Antipiracy flub for Microsoft

The software giant announced WGA 1.0 on Monday. WGA requires users to verify that they have a legitimate copy of the operating system before they can download add-ons for Windows XP.

But within days of the software's release, a number of Web sites, including the popular Boing Boing blog, were posting details about how to bypass WGA.

According to several Web sites, a bypass is easily accomplished through any of several means, including pasting a JavaScript command string into the Internet Explorer browser.

For Microsoft, this marks another episode of people finding a way to bypass its WGA software. In the spring, during WGA's pilot phase, a security researcher outlined a method for bypassing the software using another Microsoft tool called GenuineCheck.exe.

Microsoft is investigating the new claims and will take appropriate actions, a company representative said.

"Because of the high value we are providing to genuine users, we are not surprised hackers would try a number of methods to circumvent the safeguards provided by WGA," the representative said. "It is important to note that this issue is not a security vulnerability, nor does it put any customers at risk. Windows users are not in danger."

Johannes Ullrich, the chief research officer at Internet Storm Center, said the JavaScript bypass method does not pose a security threat.

"It prevents the Windows WGA tool from being installed," he said, noting that he conducted tests on the workaround and found it could be easily applied.

For users who purchase computers with Windows preinstalled, Ullrich noted, some may be surprised to find that they have a pirated copy on their computer.

"Sometimes it's hard for users to determine if they have a pirated version. Some buy computers from less-reputable resellers or buy a CD off the street and may have trouble determining if they have a pirated version," Ullrich said.

Microsoft has estimated that roughly a third of the Windows copies installed worldwide are pirated.