February 16, 2005 4:15 PM PST

Microsoft fixes potential antipiracy hole

Microsoft said Tuesday that Japanese hackers had discovered a potential weakness in its copy protection technology but that the software company fixed the flaw before it was widely used.

The Redmond, Wash., giant on Tuesday introduced an update to its Windows Media Player, which included changes aimed at blocking the Japanese hackers' work, as well as a security update.

"No DRM is perfect. This is another example of somebody finding a way around the technology that we didn't think about."
--David Caulton
Manager, Windows Media

The copy protection changes mark the first time in nearly four years that Microsoft's digital rights management (DRM) protections have been publicly broken, even if largely in theory. As in an earlier case, the company says it was able to update its software before the flaws advanced much beyond the theoretical stage.

"No DRM is perfect," said David Caulton, group product manager in the Windows Media division. "This is another example of somebody finding a way around the technology that we didn't think about. We hear about it, and we effectively get a fix out to users before there's a widely distributed tool for removing digital rights management from files."

The update comes as renewed evidence that hackers and other independent programmers are scrutinizing Microsoft's Windows Media Player, as well as the Internet Explorer browser, for flaws or programming loopholes. Microsoft has released repeated security fixes for its Web-browsing software over the past year, as new risks for surfers continue to appear.

The Japanese hack emerged several weeks ago, when programmers on a public online bulletin board were found to be discussing ways to strip the copy protection off Windows Media files. The actual software that purportedly performed the trick was taken offline after a Japanese magazine wrote about the hack, but Microsoft said the company was able to identify the potential flaw.

The new update also addresses a problem exposed a month ago, in which the Media Player and its digital rights management software could be used to show ads--or even to lure unsuspecting Web surfers into downloading harmful software onto their hard drives, security researchers said.

The process exploited a feature of the Media Player content protection, which allows protected files to pop up a Web page with information about a video or song license. In such a case, that page could be loaded with automatic spyware download mechanisms, Spanish security company Panda Software said.

The new update to the Media Player software contains a setting that allows consumers to request that they be notified any time their computer is going onto the Internet to obtain a content license. By default, this option will be turned off, but computer users can turn it on, Caulton said.

With the associated security issues, however, once the computer does launch the online license acquisition process, a Web page could still be popped up--even with the update in place. That risk is shared by anyone surfing online, Caulton said, but it could be virtually eliminated by using the latest spyware blockers and Windows operating-system updates, which block automatic downloads of software.

The new Windows Media Player is available now on Microsoft's site and may be distributed to consumers through the company's automatic software update function in the future.


Join the conversation!
Add your comment
Amazing display of misplaced priorites
It's amazing how quickly Microsoft can patch a non-security related "flaw" in Media Player's DRM, and yet, take months to address known security flaws in their products!

I think Microsoft needs to understand that the purpose of the "Trustworthy Initiative" is to create trust for the reliability and security of their products with end users (customers who PAID for their products and expect them to work) - rather than paying attention to minor nuisances.

Nobody cares if a DRM gets hacked. People however, do care if an unpatched flaw is exploited , and causes billions of dollars of damage.
Posted by Tex Murphy PI (165 comments )
Reply Link Flag
Amazing display of ignorance about project development
People in corporations are arranged in groups that are each responsible for a product or a few products so it shouldn't be surprising at all when one group can quickly create a patch for their product while other groups take longer.

You also fail to account for the fact that some flaws are relatively simple and have solutions that as easy to create and implement while other flaws go deep into the entire design of the software product and may require rewriting a significant part of the product in question, not to mention the need to test that extensive fix to make sure it doesn't introduce new flaws.
Posted by Not Bugged (195 comments )
Link Flag
DRM gets hacked
<a class="jive-link-external" href="http://www.analogstereo.com/mercedes_sl_class_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/mercedes_sl_class_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
DRM on a PC, a non-runner
Because of the variety of sounds cards and MPEG-4 Video cards, Microsoft Windows provides for third party device drivers to talk to these cards. Since the cards have no encryption or rights management on them, the information sent to the drivers is raw and unencumbered. What is stopping someone, in theory, from writing a driver that makes a copy of the raw data?
Posted by cifs (8 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.