Plug a Windows XP Copy Protection Hole
Plus: Fix Firefox stability problems, and snag Apple's Mac OS X megapatch.
Microsoft reports "limited" attacks on Windows XP systems through an unexpected route: a security hole in a copy protection program that comes with XP. (Windows Vista is not at risk.)
The program that attackers are leveraging is Macrovision's SafeDisc, optical-disc copy prevention software for Windows applications and games. The flaw is located in a system driver file called secdrv.sys. Microsoft immediately issued a Security Advisory.
Macrovision released a patch; at press time Microsoft was still testing the patch and was not yet distributing it via its automatic updates.
A successful attack could lead to a complete takeover of your PC, but such a success is harder to pull off than with most garden-variety "critical" bugs. Regardless, grabbing the patch is a good idea: You never know when some unscrupulous hacker will tweak the exploit code to make it far more dangerous.
Microsoft finally produced the long-awaited patch for the "URI Handler" bug that I wrote about last month. If you are running Internet Explorer 7 on Windows XP, you're vulnerable and you need the patch. If you are running IE 7 on Windows Vista, though, you're safe.
Attacks "in the wild" based on this flaw have already occurred. This assault, however, requires interaction with third-party programs such as the Mozilla Firefox browser or Adobe Acrobat to work. Luckily, those software makers patched their products quickly, while everyone waited for a more complete fix from Microsoft. If you have automatic updates enabled on your Windows XP system, you should have the patch by now. Otherwise, be sure to get your hands on the patch.
Keep Up With Firefox Versions
Mozilla has released an update that, for once, doesn't directly involve security bugs. Instead, the patch fixes some stability problems that ironically resulted from the previous security update.
One of the new annoyances caused Windows Vista to prevent Firefox from loading Java applets, for instance. Mozilla's developers quickly issued the second update, which corrected the self-inflicted problems.
If you already have Firefox 2.
Apple has issued another massive update for OS X that any Mac user will want. The update, available for both client and server versions of OS X 10.3.9 and OS X 10.4 through 10.4.10, fixes a total of 41 security vulnerabilities--17 of which I'd classify as critical.
Stuart J. Johnston
