Microsoft: No flaw in Media Player

By Dan Ilett
Posted on ZDNet News: Jan 14, 2005 9:57:00 PM

Spanish security company Panda Software warned earlier this week that several companies are apparently using Microsoft Media Player's digital rights management (DRM) tool to fool people into downloading spyware and viruses. The existence of the files was confirmed by Harvard researcher Ben Edelman.

Microsoft responded Friday, saying that the security risk does not arise from a flaw in its rights management tool, although the issue is triggered by an apparently content-protected file. Content distributors can use Windows Media Player to pop up a Web page with information about a video or song, and in this case, that page was apparently loaded with automatic spyware download mechanisms.

The automatic downloads would be blocked on any computer running the Service Pack 2 release of Windows, Microsoft representatives said. People can also protect PCs running older versions of the operating system by turning up the security settings in Internet Explorer to "high," they added.

"There is no way to automatically force the user to run the malicious software," Microsoft said in an e-mailed statement. "This function is not a security vulnerability in Windows Media Player or DRM."

The appearance of the files on peer-to-peer networks marks a new twist in the old problem of "drive-by downloads," in which companies have used vulnerabilities in the Internet Explorer browser, or simply taken advantage of Web surfers' unfamiliarity with technology, to trick them into downloading abusive software.

The Federal Trade Commission has sued at least one company, run by former spammer Sanford Wallace, for distributing adware and spyware through this kind of Web page mechanism. This is the first time the Microsoft rights management tools have been publicly used to trigger the effect, however.

Panda Software said in an advisory that two versions of the dangerous files are being distributed. However, both are easy to spot once they have run. After connecting to the Internet, they display the message: "Thanks for downloading this file. Click Play to listen."

If someone clicks through the site, spyware is automatically downloaded to the victim's PC, Panda said.

Panda and Harvard researcher Edelman each have identified a small company called Protected Media and file-swap fighter Overpeer as responsible for the Trojan-like Windows Media Player files.

Protected Media did not immediately return calls seeking comment. Overpeer's chief executive officer, Marc Morgenstern, said his company was not responsible for sending any software to people's computers.

Overpeer is hired by record labels and music studios to distribute "decoy" files on file-swapping networks, hoping that potential downloaders will find a false version of the latest Britney Spears single, rather than the real one, for example. In some of those decoys, Overpeer does include code that pops up a Web page window, but Morgenstern said his company's pages simply direct users to an authorized digital song store.

"We're not delivering or serving spyware or viruses," Morgenstern said. "We don't know who did this thing that was mentioned, but it wasn't us."

A Microsoft representative said the software company was continuing to pursue the problem.

"We are concerned, because it is behavior inconsistent with what we would do with our DRM," said Mike Coleman, lead product manager for Microsoft's Windows client consumer division.

Microsoft is planning to release an update to the Windows Media Player that will shut down a file's ability to automatically pop up a Web page, unless the user turns that function on, a representative said.

Dan Ilett of ZDNet UK reported from London.

Spanish security company Panda Software warned earlier this week that several companies are apparently using Microsoft Media Player's digital rights management (DRM) tool to fool people into downloading spyware and viruses. The existence of the files was confirmed by Harvard researcher Ben Edelman.

Microsoft responded Friday, saying that the security risk does not arise from a flaw in its rights management tool, although the issue is triggered by an apparently content-protected file. Content distributors can use Windows Media Player to pop up a Web page with information about a video or song, and in this case, that page was apparently loaded with automatic spyware download mechanisms.

The automatic downloads would be blocked on any computer running the Service Pack 2 release of Windows, Microsoft representatives said. People can also protect PCs running older versions of the operating system by turning up the security settings in Internet Explorer to "high," they added.

"There is no way to automatically force the user to run the malicious software," Microsoft said in an e-mailed statement. "This function is not a security vulnerability in Windows Media Player or DRM."

The appearance of the files on peer-to-peer networks marks a new twist in the old problem of "drive-by downloads," in which companies have used vulnerabilities in the Internet Explorer browser, or simply taken advantage of Web surfers' unfamiliarity with technology, to trick them into downloading abusive software.

The Federal Trade Commission has sued at least one company, run by former spammer Sanford Wallace, for distributing adware and spyware through this kind of Web page mechanism. This is the first time the Microsoft rights management tools have been publicly used to trigger the effect, however.

Panda Software said in an advisory that two versions of the dangerous files are being distributed. However, both are easy to spot once they have run. After connecting to the Internet, they display the message: "Thanks for downloading this file. Click Play to listen."

If someone clicks through the site, spyware is automatically downloaded to the victim's PC, Panda said.

Panda and Harvard researcher Edelman each have identified a small company called Protected Media and file-swap fighter Overpeer as responsible for the Trojan-like Windows Media Player files.

Protected Media did not immediately return calls seeking comment. Overpeer's chief executive officer, Marc Morgenstern, said his company was not responsible for sending any software to people's computers.

Overpeer is hired by record labels and music studios to distribute "decoy" files on file-swapping networks, hoping that potential downloaders will find a false version of the latest Britney Spears single, rather than the real one, for example. In some of those decoys, Overpeer does include code that pops up a Web page window, but Morgenstern said his company's pages simply direct users to an authorized digital song store.

"We're not delivering or serving spyware or viruses," Morgenstern said. "We don't know who did this thing that was mentioned, but it wasn't us."

A Microsoft representative said the software company was continuing to pursue the problem.

"We are concerned, because it is behavior inconsistent with what we would do with our DRM," said Mike Coleman, lead product manager for Microsoft's Windows client consumer division.

Microsoft is planning to release an update to the Windows Media Player that will shut down a file's ability to automatically pop up a Web page, unless the user turns that function on, a representative said.

Dan Ilett of ZDNet UK reported from London.