I know many of you are aware of reports of hacks that attempt to exploit our OEM BIOS based activation. We’re aware of this type of hack and I wanted to take a minute to describe how these work and how we plan to respond.
First, what is OEM BIOS based activation?
Here’s a little more information on how OEM BIOS based activation works. This form of product activation is also known as OEM Activation or just OA, which is how Microsoft refers to it and how I will refer to it in this post. Back at the launch of Windows XP when Microsoft introduced Windows Product Activation, we recognized that as easy as end-user activation is, it still represented an extra step. In an effort to reduce the impact of even that extra step but maintain the overall effectiveness of product activation, Microsoft worked with OEMs to develop an implementation that would work best for them and their customers while keeping the goals of product activation clearly in focus. As we looked to develop a solution, it was important to ensure that product activation technology could still deliver an acceptable degree of protection, while at the same time, reduce the need for an extra step by the end user. A couple of key factors stand out as enabling the OA 1.0 solution that was delivered in Windows XP.
Large OEMs tend to ship large numbers of PCs with Windows preinstalled. They also have the ability during their manufacturing processes to identify systems that will ship with Windows pre-installed.
Also, because of the direct relationship Microsoft has with those OEMS, the company has a higher degree of confidence that a genuine COA will be attached to each PC and that there will be accurate reporting of the number of units shipped preinstalled with Microsoft Windows.
These factors lead Microsoft and the major OEMs to place a marker in the BIOS of the OEM’s motherboard to identify OEM systems that were to be pre-installed with licensed copies of Windows XP. This marker, which is added to a specific location in the BIOS of the motherboard, enables a copy of Windows XP to look for that known value in the BIOS of the motherboard and, when found, confirm it was booting on a PC that was sold by a specific OEM and licensed to boot Windows.
Not the first time
Over the years we’ve seen examples of BIOS editors that, with some work, allowed people to make an edited BIOS appear to be an OEM BIOS. In Windows XP this kind of BIOS editing wasn’t as difficult as it is in Windows Vista and frankly, because there were easier ways to pirate Windows XP, I don’t think much attention was ever paid to it. However, because Windows Vista can’t be pirated as easily as Windows XP, it’s possible that the increased pressure will result in more interest in efforts to hack the OEM Activation 2.0 implementation.
Windows Vistas OEM Hacks
There appear to be two primary variants of OA 2.0 hacks circulating. One is similar to the XP approach I described above where actual editing of the BIOS on the motherboard is done to make the motherboard appear to be from an OEM. It is a pretty labor-intensive process and quite risky. If you mess up editing the BIOS of any motherboard, you can quite easily render it permanently useless. So while this method works today, it’s potentially hazardous and really doesn’t scale well to large numbers of systems, which makes it less of a threat.
The second variant does not change anything in the BIOS itself, but uses a software-based approach to fool the OS into thinking it’s running on OA 2.0-enabled hardware. And while this method is easier to implement for the end user, it’s also easier to detect and respond to than a method that involves directly modifying the BIOS of the motherboard.
I do want to say something here about how we plan our responses. As I’ve said in the past, we focus on hacks that pose threats to our customers, partners and products. It’s worth noting we also prioritize our responses, because not every attempt deserves the same level of response. Our goal isn’t to stop every “mad scientist” that’s on a mission to hack Windows. Our first goal is to disrupt the business model of organized counterfeiters and protect users from becoming unknowing victims. This means focusing on responding to hacks that are scalable and can easily be commercialized, thereby making victims out of well-intentioned customers.