New hack simplifies high-definition video copying
Wednesday, February 14, 2007
A hacker claims to have discovered a cryptographic key that can be used to circumvent copy restrictions on HD DVD and Blu-ray movies. The key, which was published on the Doom9.org discussion forum, is a further step toward undermining the next-generation AACS (Advanced Access Content System) encryption system used to copy-protect high-definition media.
The hacker, going by the name of Arnezami, said he discovered the key by examining what was happening in his computer's memory while it processed an HD DVD video.
A spokeswoman for the group that sets the AACS specification, called the AACS Licensing Administrator, said Arnezami's claims were being investigated but declined to provide further comment.
In late December, a different hacker, named Muslix64, posted a software program that could decrypt high-definition movies. Users needed to first enter another type of encryption key, called the "volume key," for the software to work. More than 100 of these volume keys have since popped up, allowing users to freely copy such films as King Kong, Mission: Impossible and Jarhead.
The publication of this latest key, called a processing key, gives users a much easier way to figure out the volume keys they need in order to make movie copies with the HDDVDBackup software, according to Arnezami.
Introduced in April 2005, AACS is supported by media and technology companies such as Microsoft, Matsushita Electric Industrial Co. (Panasonic), Sony, Toshiba, The Walt Disney Co. and Warner Bros.
The encryption system is designed to be more robust than the CSS (content scrambling system) encryption scheme used by DVDs, which was completely cracked in late 1999.
Microsoft Patches 20 Security Vulnerabilities
Microsoft delivered its monthly batch of security updates on Feb. 13, with fixes for 20 individual problems in its products spread across a dozen bulletins, six of which were rated critical, the firm's most severe vulnerability rating.
Among the security updates issued by Redmond, Wash.-based Microsoft was a cumulative bulletin for the company's Internet Explorer browser which seeks to address three issues all ranked as critical by the software maker.
Included in the IE bulletin were fixes for a pair of COM (component object model) instantiation memory corruption vulnerabilities, and a fix for an FTP server response parsing memory corruption issue. The issues are rated as critical in versions of the browser previous to its current IE 7 iteration in which they rank as only "important" or "low."
In another cumulative bulletin, Microsoft issued patches for six individual problems in its Word products, five of which were rated as critical in the Office 2000 iteration of the product. Included in the update were fixes for a malformed string vulnerability, malformed data structure flaw, malformed object drawing glitch, malformed function problem and a Word count issue, all of which received the critical designation in the Word 2000 version of the program.
An additional macro vulnerability and examples of the other five security problems present in later versions of Word were given the less severe ranking of important. However, all six of the Word vulnerabilities could lead to remote code execution by attackers if properly exploited, Microsoft stated.
In another Office-related bulletin, Microsoft distributed patches for two individual problems in the package, specifically detailing a malformed record memory corruption vulnerability in the product's PowerPoint presentation application, along with a malformed record issue discovered in the Excel spreadsheet program. Both issues were ranked as critical in the Microsoft Office 2000 version of the productivity suite, and only as important in later iterations of the platform.
Among the other critical security bulletins issued by Microsoft was a fix for a problem in its HTML Help ActiveX Control software, which ranked as critical in its Windows 2000 SP4 and Windows XP SP2 programs, and charted as only "moderate" in its Windows Server 2003 and Windows Server 2003 SP1 products. If exploited, the problem could allow affected computers to be taken over remotely by hackers, the company said.
Microsoft also moved to fix a well-publicized vulnerability in the Data Access Components element of its ActiveX software rated as critical that exists in its Windows 2000 SP4 and Windows XP SP2 products. The problem is also present in the firm's Windows Server 2003 package, but rated as only a moderate risk in that product.
Attempting to patch an embarrassing flaw in its own anti-virus software, Microsoft issued a patch for a critical problem in its Malware Protection Engine—which is an element of nearly all the company's security products, including its Windows Live OneCare, Antigen for Exchange 9.x, Antigen for SMTP Gateway 9.x, Windows Defender, and Forefront Security packages.
Like the other flaws addressed by Microsoft, the security product issues could also allow for remote code execution on affected computers, the company said.
Included in the six bulletins ranked by Microsoft as only important were fixes for problems in the company's step-by-step interactive training program, with related vulnerabilities cited in the firm's Windows 2000 SP2, Windows XP SP2 and Windows Server 2003 products.
Other important bulletins were shipped to address issues in the Windows shell technology, Windows image acquisition service and Windows OLE (object linking and embedding) dialog system. The company issued important patches for issues in its MFC (Microsoft Foundation Class) library technology in Windows, and its Visual Studio products, as well as to fix a problem in the RichEdit function of its Windows and Office programs.
Security researchers highlighted Microsoft's move to shut down at least six product vulnerabilities that have been used in so-called zero-day attacks, or malware threats aimed at flaws previously unrecognized by the software maker.
"Today Microsoft patched six vulnerabilities that were previously used in recent targeted zero-day attacks," Dave Marcus, security research and communications manager with McAfee's Avert Labs, said in a report.
"This continues the trend of malware authors targeting widely deployed Microsoft business applications and services. Malware authors continue to find unknown or unpatched vulnerabilities in popular applications and services which are then used in zero-day attacks, putting both business and consumer data at risk."
While Microsoft tied its record for its greatest number of security bulletins, having shipped another dozen of the updates in August 2006, the February 2007 release fell short of the company's record for the most individual patches, as some 23 individual issues were addressed in the August '06 shipment.
However, the February 2007 shipment does establish a high-water mark for critical patches released by the software vendor in one month as Microsoft addressed only 10 issues earmarked as critical in the August '06 batch of patches, while the February '07 release seeks to fix a total of 11 critical security problems.
Vista to bite into Apple's Mac market share
The launch of Microsoft Corp.'s Windows Vista operating system will have a negative effect on Apple's share of the personal computer market over the next several months, according to checks performed by research and investment firm PiperJaffray.
In a research note released to clients on Wednesday, Sr. Analyst Gene Munster said that while a survey of 50 Best Buy retail stores around the country found that Vista sales have not met expectations, PC sales have still risen as a result of the software roll-out.
"Of the 50 stores we surveyed, 80 percent of Best Buy stores indicated that they have sold less copies of Vista than they had expected," the analyst wrote. But at the same time, he said, 72 percent of the stores saw an increase in Windows PC sales since the software launched.
Munster, who attributes the surge to pent-up demand for PCs with Vista pre-installed, is forecasting a spike in Windows PC sales during the March calendar quarter, which "could put downward pressure on Mac market share." More specifically, the analyst expects Mac market share to decline from 2.5 percent in December to 2.3 percent in March.
"Historically, from December '04 to March '05, Mac units increased by 2.3 percent and the market share increased by 0.3 percent," he wrote. "During the Intel transition, from December '05 to March '06 Mac units fell by 11.3 percent and market share was flat."
Still, Munster said he remains confident that Apple in 2007 will gain share overall, helped by the industrywide shift toward portables where it currently excels. The analyst also sees potential for Apple to seize the opportunity presented by the launch of Vista to gain mind share with consumers.
"The company views this season of Vista-related computer purchases as an opportunity to sell more Macs," he wrote. "Around the time of the consumer Vista launch, Apple initiated several strategies to attract Vista customers toward the Mac."
For instance, in an email to registered iPod owners with PCs, Apple asked customers: "Upgrading to Vista? Think Mac." The Cupertino-based firm also launched national TV ad campaigns in the US, UK, and Japan criticizing Vista's difficult installation process and frustrating security features. Furthermore, recent reports suggest that Apple's retail stores will also be used in an effort to monetize the Vista opportunity, with employees emphasizing the fact that Macs run both Mac OS X and Windows.
"Although many features of Vista are already available on Apple's current operating system, 10.4 Tiger, Apple is preparing 10.5 Leopard for a Spring release," Munster told clients. "With the release of Leopard, Mac market share will benefit from upward pressure from slight pent-up demand."
The analyst said the release of Leopard will also mark a turning point for investors, who will shift their focus back on the Mac chapter of the Apple story. The launch of Tiger in April 2005 added $100m in revenue to the company's June quarter, he said, with 2 million copies shipping in the first month of availability.
Since Tiger's release, which went on to sell 7 million copies in its first year on the market, the Mac OS X installed base has grown 25 percent from 16 million users to about 20 million users, Munster said. Similarly, he expects 40 percent of Mac users to upgrade to Leopard in the first year of availability.
"Assuming a late April launch, this would lead to Leopard sales adding $130 million to the June '07 quarter, shipping 2.6 million copies in the first month of availability and adding $456m to [fiscal 2007], shipping about 9 million copies in the first year," he wrote.