the control was still present after the XCP uninstallation was complete, and that its methods (including one that rebooted the computer) were scriptable from any web page without further browser security warnings. We found that the InstallUpdate and Uninstall methods have an even more serious flaw. Each takes as an argument a URL pointing to a specially formatted archive that contains updater or uninstaller code and data files. When these methods are invoked, the archive is retrieved from the provided URL and stored in a temporary location. For the InstallUpdate method, the ActiveX control extracts from the archive a file named InstallLite.dll and calls a function in this DLL named InstallXCP.
Like the MediaMax ActiveX control, the XCP control does not validate the download URL or the downloaded archive. The only barrier to using the control to execute arbitrary code is the proprietary format of the archive file. We determined the format by disassembling the control. The archive file consists of several blocks of gzip-compressed data, each storing a separate file and preceded with a short header. At the end of the archive, a catalog structure lists metadata for each of the blocks, including a 32-bit CRC. The control verifies this CRC before executing code from the DLL.
With knowledge of this file format, we constructed an archive containing benign proof-of-concept exploit code. The most difficult detail was the CRC, which is computed with an apparently proprietary algorithm that proved tedious to reverse engineer. We saved the trouble by having the ActiveX control compute the CRC for us. The control checks the CRC by computing a CRC for the file data in the archive and verifying that it matches the CRC specified in the archive catalog. We inserted a break point where the comparison occurs and ran the control on an archive containing code we prepared. We then took the CRC computed by the control and placed it in the archive catalog. Thus modified, the archive passed the CRC check and the ActiveX control executed our code. (This illustrated why digital signatures, rather than CRCs, must be used to validate code from untrusted sources.)
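As an added illustration of the preceding paragraphs (this is not code from the paper or from the XCP control), a toy version of such a catalog-plus-gzip-blocks archive in Python: extract() with no key reproduces the CRC-only check, which an archive built by any party satisfies, while the keyed variant rejects an archive the vendor did not produce before any of its contents are looked at. The layout, field names, MAGIC and key are constructed assumptions, and an HMAC stands in for the digital signature the paper calls for because the standard library has no public-key primitives; a shipped verifier would carry only a public key.

```python
import gzip, hashlib, hmac, struct, zlib

MAGIC = b"TOYARCH"      # constructed magic; the real XCP format is undocumented
TAG_LEN = 32            # HMAC-SHA256 tag appended after the catalog

def build_archive(files, mac_key=None):
    """files: {name: bytes}. Assumed layout: MAGIC, then per file a u32 length +
    gzip block, then the catalog, a u32 catalog length, and a 32-byte tag
    (all zeros when the builder holds no key, i.e. an unauthorized source)."""
    body = bytearray(MAGIC)
    catalog = bytearray(struct.pack("<H", len(files)))
    for name, data in files.items():
        comp = gzip.compress(data)
        offset = len(body)
        body += struct.pack("<I", len(comp)) + comp
        # catalog entry: u16 name length, name, u32 block offset, u32 CRC of plaintext
        catalog += struct.pack("<H", len(name)) + name.encode()
        catalog += struct.pack("<II", offset, zlib.crc32(data))
    tag = (hmac.new(mac_key, bytes(catalog), hashlib.sha256).digest()
           if mac_key else bytes(TAG_LEN))
    return bytes(body) + bytes(catalog) + struct.pack("<I", len(catalog)) + tag

def extract(archive, verify_key=None):
    """Return {name: bytes}. verify_key=None is the weak CRC-only check the
    paper describes; with a key the catalog must also carry a valid tag, so
    an archive from an unauthorized source is rejected before any CRC runs."""
    if not archive.startswith(MAGIC):
        raise ValueError("bad magic")
    tag = archive[-TAG_LEN:]
    (clen,) = struct.unpack("<I", archive[-TAG_LEN - 4:-TAG_LEN])
    catalog = archive[-TAG_LEN - 4 - clen:-TAG_LEN - 4]
    if verify_key is not None:
        expected = hmac.new(verify_key, catalog, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("catalog authentication failed")
    (count,) = struct.unpack_from("<H", catalog, 0)
    pos, out = 2, {}
    for _ in range(count):
        (nlen,) = struct.unpack_from("<H", catalog, pos)
        name = catalog[pos + 2:pos + 2 + nlen].decode()
        offset, crc = struct.unpack_from("<II", catalog, pos + 2 + nlen)
        pos += 2 + nlen + 8
        (blen,) = struct.unpack_from("<I", archive, offset)
        data = gzip.decompress(archive[offset + 4:offset + 4 + blen])
        if zlib.crc32(data) != crc:      # integrity only: anyone can recompute this
            raise ValueError(f"CRC mismatch for {name}")
        out[name] = data
    return out
```

The CRC catches transmission corruption and nothing more; only the keyed check ties the archive to a party the control should trust.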
This procedure would allow a malicious web site to execute arbitrary code on the user's machine. Like the MediaMax uninstaller flaw, it is especially dangerous because users who have completed the XCP uninstallation may not be aware that they are still vulnerable.
Obviously, these vulnerabilities could have been prevented by careful design and programming. But they were only possible at all because the vendors chose to deliver the uninstallers via this ActiveX method rather than using an ordinary download. We conjecture that the vendors made this choice because they wanted to retain the ability to rewrite, modify, or cancel the uninstaller later, in order to further their platform-building strategy.
9 Compatibility and Software Updates
Compared to other media on which software is distributed, compact discs have a very long life. Many compact discs will still be inserted into computers and other players twenty years or more after they are first bought. If a particular version of DRM software is shipped on a new CD, that software version may well try to install and run decades after it was developed. The same is not true of most software, even when shipped on a CD-ROM. Very few, if any, of today's Windows XP CDs will be inserted into computers in 2026; but today's music CDs will be, so their DRM software must be designed carefully for future compatibility.
The software should be designed for safety, so as not to cause crashes or malfunction of other software, and may be designed for efficacy, to ensure that its anti-copying features remain effective.
9.1 Supporting Safety by Deactivating Old Software
Safety is easier to achieve, and probably more important. One approach is to design the DRM software to be inert and harmless on future systems. Both XCP and MediaMax do this by relying on Windows autorun, which is likely to be disabled in future versions of Windows for security reasons. If the upcoming Windows