IT experts say they were not surprised that Windows 7’s product activation system has been hacked just a month after the product’s official release.
“The RemoveWAT utility – also known as ChewWGA – exploits at least one of several probable security flaws on Windows 7 to allow a user to bypass the Windows Genuine Advantage registration procedure,” said Richard Kirk, European director of application vulnerability specialist Fortify.
“This type of crack appeared shortly after Windows Vista went on sale in January 2007 and was solved when Microsoft issued an update. Similar utilities for Windows XP also started appearing in the summer of 2005, shortly after the Windows Genuine Advantage system was made mandatory in July of that year,” he added.
Reason for flaws
According to Kirk, the reason these flaws exist – which Microsoft promptly patches after they appear in the wild – is the millions of lines of program code that go into a modern operating system, which makes it extremely difficult to ensure security.
And, he said, whilst the code-security flaws and potential loopholes are a headache for software vendors, they are an even worse problem for operating system developers, simply because of the scale of the coding structures involved.
The only real solution to the problem is for software vendors to exhaustively test and retest the security of the code from the earliest stages in the software’s development stages. Specialised tools can help automate this process, enabling efficient scanning and accurate detection.
Code security auditing and testing, Kirk explained, is a highly specialised industry that can help organisations avoid revenue and data losses when software is cracked, as has clearly happened with Windows 7.
Unlikely to reoccur
“Will it happen again? I doubt it, as Microsoft will now almost certainly retroactively re-engineer Win7 to prevent any registration loopholes from being exploited,” he said.
“More than anything, this highlights the fact that the sheer size of programs these days means that code loopholes will slip through the net unless you are scrutinising them regularly from the moment they are written, whether designed in-house or commercially. Our advice is check, check and keep checking for flaws. You can’t ever rest on your laurels.”
By John Kennedy
Photo: A desktop shot of Windows 7.
