
Hackers bust Microsoft's anti-piracy system

Posted: August 2, 2005, 6:15 am
by Sargeras
http://www.techworld.com/security/news/ ... ewsID=4134
Hackers found a way around Microsoft's Windows Genuine Advantage (WGA) anti-piracy system last week, only a day after the system went into effect.

WGA requires Windows users to verify they are using a genuine copy of Windows before they are allowed to download certain software updates. Security patches aren't covered by the system, and remain available to any Windows user, legitimate or not.

The system asks users to download an ActiveX control, which scans Windows to determine whether it is legitimate. If the software checks out, the control installs a key allowing future downloads. The system went into place on Monday.

But by Tuesday, a simple JavaScript hack was already circulating, it emerged late last week. All users had to do was paste a JavaScript URL into the Internet Explorer browser window at the beginning of the process; this turned off the key check, according to users.

To carry out the hack, users simply needed to insert the following line into Explorer's address bar before the WGA authentication check was carried out:

javascript:void(window.g_sDisableWGACheck='all')

Microsoft said it was investigating the hack but didn't consider it a security flaw. The company said that it may not take immediate action to fix the problem. "As the validation system is updated from time to time, we will address this and other issues that may arise," a Microsoft spokeswoman said.

There are other ways of getting around WGA as well, none of them particularly complicated, say users, which raises the question of how seriously Microsoft is intending to enforce its updating policy.

Another workaround involves disabling the Explorer add-on that enforces WGA. A third method involves changing an Explorer cookie. None of the hacks involves anything particularly technical.
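
The weakness described in the quoted article, modelled as an added example (not code from the article, this thread or Microsoft): a gate decided by the page's own script honours a flag the user can set, while a gate decided on the server checks a signed token. Only the flag name `g_sDisableWGACheck` comes from the article; the function names, token format and installation ID are assumptions.

```javascript
// Constructed model for illustration; not Microsoft's implementation.
const crypto = require("node:crypto");

const SERVER_SECRET = crypto.randomBytes(32); // hypothetical key, never sent to the browser

// Weak design: the decision is made in page script, from state the user
// controls (any global can be overwritten from the address bar).
function clientSideGate(pageGlobals, validationKeyPresent) {
  if (pageGlobals.g_sDisableWGACheck === "all") return true; // check skipped
  return validationKeyPresent;
}

// Hardened design, step 1: after a successful validation the server issues
// a token "<installationId>.<expiry>.<hmac>" (format is an assumption).
function issueToken(installationId, ttlSeconds, now = Date.now()) {
  const payload = `${installationId}.${Math.floor(now / 1000) + ttlSeconds}`;
  const mac = crypto.createHmac("sha256", SERVER_SECRET).update(payload).digest("hex");
  return `${payload}.${mac}`;
}

// Hardened design, step 2: the download endpoint verifies the token itself.
// Nothing the browser asserts about its own state is consulted.
function serverSideGate(request, now = Date.now()) {
  const parts = String(request.token || "").split(".");
  if (parts.length !== 3) return false;
  const [installationId, expiry, mac] = parts;
  const expected = crypto.createHmac("sha256", SERVER_SECRET)
    .update(`${installationId}.${expiry}`)
    .digest();
  const given = Buffer.from(mac, "hex");
  if (given.length !== expected.length) return false; // malformed or truncated MAC
  if (!crypto.timingSafeEqual(given, expected)) return false; // forged or altered
  return Number(expiry) * 1000 > now; // reject expired tokens
}
```
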

Posted: August 2, 2005, 7:04 am
by Zaelath
This one is even easier:
Keller wrote that he did not have much luck with Microsoft support technicians, so he found a way to bypass the validation process on his own and moved along with the update. He accomplished this by disabling the Windows Genuine Advantage add-on within his browser's Internet Options. By clicking on Tools/Internet Options/Programs/Manage Add-ons, Keller disabled the WGA add-on. He then exited Internet Explorer and was able to do a Windows Update without the validation ste
That's some funny shit.

Posted: August 2, 2005, 8:01 am
by Sargeras
Hehe yeah. My link has another link with a picture step-by-step on that.

Posted: August 2, 2005, 1:48 pm
by Sionistic
Microsoft said it was investigating the hack but didn't consider it a security flaw.
:lol:

Posted: August 2, 2005, 1:58 pm
by Voronwë
MS has always had very curious definitions of "security flaws".

just look at the history of IIS 7 or so years ago.

Posted: August 2, 2005, 5:50 pm
by masteen
Voronwë wrote:MS has always had very curious definitions of "security flaws".

just look at the history of IIS 7 or so years ago.
IIRC, Cisco was using that shit for the browser interfaces on some of their network devices. It's a bad fucking day when a stupid virus is able to crash your core router :twisted:

Posted: August 3, 2005, 12:08 am
by Neost
IIRC, Cisco was using that shit for the browser interfaces on some of their network devices. It's a bad fucking day when a stupid virus is able to crash your core router
Yup. That one sucked. Switches and other devices that had web management interfaces were especially susceptible.

I'm working on a content delivery project and they use Apache for the cache/CDN GUI.

Posted: August 9, 2005, 6:36 pm
by Winnow
Tsk tsk! Microsoft should know better than to try and thwart the evil pirates!
Microsoft gives up on upgrade ban

Pirates sunk our cunning plan


By Nick Farrell: Tuesday 09 August 2005, 07:58

MICROSOFT'S attempts to stop people who have pirated copies of its software from getting upgrades have run aground.
A few weeks ago, Vole announced that a program called "Windows Genuine Advantage" (WIG) would scan users' PCs to see if they had a genuine licence key before letting them have any updates.

Of course within a few hours of WIG going into action hackers had torn it apart using a fairly simple hack. This was transmitted across the Interweb and made the whole thing useless.

A Microsoft spinster told the Sydney Morning Herald this morning that Vole had sent its designers back to the drawing board on WIG.

However, he added that WIG was not designed to catch counterfeiters or prevent hacks anyway.

So why bother? According to the Spinster, WIG was to help innocent customers realise "the full value of authentic Windows software while protecting investments made by our partners".

So, in other words, hackers and pirates will be allowed to get away with nicking software for the foreseeable future. While the rest of us will have to pay for it.