Vista's DRM allegedly cracked
Alex Ionescu, co-developer of the Windows API clone ReactOS, says he has found a way to crack digital rights management (DRM) in the 64-bit version of [ticker:uk_84471 Windows Vista]. If so, it would be possible to read the high-resolution content of media protected by DRM without encryption. Unfortunately, in his blog Ionesco does not specifically describe how he managed to do this. He says that he is not willing to provide too many details because his method is "definitely" a violation of the Digital Millennium Copyright Act (DMCA), and he does not want a raft of lawyers on his back.
To protect high-definition content on PCs, Microsoft developed what it calls a Protected Environment (PE) for Windows Vista. The PE creates a Protected Media Path (PMP), a corridor in the operating system that cannot be "tapped". The PMP is designed to protect high-definition data on their path from the medium to the graphics card. Among other things, Vista encrypts communication via the device bus, which is accessible to users, so that they cannot grab and analyse any data. All device drivers for the Protected Environment have to be digitally signed by the vendor and Microsoft. If there is no signature, a "constriction mode" is activated that breaks movies down into standard resolution and stereo audio. Vista device drivers also have to ensure that they communicate with genuine hardware, not with an emulation.
Ionescu says he has now programmed a demonstration that loads arbitrary code into the kernel. The PMP thus appears to be intact to audio and video applications even though its security has been compromised. In the process, Ionesco says he also cracked the PatchGuard in the 64-bit version of Vista, which is designed to prevent code from being injected into the kernel. Ionescu explicitly writes that he neither used an unsigned driver nor loaded a driver in the test-signing mode (BCDEDIT -set testsigning on). In the test mode, Vista recognizes drivers signed with any certificate as valid, even self-made ones. Ionescu says he boots Vista with another flag, though he does not provide any additional details.
- Update on Driver Signing Bypass, Alex Ionescu's description