Windows Media Player Vulnerability Info (MUST READ!!!)

Spyware Warrior Blog ^ | 12/31/04 | Eric L. Howes

[goldstategop]

Hi All:

PC World has a pair of articles about a potentially dangerous new development on the spyware/adware front: WMA (Windows Media) files being used to install adware and spyware. See:

Risk Your PC’s Health for a Song? http://www.pcworld.com/news/article/0,aid,119016,00.asp

Protect Yourself From Audio Adware http://www.pcworld.com/news/article/0,aid,119063,00.asp

In short, the well-known copyright management/protection firm Overpeer has figured out how to install adware through Windows Media files. The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.

Some might be tempted to dismiss this new method for distributing adware and spyware as a risk only for those using P2P networks. That snap judgement would be a mistaken and misguided one, though. The P2P file sharing angle on this story is a red herring.

The problem here involves the DRM features of Windows Media, and those features create a new and potentially very effective means for adware vendors to push unwanted software on unsuspecting users who have no interest whatsoever in using P2P networks to trade unauthorized music files.

I should caution readers that the PC World article, while detailed, is still short on specifics and that we still need more information. That said, users should be advised to take the usual steps to protect themselves against adware and spyware. At a minimum that involves:

locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting); installing spyware prevention utilities such as SpywareBlaster and SpywareGuard; installing at least two reputable anti-spyware scanners and keeping them updated; keeping your system updated through Windows Update. In addition to the above, PC World recommends tweaking the settings for Windows Media Player:

said by PC World:

* Change windows Media Player setting to give you more warning. Select Tool, Options, Privacy and turn off ‘Acquire licenses automatically for protected content’. A dialog box then will warn you each time a protected file attempts to get a license, and it will display the URL from which the file intends to request the license. If you have any doubts about the site, choose ‘No.’ Changing this setting in Windows Media Player will affect any other players you use that support Microsoft’s DRM scheme.

Also, it appears that merely switching your default browser to something other than Internet Explorer will not be sufficient to eliminate the threat, as Windows Media Player uses the Internet Explorer engine to open browser windows that function as dialog boxes. Even if you’re not actively using Internet Explorer, you should lock it down to prevent its being exploited by rogue WMA files.

If and when more information becomes available, I’ll post it to this thread.

Best,

Eric L. Howes

To supplement the advice from PC World, you might want to take the following measures:

locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting); Either lock down the Internet zone (https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm ), use Enough is Enough ( https://netfiles.uiuc.edu/ehowes/www/resource6.htm ), or use IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm ).

installing spyware prevention utilities such as SpywareBlaster and SpywareGuard; http://www.javacoolsoftware.com/spywareblaster.html http://www.javacoolsoftware.com/spywareguard.html

installing at least two reputable anti-spyware scanners and keeping them updated; http://spywarewarrior.com/asw-features.htm#rec

keeping your system updated through Windows Update. http://windowsupdate.microsoft.com/

See screenshot below for privacy settings in Windows Media Player 9

For Windows Media Player 10, see these screenshots.

If you have questions about adware, spyware or Windows security, you can post in the Spyware Warrior forums. Please do not post help requests in the blog comments.

Thank you.

[Howlin]

Oh, the Help........never use it....LOL> Thanks.

[Ernest_at_the_Beach]

???? Why did they put Help in a Microsoft package????

*******************************************

Somewhat related item:

Intel Boosts Investment in the Digital Home

I included a link to a Toms Hardware Guide article that reviews all Intel and AMD processors from 1994 to today and benchmarks them.....A trip thru memory lane.... just incredible how far we have come!!!!

[TechJunkYard]

I'm at a loss to why anyone would use Microsoft's software.

Agreed. Using Microsoft protocols (particularly the DRM crap) will come back to bite you.

You can't pull this kind of stuff using MP3s.

[KoRn]

The only Windows media player I use is a hacked version of the Media Player classic.

Comes with the ever so handy k-lite codec pack. Aslo includes real and quicktime alternatives.

http://www.free-codecs.com/download/K_Lite_Codec_Pack.htm

[Sea Mac]

If I ran Windows I'd Recommend AntiVir® Personal Edition for Windows Me (Me&98&95) and XP (XP&2000&NT) (FREE for Personal Use).

If I ran Macintosh System 10 I'd Recommend ClamXav - Free (Donationware: give whatever it's Worth to You).

If you Run Any of these Platforms: AIX, BeOS, Debian, FreeBSD, Interix, MacOS X, Mandrake, MS Windows, OpenBSD, OSF, PLD Linux Distribution, RedHat - Fedora, Slackware, Solaris 8 SPARC, Solaris 9 SPARC 64bit, or SuSE, I'd Recommend you Get your Free Virus Scanner Here: Clamav - Free Open Source Virus Scanner!

[Paul C. Jesup]

The latest on this is the company that created the program that uses this exploit is funded by the RIAA; http://www.dslreports.com/shownews/58692

I sense both a DMCA and civil lawsuits in the RIAA's future.