Avoid BIOS Information Probing – An Update

Seems like there were requests for more details behind the issue whereby Skype’s Plug-In Manager had the ability to read your BIOS and motherboard serial number. As a result Kurt Sauer, Skype’s Chief Security Officer, has expanded his post of yesterday with some additional explanation of how they ended up with this problem.

As a bit of background Skype has built into its Plug-In Manager flexibility in how users could license software from publishers who provide programs for the Extras Gallery. This involves selection by the publisher of Scope (Machine License or User License) and License Type (Trial period, One-Time Purchase, Periodic Renewal, Upgrade). I certainly experience these various options when keeping security software current (machine license, annual renewal) or upgrading applications such as WinDVD (User License, periodic upgrades), etc.

Kurt’s expanded post ends with:

To enforce these license agreements, the EasyBits framework attempts to uniquely identify what physical computer it’s running on. One way to do this identification is to simply read the serial number of the motherboard, which is often available through a public query to the BIOS.

It is quite normal to look at indicators that uniquely identify the platform and there is nothing secret about reading hardware parameters from the BIOS. The function calls to do this are public and are available to any software running on your computer. Of course, in line with our Privacy Agreement, Skype does not retrieve any of this data. It is only used by the EasyBits software to ensure that plug-in use complies with the appropriate license token or key.

Since we learned that EasyBits DRM did not perform well on some newer platforms, we updated the version of their framework with one that no longer attempts to read from the BIOS.
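The identification step Kurt describes above, as an added illustration rather than Skype's or EasyBits' code: the BIOS identifiers are read through the public WMI classes `Win32_BaseBoard` and `Win32_ComputerSystemProduct`, placeholder serials that some boards ship with (an assumed list) are rejected so the check degrades to a fallback instead of failing, and only a salted hash is kept so the raw serial never needs to be stored or sent anywhere. The sample identifiers in the test are constructed.

```python
import hashlib
import platform
import subprocess

# Strings some vendors leave in SMBIOS fields instead of a real serial
# (assumed list, constructed for this example; compare case-insensitively).
PLACEHOLDER_SERIALS = {
    "", "none", "default string", "to be filled by o.e.m.",
    "system serial number", "not specified", "0123456789",
}


def usable(value):
    """True if a BIOS-provided value looks like a real, unique identifier."""
    return value is not None and value.strip().lower() not in PLACEHOLDER_SERIALS


def read_windows_identifiers():
    """Query the BIOS-provided identifiers through WMI (Windows only)."""
    if platform.system() != "Windows":
        raise OSError("WMI queries are only available on Windows")
    queries = {
        "baseboard_serial": "(Get-CimInstance Win32_BaseBoard).SerialNumber",
        "system_uuid": "(Get-CimInstance Win32_ComputerSystemProduct).UUID",
    }
    found = {}
    for name, command in queries.items():
        result = subprocess.run(["powershell", "-NoProfile", "-Command", command],
                                capture_output=True, text=True)
        found[name] = result.stdout.strip()
    return found


def machine_fingerprint(identifiers, license_salt):
    """Derive a machine-bound token from the first usable identifier.

    Preference order: motherboard serial, then system UUID. Returns None when
    nothing usable is present, which a machine-license check must treat as
    'cannot bind' rather than as a license violation.
    """
    for key in ("baseboard_serial", "system_uuid"):
        value = identifiers.get(key)
        if usable(value):
            material = f"{license_salt}:{key}:{value.strip()}".encode()
            return hashlib.sha256(material).hexdigest()
    return None
```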

So it really seems that, in deciding to use a third party software module, someone forgot to check its capabilities against company policies. Sounds like a process issue in product management. Obviously once Skype personnel learned about this via a third party (isn’t that how Microsoft learns about many of their security issues?), they fixed it quickly such that it does adhere to company policy. And hopefully their product management process will now include a step to check against adherence to corporate policy.

In the meantime, update your Skype (for Windows) to version 3.0.0.216.

(I have had previous experience with some of these third party modules in the course of beta testing; it gets really interesting when the third party loses version control of what they put out, two independent publishers use different versions of the same software and the module publisher forgets about backward compatibility — whamo! — both applications are out of commission. Ran into that on a project a year ago in a couple of applications that address entirely different requirements in the healthcare field but both needed a scheduling module.)

About Jim Courtney

Bringing over thirty years' experience in the sales, marketing and management of cutting edge technology businesses.
