -- the video
  • BBC recruits Microsoft DRM exec

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • Anonymous

    To single out this particular component as being vulnerable to “buffer overflow, integer overflow and denial of service” is ridiculous. Every piece of un-managed code running on an x86 is subject to the first two, and every component that connects to a network can be affected by the third. Not that I’m particularly thrilled with msnetobj’s existence, but.

    • Ben Morris

      I’m not sure what you mean by “un-managed” here – presumably you aren’t referring to Microsoft’s “managed code”? And why do you single out x86?

      In any case, it is indeed possible to write overflow-proof code – overflows are due to programmer error, typically something along the lines of storing user input somewhere without first checking that it will fit (“Nobody’s first name is longer than one thousand characters, therefore nobody will try to enter more than one thousand characters in this box…”). For an example of a step people take to avoid buffer overflows, read the man pages or Wikipedia articles for “gets” and “fgets” – there are plenty of parallels for other languages and functions.

      Also, “denial of service” means a lot of things other than DDoS (which is, presumably, what you are talking about when you say that all networked components are vulnerable) – if you read the article, you’ll see that in this case, software can be made to crash remotely, which is by no means a universal problem.
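The gets/fgets point in the comment above, as an added example that is not part of the original thread: a bounded line read that also handles the over-long case by rejecting the input and discarding its tail. The names `read_field` and `read_nth_field` and the sample input are constructed for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum read_status { READ_OK, READ_TOO_LONG, READ_EOF, READ_BAD_ARG };

/* Read one line into buf, whose total capacity (NUL included) is cap.
 * gets() has no size argument; fgets() is told cap and never writes past it. */
enum read_status read_field(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || cap > INT_MAX) return READ_BAD_ARG;
    if (fgets(buf, (int)cap, in) == NULL)
        return READ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';           /* the whole line fitted */
        return READ_OK;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;                /* line exactly filled the buffer */
    /* Over-long input: reject it and drain the tail so it is not read as the next field. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    buf[0] = '\0';
    return READ_TOO_LONG;
}

/* Demo helper (hypothetical): status of the n-th line of a constructed input. */
enum read_status read_nth_field(const char *input, int n, char *buf, size_t cap)
{
    enum read_status s = READ_EOF;
    FILE *f = tmpfile();
    if (f == NULL) return READ_EOF;
    fputs(input, f);
    rewind(f);
    for (int i = 0; i < n && (i == 0 || s != READ_EOF); i++)
        s = read_field(f, buf, cap);
    fclose(f);
    return s;
}

int main(void)
{
    char name[8];   /* constructed input: an over-long line, then "Ada" */
    int s = read_nth_field("AAAAAAAAAAAAAAAAAAAA\nAda\n", 2, name, sizeof name);
    printf("status=%d name=%s\n", s, name);
}
```
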

      • foobar

        It’s possible to write code without buffer overflows in the same way that it’s possible to drive a car without crashing. We can expect most people not to crash their cars most of the time, but we can never hope to eliminate car crashes altogether.

        • Nadreck

          That’s a bad analogy. MicroSquash is in the position of someone building a car, not driving it. They should design, build, and test it so that the gas tank doesn’t explode in a 5 mph parking lot collision.

          Writing any size program so that it provably does not contain any buffer overflow possibilities is not all that hard if you have a commitment to QA and security from the beginning. I’ve done so with at least one hundreds-of-thousands-of-lines-of-code application and that was in a company with a programming staff of 12 and 3 QA people. In addition, it would hardly matter if you did have buffer overflows if your hardware didn’t allow execution of instructions on the Heap: as used to be the case.

          It’s the same thing with memory leaks. There are numerous systems that are built with the design criterion that memory leaks are unacceptable: the system must run for years without restart of the application or reboot of the machine. I’ve personally worked on one 3.5 million lines of code industrial application that often ran for 2 or 3 years of 7/24 usage without halt: the hardware wore out faster. Yet most programmers today would say that that can’t be done even on a little rinky-dink program like Windows.

          Having said that, the comment that “all managed code eventually calls unmanaged code” is a very good one: especially in networked situations.

    • Anonymous

      Exaggerate much ? Most people that are interested in causing mischief try to do so remotely on other people’s machines, and therefore target the (very few) applications that actually connect to the Internet on a regular and widespread basis, i.e. web browsers, IM, and email apps. So, in reality, only a handful of applications need to be bullet-proofed in such a manner and the damage would be severely curtailed.

      As for managed/un-managed code, you do realize that all managed code ends up calling un-managed code at some point, don’t you ?

  • orwellian

    Can I be the first ‘try Linux!’ fanboy?

    • Anonymous

      You can, but you’d be completely insane to think that Linux is any better.

  • fergus1948

    Not me, Cory, I’m using a ‘proprietary and closed system that puts blocks and hurdles in the way of creators in the name of “good user experience” and legal compliance.’

  • Rider

    Oh my god DRM evil. How about all the Microsoft accessibility files that have security vulnerabilities. Are those also evil?

    So tired of irrationality.

    • Cowicide

      > How about all the Microsoft accessibility files that have security vulnerabilities. Are those also evil?

      Microsoft as a whole is evil and so are its parts. So, yes, those are evil too. Evil, evil, evil.

    • Ben Morris

      I presume the point is that DRM, like any pointless bloat, increases the attack surface without doing anything useful.

      Accessibility tools actually add something that is useful to the user. (It should, of course, be easy to remove accessibility stuff that you don’t use, since in that case, it does act as bloat.)

      Also, DRM-related things seem to have a history of having an atypically large number of exploits, presumably because their workings are often intentionally obfuscated and because they often intentionally include mechanisms to allow (specific) people to do stuff the user doesn’t want them to do (for an example, see the viruses that exploited the Sony BMG rootkit to hide themselves).

    • Anonymous

      > How about all the Microsoft accessibility files that
      > have security vulnerabilities. Are those also evil?

      No, the accessibility files are there to *help* people with disabilities to access things. DRM files are there specifically to *restrict* access to things.

      Vulnerabilities are bad no matter where they are, but DRM with vulnerabilities like these are a case of adding insult to injury. Think of it as, “Not only are we going to hobble you from using the stuff you bought, but at the same time we’ll let the hackers bend you over and bone you for fun and profit!”

      > So tired of irrationality.

      Yeah, you’re so tired you can’t think straight.

  • brianary

    I guess some detractors owe an apology to Peter Gutmann (and others).

    http://www.exploit-db.com/exploits/15061/

    • brianary

      Wrong link.

      Peter Gutmann: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

  • Anonymous

    “crooks and vandals” = MPAA and RIAA?

  • CuriousDave

    I’d like to see Bill and crew start to expend as much concern for their users as they do for the DRM Crowd. I can’t copy a dvd that I PAID FOR with media player, but nearly any yahoo with some smarts and time can hack my computer.
    Bill has always been hell on copyright violations. I wish he’d become hell on those who violate his users.

  • brianary

    Wait, how do I tell the difference between one group assuming ownership of my computing hardware to interfere with my reasonable and legitimate use of my property to prop up their otherwise impossible business model, and the other?

  • Anonymous

    So as a consumer I get something added to my system that prevents me from making backups of my DVD’s or storing them on my HD for easy playback. Now I find out it also adds yet another security hole without providing ANY benefit to me at all. If you had asked me 25 years ago if I would buy software that restricts what I could do on MY hardware I would have thought you were insane.

    The security problem with DRM is just insult to injury.

    Oh, and it also slows your system down. Great, I buy faster hardware so MS can protect the interests of the big media companies. The sad part is it doesn’t even work. The Big Chinese copy factories still churn out fakes, the hackers still copy everything, but the user gets the shaft and PAYS for it.

    I have three systems a Vista laptop(that collects dust), a Windows XP desktop(that I play games on) and a multi boot Windows7 / Linux desktop that I use for most everything else.

  • Anonymous

    I’ve been saying Microsoft DRM was a gigantic security hole since Windows XP came out; I’m not the only person who’s been saying it, and it’s one of the varied reasons that Windows 2000 held on so long, especially among those to whom it wasn’t their first operating system.
    I would say that only blatant Microsoft apologists would say otherwise, but I have to leave room for those who simply don’t care, or are just unaware of the details.

  • Anonymous

    I’m With Ben Morris on this one:

    “DRM-related things seem to have a history of having an atypically large number of exploits, presumably because their workings are often intentionally obfuscated and because they often intentionally include mechanisms to allow (specific) people to do stuff the user doesn’t want them to do (for an example, see the viruses that exploited the Sony BMG rootkit to hide themselves).”

    Yeah, there’s some ‘DRM is teh Evil’ posturing here but the DRM components of the operating system really are a special case: they are intended to control what you can do with your computer and they have more rights than the machine’s nominal owner – the user. In a sense, they are a preinstalled rootkit and the scope for malicious misuse must – surely! – have been an issue when these subsystems were developed and tested.

    Or maybe there is no concern whatsoever for security in Redmond – or, at best, an idea that security is an extra, a bolt-on, a cause for protest and resentment when the tedious busybodies in QA come back with nitpicking and irrelevant objections.

    It’s telling that these exploits against the consumer are so easy: bypassing or subverting the DRM to the detriment of the rights-holders in the media content industry is much, much harder. Security was designed-in for them! But then, the media owners are Microsoft’s ‘customers’ in a way that software buyers and computer owners do not seem to be.

  • AirPillo

    People have known for years that even though ActiveX was designed for legal purposes, the vast majority of its actual usage is by malware.

    ActiveX is like drilling a hole in the keel of every seafaring ship and placing a bilge pump right next to it. Sure if everything is working right the pump balances it out, and your ship doesn’t sink, but it’s probably better to just not drill holes in the hull.

    • Rob

      Umm, no.

      Do you know what ActiveX is? It’s an array of function pointers and required function implementation. It’s really only the expression of one possible implementation of C++ inheritance.

      There’s absolutely nothing wrong with ActiveX. A lot of the OS uses it internally. The problem is that the browser can use it.

  • Anonymous

    I’m using Linux, so.. no any kind of M$ drm/malware/spyware here. Thank you.

  • Freddie Freelance

    The reason this is so dangerous is that this DLL is invoked every time you read a media file that contains DRM, so a fake media file or scripted invocation of the DLL that sends a malformed response to the “GetLicenseFromURLAsync” function could crash IE and run scripts on your computer as if it were coming from IE.

  • Anonymous

    The Peter Gutmann paper interleaves nicely with Dan Geer’s paper, Cyberinsecurity: The Cost of Monopoly.

    http://cryptome.org/cyberinsecurity.htm

    I think everybody knows by now that Dan was fired in 2003 from consulting at @stake for this paper. http://en.wikipedia.org/wiki/Dan_Geer

    However, according to Wikipedia, his points were sufficiently valid to get Microsoft to fix some issues in Vista.

  • PNutts

    A quick glance at the SANS vulnerability summary this week shows this isn’t the only or most important vulnerability out there. Secunia notifications paint a far worse picture of open platforms.

    Windows 3
    Third Party Windows Apps 4
    Mac Os 1
    Linux 7
    Novell 1
    Cross Platform 15
    Web Application – Cross Site Scripting 9
    Web Application – SQL Injection 7
    Web Application 19
    Network Device 4

  • Anonymous

    To be fair, though, what Windows component hasn’t suffered from multiple remote vulnerabilities over the last 15 years?

    • Anonymous

      Maybe Microsoft Bob?