Microsoft: WGA to Require Revalidation
A mechanism used by Microsoft to validate genuine copies of Windows and weed out counterfeiters has been bypassed, but Microsoft says the method is ineffective due to required revalidation and expiring keys.
Security researcher Debasis Mohanty produced a proof-of-concept technique that circumvents Microsoft's Windows Genuine Advantage (WGA) piracy check by using an alternate tool provided by Microsoft for customers without ActiveX support in their Web browsers.
Mohanty, a security researcher based out of India, contributed his findings to the Full Disclosure security mailing list on Monday. Using a secondary validation program called "GenuineCheck.exe," unscrupulous users may generate legitimate product keys to validate Windows installations.
But the technique is far from foolproof and Microsoft appeared to be unfazed, telling BetaNews that the keys generated by GenuineCheck expire quickly and that the system will check to revalidate on a regular basis.
This means that even if a reseller sold a machine after doing this, the end user will still be prompted to re-enter a key when they attempt to download more content. "We have no plans to make any changes based on the concept's lack of scalability and the keys expiring rapidly," a Microsoft spokesperson said.
Windows Genuine Advantage is a carrot-and-stick approach toward reducing counterfeiting that requires users to validate their Windows license in exchange for special perks at the Microsoft Download Center, such as Windows AntiSpyware, and full access to updates from Windows Update. Microsoft asserts that WGA protects customers by ensuring the security and integrity of Windows installations, and also protects resellers by reducing the number of competitors that practice counterfeiting.
The program was initially opt-in, but Microsoft will make WGA mandatory in the United States this summer. Other markets will follow suit.
Microsoft is compensating customers that come forward and report counterfeited copies of Windows with genuine copies of Windows or a value price product key. For more details on WGA, see the extensive BetaNews interview with David Lazar, Director of Genuine Windows at Microsoft.