January 14, 2005 1:57 PM PST

Microsoft: No flaw in Media Player

A set of video files available on peer-to-peer networks is piggybacking on Microsoft's antipiracy tools to trick viewers into downloading adware and spyware, security experts have warned.

Spanish security company Panda Software warned earlier this week that several companies are apparently using Microsoft Media Player's digital rights management (DRM) tool to fool people into downloading spyware and viruses. The existence of the files was confirmed by Harvard researcher Ben Edelman.

Microsoft responded Friday, saying that the security risk does not arise from a flaw in its rights management tool, although the issue is triggered by an apparently content-protected file. Content distributors can use Windows Media Player to pop up a Web page with information about a video or song, and in this case, that page was apparently loaded with automatic spyware download mechanisms.

The automatic downloads would be blocked on any computer running the Service Pack 2 release of Windows, Microsoft representatives said. People can also protect PCs running older versions of the operating system by turning up the security settings in Internet Explorer to "high," they added.

"There is no way to automatically force the user to run the malicious software," Microsoft said in an e-mailed statement. "This function is not a security vulnerability in Windows Media Player or DRM."

The appearance of the files on peer-to-peer networks marks a new twist in the old problem of "drive-by downloads," in which companies have used vulnerabilities in the Internet Explorer browser, or simply taken advantage of Web surfers' unfamiliarity with technology, to trick them into downloading abusive software.

The Federal Trade Commission has sued at least one company, run by former spammer Sanford Wallace, for distributing adware and spyware through this kind of Web page mechanism. This is the first time the Microsoft rights management tools have been publicly used to trigger the effect, however.

Panda Software said in an advisory that two versions of the dangerous files are being distributed. However, both are easy to spot once they have run. After connecting to the Internet, they display the message: "Thanks for downloading this file. Click Play to listen."

If someone clicks through the site, spyware is automatically downloaded to the victim's PC, Panda said.

Panda and Harvard researcher Edelman each have identified a small company called Protected Media and file-swap fighter Overpeer as responsible for the Trojan-like Windows Media Player files.

Protected Media did not immediately return calls seeking comment. Overpeer's chief executive officer, Marc Morgenstern, said his company was not responsible for sending any software to people's computers.

Overpeer is hired by record labels and music studios to distribute "decoy" files on file-swapping networks, hoping that potential downloaders will find a false version of the latest Britney Spears single, rather than the real one, for example. In some of those decoys, Overpeer does include code that pops up a Web page window, but Morgenstern said his company's pages simply direct users to an authorized digital song store.

"We're not delivering or serving spyware or viruses," Morgenstern said. "We don't know who did this thing that was mentioned, but it wasn't us."

A Microsoft representative said the software company was continuing to pursue the problem.

"We are concerned, because it is behavior inconsistent with what we would do with our DRM," said Mike Coleman, lead product manager for Microsoft's Windows client consumer division.

Microsoft is planning to release an update to the Windows Media Player that will shut down a file's ability to automatically pop up a Web page, unless the user turns that function on, a representative said.

Dan Ilett of ZDNet UK reported from London.

47 comments

Join the conversation!
Add your comment
Stupid Question Time
Why would anybody develop an operating environment where simply clicking on a type of file, not normally associated with opening a webpage, forces a browser to visit a webpage?

Oh...wait...we're talking about Microsoft, aren't we?
Posted by WarpKat (23 comments )
Reply Link Flag
For Convenience!
Not only tech savvy people use the Internet you know. If it were up to the "Anti-Microsoft religious zealots, the internet would still be a bunch of pimple faced kids in the parents basements. Opps, forgot, without Microsoft they could not afford a sparc station in their basements. (Linux would never have been developed.)
Posted by TheMidnightCoder (61 comments )
Link Flag
Internet hooks = normal for media player applications
Lots of media player applications have the ability to open a Web browser window and/or display Web content (HTML and/or XML) internally. The list includes Microsoft's Windows Media Player, Real's RealPlayer, Sony's SonicStage, and (gasp) Apple's iTunes. If you don't believe me about the last one, do a Google.com search on "itunes xml". There's nothing peculiar about Microsoft here.

Smart Windows users follow Microsoft's long-standing recommendation. It takes exactly five mouse clicks to set the security level for the Internet "Zone" to "High". Microsoft's 1-2-3 tutorial and 2-minute video explain how.

Some media player applications have additional, internal security/privacy preferences.

Computer users need to make up their minds. If you want the album cover to pop up when you play a new song, the media player has got to include hooks to the Internet.

Paul Marcelin-Sampson
Santa Cruz, California, USA

P.S.: By the standards of this latest complaint, we'll have to get rid of a lot of software. Check out Edit > Preferences > Trust Manager in Adobe Reader 6, for example.
Posted by rpms (96 comments )
Link Flag
I agree.....
If you notice, pretty much all player/viewer software that does this ends up having security issues related directly to this function.

The most secure software does NOT need to be connected to the net to work properly. For the ONLY exception of getting updates. and even that has a tendancy to create security issues.
Posted by Prndll (382 comments )
Link Flag
Well It may not be a flaw, but...
Ok, I will accept it's not a flaw, but it is a problem. Microsoft needs to address this problem quickley before it becomes a nightmare. Media Player is a very popular program. If it is not addressed I have no doubt that hackers will find a really devious way to exploit it.
Posted by System Tyrant (1453 comments )
Reply Link Flag
Their priorities are skewed
Why face the issues when you can deflect them by using inane definition arguments?

Classic MS.
Posted by (242 comments )
Link Flag
It was never a flaw....
This was by design. The ability for MS's media player was designed to access the net for the purpous of tracking and watching you. It can be argued that this function was intended to make the player get needed codecs and certain other information about the specific file being played. It is my view that the latter was given to cover the real meaning behind it's function. The problem is that MS did not foresee the ability of people to use this as a means of "hacking" into someones machine. It was meant to be used by MS only. This is why patches are issued and the function still exists.
Posted by Prndll (382 comments )
Link Flag
this is just crazy
Here we have a true error in iTunes

<a class="jive-link-external" href="http://www.macnewsworld.com/story/39690.html" target="_newWindow">http://www.macnewsworld.com/story/39690.html</a>

that 'can (be used) to crash the application and seize control of the computer by inserting Trojan code', and yet a minor issue with Windows Media Player grabs the headlines. Who is in charge here?
Posted by catchall (245 comments )
Reply Link Flag
Apple fixed it.
Well, I can't tell you why the news ignored the iTunes flaw, but they have fixed it with 4.7.1.

It may not be fair that every flaw Microsoft has is picked on, but then again we were all raised in a Microsoft world so fair isn't part of our vocabulary.

Yeah that was a cheap shot.
Posted by System Tyrant (1453 comments )
Link Flag
It's politics......
Apple with it's I-Tunes is just the system of controls that the entertainment industry has agreed to with them. MS did not create the media player for the RIAA or MPAA. The media player was created for MS. Apple will jump quickly on any flaw in I-Tunes because of the tie to the entertainment industry. The problem was fixed to keep people using it. MS is not bound by this (yet).
Posted by Prndll (382 comments )
Link Flag
Piggyback trojans
As to the source "It wasn't me". I think the R.I.A.A. is getting frustrated and they know they are loosing the battle. And they will go to any tactic possible. My 14 year old says "It wasn't me". If the R.I.A.A. traced a file download to a specific point wouldn't that end point be in court?????
Posted by stgoehn (11 comments )
Reply Link Flag
Keyboard Vulnerability
A university today uncovered a critical flaw in most keyboards. They found that by pressing the Delete button data or even files (depending on what the user is doing at the time) can be lost. Keyboards without the Delete button are being rushed to locations around the world, but until they are available users are recommended to exercise extreme caution.
Posted by Andrew J Glina (1673 comments )
Reply Link Flag
Unworkable Work-Around
Microsoft's answer to I.E. security vulnerabilities is always "...turning up the security settings in Internet Explorer to "high"."

I have done this and it is a pain in the $%!@%. Many sites do not display content because they use scripting languages. In order for me to grant a site the necessary priviliges I must:

1) Copy current URL (root only) to clipboard
2) Click Tools
3) Click Internet Options
4) Click Security
5) Click Trusted Sites
6) Click Sites
7) Paste the URL
8) Mod the URL to *.domain (so subdomains works)
9) Click Add
10) Mod the URL to HTTPS
11) Click Add
12) Click OK
13) Click OK
14) Click Refresh

This is just nuts. If the 14 steps are not bad enough, it gets really bad if the site uses multiple domains to handle processing functions like ecommerce, security, etc. Sites like American Express use at least 3 different domains to get access to online "banking". It took me 15 minutes of tweaking Amex in IE to get it to work. And I have 20 years of IT experience. There should be a single-click option to just grant a site trusted access!!!

This shows how off-track Microsoft is, how they choose to spend their R&#38;D dollars on nonsense instead of fixing what is broke. Due to my frustration I have switched to Firefox, and use Realplayer whenever possible.

Keith
www.techcando.com
Posted by Stating (869 comments )
Reply Link Flag
Dynamic content is risky, no matter how you access it
Dynamic content poses risks, no matter how you access it. If people want the features afforded by scripting languages like Java, ActiveX and VBScript, they've got to put up with the security risks. On a fundamental level, accessing dynamic content involves retrieving code from the Web and executing on your system. On a fundamental level, the code has the same privileges that you do.

RealPlayer has been the subject of security alerts. It contains a specialized Web browser.

And how does Firefox avoid the risks inherent in dynamic content? By not supporting ActiveX or VBScript (<a class="jive-link-external" href="http://www.mozilla.org/support/firefox/faq#mozvsie" target="_newWindow">http://www.mozilla.org/support/firefox/faq#mozvsie</a>). The result is that many of your favorite Web sites don't work -- no matter what you do. I'd call that less capable, not more secure. At least with Explorer I can decide whether to allow dynamic content, on a site-by-site basis.

It makes sense to have different security and privacy settings for different Web sites. Otherwise, there are only two choices: allow everything or deny everything. I, for example, block pop-ups from newspaper and portal sites but allow them from online stores and airline booking engines that I use.

And yes, it does take time to move sites from one security zone to another, in Explorer. There is an inevitable trade-off between convenience and security. You are exaggerating the number of steps, however. For example, Explorer remembers the URLs of sites you've visited. They show up in the "Add this Web site to the zone" pop-up menu. Auto-complete also works there.

The point of this post is not to defend Microsoft, but to urge people to take a more rational approach to security. You can't have dynamic content without security risks. Some Web browsers don't support popular kinds of dynamic content, and others do. Obviously the ones that do will generate more security complaints from people who don't understand what dynamic content is: an invitation to run someone else's code on your computer.

Paul Marcelin-Sampson
Santa Cruz, California, USA
Posted by rpms (96 comments )
Link Flag
Just Keep Repeating
It's NOT a FLAW... It's a FEATURE.

It's NOT a FLAW... It's a FEATURE.

It's NOT a FLAW... It's a FEATURE.

That's what Microsoft, and their RABID-SUPPORTERS, keep doing.

Besides, you can always render the WEB virtually useless, in order to avoid the numerous 'BAD-DECISIONS' made in Microsoft's design/board rooms.

Or, you can ask why Microsoft seems so determined, for some reason, to refuse to allow reasonable computer-use, in a world not absolutely-controlled by Microsoft.

Makes you wonder...
Posted by Raife (63 comments )
Reply Link Flag
You're kidding, right?
A web page asks if you want to install software... you say yes, and a virus installs on your system.

And this is a flaw? Sure... a flaw in the user, maybe. Sounds like you got suckered into this one and are just bitter...
Posted by David Arbogast (1709 comments )
Link Flag
While using Media player its restarting my machine
When im using windows media player 9 after plsying 2-3 clips the machine will be restart automatically. This problem occurs only while using windows mediapleyr...all other players are working fine in my machine.
Posted by (2 comments )
Reply Link Flag
windows media player 9
<a class="jive-link-external" href="http://www.analogstereo.com/nissan_armada_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/nissan_armada_owners_manual.htm</a>
Posted by Al Johnsons (157 comments )
Link Flag
Good point...
On a side note... :-)

I've taken apart my car until it was only 15 cm high, and put it back together. I am also renovating my whole house... The only thing that keeps me from doing more is time...

But indeed there are no stupid users, only stupid developers that are not paying attention to their customers. M$ knew all along they were going after the non-tech users, so they should develop accordingly. However, they have only focused on usability, and completely overlooked the security side of things. (plenty more other examples: how about all those WIFI routers that are wide open)
And now this negligence has slapped them right in the face, and they are making a patchwork of their over-integrated "OS".
That is the difference with projects like Mozilla: having learned from M$ mistakes, they have worked on both: usability and security. And indeed only time will tell if Mozilla got it right, but they should also be granted the same chances as M$. M$ is trying for 8 years now (after win98) to make this work, and so far it looks it has only gotten worse. Let's see where Mozilla is in 8 years.
Posted by Steven N (487 comments )
Reply Link Flag
Reply to OK of Matthew Good
3 cm can make a hell of a difference...
Posted by Steven N (487 comments )
Link Flag
Indeed...
Mozilla did indeed get it right. While not a perfect product on its own, its security can not be criticized as much as Microsoft's can.

Mozilla builds browsers and internet-related software. Microsoft should have stuck to building just an operating system. I'm guessing that, by now, if they had kept focused on Windows, it would be at least half-decent in this day and age and perhaps not subject to as many flaws as it currently has.

Then again, Microsoft has a tendency to put more hands than it has into different aspects of computing society. Let someone ELSE specialize in media playing. Let someone ELSE specialize in browsers. Let someone ELSE specialize in e-mail clients. Let someone ELSE specialize in office applications.

The primary issue driving their continuous fumbling is pride - plain and simple.
Posted by WarpKat (23 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.