Microsoft claims its Windows Media DRM has no security flaw

Recently
there were warnings about opening WMA/WMV files from non trusted sources in case
they exploit
Microsoft's DRM to display pop-ups and attempt to install Adware or Spyware

on the user's PC.  Now Microsoft has responded claiming that this is not a
flaw in its rights management tool or media player.  They say that Windows
XP Service Pack 2 will automatically block any attempted software downloads and
those running earlier versions of Windows can also prevent automatic software
downloads by upping their Internet Explorer's security level to high.

According to Microsoft, the pop-ups are no more
risky than an inexperienced user landing on a similar website and being tricked
into downloading dodgy content.  Panda software announced in an advisory
warning about two dangerous Windows Media files, but can easily be spotted as
they display a message thanking the user for the download and to click 'Play' to
listen on the website.  Instead of playing the track, it actually downloads
Spyware to the user's PC. 


As expected, Panda identified Overpeer as one
culprit, a known company for fighting piracy by flooding P2P networks with fake
content.  However Overpeer's chief executive office denied responsibility
for delivering software to consumer's PCs, although they do admit their fake
content does display a pop-up to divert the user to a legal music download
store.  Another small company 'Protected Media' was also involved. 
Microsoft announced that they will continue working on the problem and
are planning to release an update that prevents Windows Media files from
displaying a web page unless the user enables an option to do so.


Spanish
security company Panda Software warned earlier this week that several
companies are apparently using Microsoft Media Player's digital rights
management (DRM) tool to fool people into downloading spyware and viruses.
The existence of the files was confirmed by Harvard researcher Ben
Edelman.


Microsoft responded Friday, saying that
the security risk does not arise from a flaw in its rights management
tool, although the issue is triggered by an apparently content-protected
file. Content distributors can use Windows Media Player to pop up a Web
page with information about a video or song, and in this case, that page
was apparently loaded with automatic spyware download mechanisms.


The automatic downloads would be blocked
on any computer running the Service Pack 2 release of Windows, Microsoft
representatives said. People can also protect PCs running older versions
of the operating system by turning up the security settings in Internet
Explorer to "high," they added.


"There is no way to automatically force
the user to run the malicious software," Microsoft said in an e-mailed
statement. "This function is not a security vulnerability in Windows Media
Player or DRM."


Read the full article here.


Even though Windows XP SP2 may prevent automatic downloads and pop-ups, there
are still quite a lot of consumers out there running earlier versions of Windows
or XP SP1.  Also as long as the content can display a webpage tempting the
user to download a file, then there is a high risk of users getting
infected.  For example if the page displays 'This media file requires a
newer Windows Media codec, please download and install the following update and
try again…"  Many inexperienced users would believe whatever the pop-up
says and follow any given steps.


Interestingly, even though Microsoft encourages media companies to use its
audio format and rights management software, it seems that they are getting well
aware that consumers do not like having their content protected, especially when
they encode it themselves.  For example in earlier versions of Windows
Media Player such as version 9, copy protection was enabled by default for
ripping CDs and a warning would be displayed if the user tried turning this
option off:



However, once the user installs Windows Media Player 10 (Windows XP only) and
goes back to the CD rip options, the 'copy protect' tick is gone:


Source: C|net News - Software flaws

No posts to display