Magix blocks exploit publication
According to correspondence seen by heise Security, The H's associates in Germany, Magix has, with the support of lawyers, taken action to block the publication of a proof of concept exploit which demonstrates a security vulnerability in its Music Maker 16 software. As a result, the discoverer of the vulnerability, Swedish security researcher 'acidgen', has omitted the exploit from his advisory.
The letter from Magix' lawyer starts out politely enough by thanking the researcher for finding the vulnerability: "I have to point out that my client appreciates your efforts to examine the Music Maker, and MAGIX will use this information to improve its products", but in a rapid change of tone, the correspondence continues, "MAGIX does not appreciate that you are intending to publicly release the Exploit and to cause irreparable harm. As you may be aware it is illegal to release software which is intended to commit computer sabotage." This is followed by a reference to German anti-hacking legislation (Section 202c of the German Criminal Code).
In issuing such a warning, the company's lawyer is very clearly placing himself at odds with the German Federal Constitutional Court's interpretation of this legislation. The constitutional court rejected a legal challenge to the legislation, arguing that the rules only apply to programs developed with illegal intent. According to the court, the suitability of a program for hacking purposes alone is not sufficient to make its use illegal. Proving illegal intent for an exploit which merely runs the calculator and, furthermore, has been utilised by the vendor, could be tricky.
After the researcher first got in touch (and before getting its lawyers involved), Magix exchanged a number of emails with the researcher via its forum. Magix asked the researcher for details of the security vulnerability, the proof of concept exploit and possible attack scenarios – for which it offered its thanks and noted that the company wished to discuss the problem internally. Following more than a month of apparent inaction, the researcher asked Magix whether it had succeeded in resolving the problem and whether it could give him a release date for the patch.
Magix was given to understand that he was intending to publish an advisory that would include the exploit once Magix had resolved the problem – an entirely normal way of going about things. He also offered his assistance in plugging the vulnerability – a fact that Magix' lawyer then used against him. "In addition this announcement together with your offering to have the vulnerability fixed by your company may be considered as an attempted extortion." maintained Magix' lawyer.
This was followed up with the thinly veiled threat: "You may rest assured that MAGIX will enter into all necessary and appropriate legal steps in this regard". Magix was also keen to warn the anti-virus software vendor that "new viruses based on your code could be released." In a statement to heise Security, Magix spokesman Dr. Ulrich Hepp defended the company's hard-nosed approach: "We are of course unable to conclusively determine whether and to what extent this 'security researcher' is pursuing honest objectives. His insistence on publishing the 'proof of concept exploit' gave rise to a reasonable concern that this 'exploit' could be used to create viruses or suchlike."
Magix does not consider its correspondence to have been threatening: "We have merely detailed the legal position and made clear that we will take legal steps if the publication results in financial losses." acidgen believes Magix' approach is the result of a failure to understand how security researchers operate. He notes that it was never his intention to publish the exploit online before the vendor had released a patch or to damage Magix or its customers.
According to Magix, the vulnerability in Music Maker 188.8.131.52 (which can only be exploited if the victim opens a crafted file using the program) has now been fixed in the English and German language versions of the program. Version 17 of the music software, which also closes the vulnerability, has since been released.