Microsoft Corp. on Tuesday pushed its WGA program over the Internet, hoping to thwart users running illegal or pirated copies of Windows XP and Windows 2000.
However, online enthusiast sites reported on Thursday that the verification method had been broken in 24 hours.
According to one site, the hack is simply a short JavaScript string that is pasted into the address bar of Internet Explorer before users make a choice in one of the Windows Update screens.
WGA certifies that a users system is running a genuine and legal copy.
This certification is now needed before users can receive non-security updates from Microsofts Windows Update, Microsoft Update and Download Center sites.
The Windows Genuine Advantage program targets Windows XP Professional, Windows XP Home, Windows XP Tablet editions and Windows 2000 systems. According to Microsoft, about 80 million Microsoft Windows customers use these services monthly.
Examples of popular applications covered under the Genuine Advantage program include Windows Media Player, DirectX for gaming and the new Windows anti-spyware products.
Microsoft uses an ActiveX control to validate users software automatically. It is able to identify a genuine system by doing several checks. The text string entered into the browser appears to defeat the scan and allow updates.
A Microsoft spokesperson stressed expressed concern that users might mistake this issue as a security vulnerability rather than one of piracy.
“WGA differentiates genuine Windows software from counterfeit software enabling customers to enjoy the capabilities they expect, confidence that their software is authentic and [take advantage of] ongoing system improvements that help them do more with their PCs, including over $450 in software and discounts only available to genuine users,” the spokesperson said. “Because of the high value we are providing to genuine users, were not surprised hackers would try a number of methods to circumvent the safeguards provided by WGA.”
According to the spokesperson, the company was investigating the claims at this time and would take action in response as appropriate. “As the validation system is updated from time to time, we will address this and other issues that may arise,” he continued.
“Keep in mind, our objective with WGA is to empower users who are victims of piracy and counterfeiting by enabling them to receive genuine Windows. Over 40 million people chose to participate over the past 10 months, which tells us that customers value what our program has to offer,” he concluded.
The latest reports follow on the heels of an earlier workaround uncovered by a security researcher in May.
In that case, a private vulnerability analyst published a detailed proof-of-concept demonstration that showed how the WGA validation check could be defeated by generating new WGA key codes.
Editors Note: This story was updated to include comments from a Microsoft spokesperson.