Freeme Software Fix

Freeme.exe Fix Communication to Content Owners and Service Providers

Situation
Microsoft has evaluated the Freeme.exe software posted October 19, 2001 on The Register Web site, and has verified that for users who have purchased or licensed content that is protected by Microsoft Windows Media Digital Rights Management version 7 (including 7.1), the Freeme software can be applied to breach the Digital Rights Management (DRM) protection of the content. It is important to note that this breach does not pose any privacy threat to users' personal information on their computers. Also, this breach only affects content protected with Windows Media Rights Manager version 7 Software Development Kit (SDK), not version 1.

Microsoft has also verified that this breach is predicated upon obtaining a valid license, which means you cannot circumvent the security for content that has not been licensed or purchased by a user, because if content is protected with Microsoft Windows Media DRM, the user acquires the license separately from the content.

Microsoft takes any DRM breach very seriously. Ensuring that our products remain secure from hackers remains a top priority, now and in the future. Because any DRM system can potentially be compromised, Microsoft designed the Windows Media DRM system to support dynamic updates, should a security compromise like this occur. This update mechanism, referred to as security renewal, does not require a new release of the Windows Media Player or the Windows Media Format Software Development Kit.

Microsoft has released the fix for the Freeme software and we have included additional security to make it more difficult for future attackers to leverage information already published.

Summary of fix
The solution to this Windows Media DRM breach is renewability, a process by which a compromised Windows Media security component, specifically the DRM subsystem's protected content module (or blackbox), is replaced with a new, secure one. From a consumer perspective, this means the user will need to update security components before they will be able to play secure content downloaded from a content owner or distributor. However, this process is designed so that no identifiable personal information or information regarding the user's usage of content is sent.

The fix for the Freeme breach involves:
  • Packaging new content or repackaging already-encrypted content to require a renewed security component
  • Updating license servers to trigger the renewal process and serve licenses to renewed components, and
  • Renewing the security component in the Media Player when users acquire protected content

To perform this update to the Windows Media DRM system, the following three steps must be completed:
  1. Update the Content Header: When packaging new content or repackaging existing content, add or modify the security component version identifier (technically known as "individualization version number") in the content header to trigger an update of the security component.
  2. Update the License Server: Update the certificate on the license server to enable a license server to issue licenses to the new security components.
  3. Trigger the renewal: Trigger update of the security component when a client makes a request to a license server.

Implementation Details:
It is imperative to execute the following steps to neutralize the Freeme software breach. Either content owners or license issuers might perform the first step of updating the content header, whereas the license issuers must perform the second and third steps. Content owners are strongly encouraged to repackage all their content with the highest security component version number 2.2 in order to ensure protection of their content.

1. Update the Content Header
This procedure is performed by the organizations that package content. In this step the content packager will add an attribute, or change an attribute if it is already using "Individualization," to the header of the protected Windows Media file. Note that this is NOT the same as re-encrypting the content.

To update the header please follow the instructions below:
Set WMRMHeader.IndividualizedVersion to "2.2" in the header of protected content. This property, WMRMHeader.IndividualizedVersion, indicates the lowest version of the Windows Media DRM security component that is required to play back this content. If this property is set to 2.2, the client will call the DRM subsystem to check whether the client has the correct version of the security component. If the subsystem has an individualized security component with the version number 2.2, the license server can issue a license bound to the public key of the new security component.

2. Update the License Server(s)
Each license issuer must update its license server configuration to ensure that:
  • It does not issue licenses to users who have the compromised security component on their PCs
  • It can issue licenses to users who have updated the security component on their PCs.

The configuration can be updated as follows:
  1. From the machine on which the license server is running, go to: http://licenseserver.windowsmedia.com/
  2. Click on the Download the latest License Server information link on this page to automatically update the configuration of your license server

Alternatively, the license server's configuration can be manually updated as follows:
  1. Create a new registry key that is named "2.2.0.1" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WM Rights Manager\LicenseServer\VerificationKeys

  2. Set the value of this newly created registry key to "WRZPSd6hM7Q9ZakF9NO3ydZA7UN888SR*!j!cH!wrd18zsbXVdR4fw=="

  3. Change the value of the registry key "2.1.0.0" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WM Rights Manager\LicenseServer\VerificationKeys to "WRZPSd6hM7Q9ZakF9NO3ydZA7UN888SR*!j!cH!wrd18zsbXVdR4fy=="

  4. Change the value of the registry key "2.1.0.1" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WM Rights Manager\LicenseServer\VerificationKeys to "WRZPSd6hM7Q9ZakF9NO3ydZA7UN888SR*!j!cH!wrd18zsbXVdR4fy=="

NOTE: this will prevent the license server from issuing licenses to old security components.

NOTE: if the license server is not updated (with the steps above) and an updated client (a client that has been updated with the new security component) makes a request to the license server, the license server will fail and generate an error to the client. It is important that you (or your designee) update your license server to ensure updated clients are able to receive licenses.

3. Trigger update of the new security component on the server side
This step updates the license server so it can detect the version number of the DRM security component that is making the license request, and redirect it to an upgrade Web page if the security component version is less than "2.2.0.1".

When a Media Player requests a license for content, it sends information about the hardware to the license server. No identifiable personal information or information regarding the user's usage of content is sent. Contained in that information is the ClientAttribute property (WMRMChallenge.ClientAttribute) called SECURITYVERSION. This property specifies the security version of the DRM security component. If the value of the SECURITYVERSION attribute is less than "2.2.0.1", then the license server should redirect the client to a Web page which is hosted by Microsoft (http://drmlicense.one.microsoft.com/Indivsite/indivit2.htm) that can update the DRM security component on the user's machine.
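The version gate described above, as an added example that is not part of the original page or the WMRM SDK: it compares SECURITYVERSION field by field as numbers and returns either "issue" or a redirect to the Individualization page. The dict of client attributes, the function names, the four-field format check and the choice to treat a missing or malformed version as outdated are assumptions made for illustration.

```python
# Added example (not WMRM SDK code): decide whether a license request gets a
# license or a redirect, based on the SECURITYVERSION client attribute.

MIN_SECURITY_VERSION = "2.2.0.1"  # threshold stated on this page
INDIV_URL = "http://drmlicense.one.microsoft.com/Indivsite/indivit2.htm"  # from this page


def parse_version(text):
    """Return (a, b, c, d) as ints for an 'a.b.c.d' string, else None."""
    if not isinstance(text, str):
        return None
    parts = text.strip().split(".")
    # Assumption: a well-formed value has exactly four numeric fields.
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def license_decision(client_attributes):
    """client_attributes is a hypothetical dict of attributes taken from the
    license challenge. Returns ("issue", None) or ("redirect", INDIV_URL)."""
    version = parse_version(client_attributes.get("SECURITYVERSION"))
    # Assumption: a missing or malformed version is treated as outdated.
    if version is None or version < parse_version(MIN_SECURITY_VERSION):
        return ("redirect", INDIV_URL)
    return ("issue", None)


# Constructed sample requests (not captured traffic).
SAMPLES = ["2.1.0.0", "2.1.0.1", "2.2.0.1", "2.10.0.0", "2.2", None]


def run_samples():
    """Map each sample version to the action the gate would take."""
    return {v: license_decision({"SECURITYVERSION": v})[0] for v in SAMPLES}


if __name__ == "__main__":
    for version, action in run_samples().items():
        print(f"{version!r:12} -> {action}")
    # Plain string comparison would wrongly rank 2.10.0.0 below 2.2.0.1.
    print("string compare says outdated:", "2.10.0.0" < "2.2.0.1")
```

Comparing the version strings directly would redirect a client reporting 2.10.0.0 even though it is newer than 2.2.0.1, which is why the fields are compared as integers.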

Note: Even if the protected content calls for silent license delivery, the users acquiring the licenses will still be notified that they need a new security component, and their consent is required in order for the new security component to be installed.

Note: Sample script for updating content with the new Individualization version number and upgrading content license from v1 to v7.1 can be found in the WMRM SDK v7.1.

User Experience
If the security version number that is specified in the content header is higher than the security version number of the machine's protected content module, the license server will redirect the user to the Microsoft Individualization Service to update the DRM subsystem with the new security component. If the user is using Windows Media Player, he or she will see the following Individualization dialog box. The user has the choice to upgrade or not.

[Screenshot: Individualization dialog box]

If the user clicks on Learn More, he or she will be directed to the Web page: http://www.microsoft.com/windows/windowsmedia/player/windowsxp/privacy.aspx where he or she can find out more about Microsoft's privacy policies.
  • If the user chooses not to upgrade, he or she will not be able to acquire or play back new content that requires the higher security version.
  • If the user chooses to upgrade, the Individualization service will download a new protected content module (containing the fix, approximately 110K in size) to the user's machine. The license server can then issue a license that is bound to the public key of the newly downloaded protected content module.

Best Practices
In addition to the procedures described above, we recommend following the best practices described in the Windows Media Rights Manager Software Development Kit. Specifically:
  1. Encrypt each piece of media content with its own unique key.
  2. Periodically change the seed.
  3. Issue Windows Media DRM v7.1 licenses only.
  4. Use dynamic headering for content to enable quick updating of content in the future.

© 2009 Microsoft Corporation. All rights reserved.