Microsoft Reverses Plan, Will Patch Media Player By Ryan Naraine January 18, 2005 http://www.eweek.com/article2/0,1759,1752247,00.asp
Microsoft will patch its Windows Media Player after all. One week after saying it had no plans to change the way WMP (Windows Media Player) handles the download of DRM licenses, Microsoft now says it will release an update in the next 30 days to help thwart the threat of spyware infection. The about-face comes amid reports that malicious hackers are rigging .wmv files and using the anti-piracy mechanism to infect computers with spyware, adware, dialers and computer viruses. PointerRead more here about hackers tuning in to Windows Media Player. "While this issue is not the result of any exploit of Windows Media DRM, we do recognize it may cause problems for some of our customers," the company said in a statement. "To help mitigate these problems, Microsoft is committed to providing an update to Windows Media Player in the next 30 days that would allow the end-user more control over when and how any pop-ups display in the license acquisition process." The software company urged customers to treat DRM license downloads like any other Web page attempting to install malicious software. "If they are on Windows XP, install Service Pack 2 [SP2]. If they're not running Windows XP, they can install a pop-up blocker and tighten the security settings in Internet Explorer to not allow the automatic installation of Active X controls," Microsoft added. But Ben Edelman, a Harvard University student who tracks the spyware scourge, said Microsoft's statements that SP2 users are not at risk are misleading. "That's just not true. Computers with both SP2 and Windows Media Player 10 would block those pop-ups. However, a computer with SP2, but without WMP10, would display the pop-ups as usual," Edelman told eWEEK.com. "What about those SP2-but-not-WMP10 users? I fear they actually are at extra risk of being confused here. For one, they think they're protected generally‹due to so much SP2 hype," Edelman added. Edelman also called on VeriSign to revoke digital certificates used by any company found to use this misleading installation tactic. "ActiveX pop-up installers only display if they are signed by a valid certificate. If VeriSign revokes a company's certificate, then none of that company's ActiveX installers are displayed," he said. eWEEK.com Special Report: Internet Security It is likely that Microsoft's WMP update will cause the WMP's license-retrieval window to always use the Restricted Sites zone. The company also could change the default settings for the "acquire licenses automatically for protected content" feature. When a user tries to play a DRM-protected file, that feature automatically triggers an Internet Explorer browser session and walks the user through the installation process. You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
