TechWeb

Microsoft Investigates Reported Hack of Windows Authenticity Check

Jul 28, 2005 (12:07 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=166403491


"Does it matter if your copy of Windows is genuine?" Microsoft asks, knowing full well the impact of illegally copied software on its bottom line. "Yes, if you want the confidence of knowing that your software is legitimate and fully supported. And only genuine Windows customers can receive product downloads, Windows updates, and special offers."

That was true yesterday, but today hackers have come up with a way to disable Microsoft's online validation check. As noted in popular blog Boing Boing and elsewhere, by pasting a single line of JavaScript code into their Web browsers during the Windows Genuine Advantage validation process, users of counterfeit copies of Microsoft Windows can bypass the authenticity test, enabling them to receive product downloads, Windows updates, and special offers, just like paying customers.

Also, a Slashdot thread on the subject suggested several readers had tried it for themselves successfully.

No doubt Microsoft will disable this hack shortly, if it hasn't already. "The hack as far as we can tell is not a security vulnerability nor does it put customers at risk," a Microsoft spokesman said. "We're investigating the claims now, and we're going to take action in response to those as appropriate."

The irony here is that the validation process relies on an ActiveX control, a small executable code package that users of Internet Explorer can download and run on their computers. Computer security organizations like the CERT Coordination Center have recommended disabling ActiveX as a way to defend against security flaws in Internet Explorer.