Andrew Clover adds a comment to my original post with some interesting observations. Worth reading.
One correction to Andrew’s note. He writes:
I did get one ActiveX download box from MS for the DRM stuff immediately prior to the two bogus downloaders, which looked almost identical.
That’s not an ActiveX download. That’s an automatic update from Windows Media Player. It’s not served up as HTML, and it looks completely different. Yes, a user (even a sophisticated one like Andrew) may be confused into thinking this is the same thing. But ultimately, IMO, this is the saving grace for Microsoft.
Because Windows Media Player has an auto-update feature, Microsoft should release a WMP patch that disables all ActiveX functionality in the instance of Internet Explorer that is hosted by the License Acquisition dialog box. They should then push this patch out as a required update via Critical Updates and through the auto-update feature in Windows Media Player. That step would go a long way toward solving this problem.
Update: In a comment, Andrew insists that the DRM update looks exactly like the spyware installers. I went back and snapped some screens so you can compare. I’ve got the details in the extended portion of this post.
In both cases, this prompt for an update appears the first time you try to play a DRM-enabled Windows Media file. Here’s the one from a box running Windows XP with SP2 and WMP 10:

And here’s what you see if you’re running Windows XP RTM (“stock”) with Windows Media Player version 8, the basic version included with the original release of Windows XP:

Compare those with the images in my original post of the spyware installers.

The DRM updates are actual Windows dialog boxes with buttons that link to Microsoft Web pages. The installers are HTML-based. I can see the difference, but I’ll concede that if a sophisticated researcher like Andrew has difficulty distinguishing them, there’s a problem.
Maybe under SP2 (haven’t managed to test this; probably SP2 already has the required DRM stuff concerned built-in), but in my test with stock-XP the automatic update confirmation box was exactly the same design as the ActiveX download box.
I agree. It would have to cover any pop-ups opened from the hosted box too (not sure if this would happen by default).
SP2 does not have the DRM stuff built in. This is a feature of WMP. I’ll take some screen shots to show the difference.
As for “stock XP” versus SP2, anyone who has not installed SP2 is simply asking for trouble. The improvements are so profound and far-reaching that the only excuse for not installing this update is if you are in a corporate environment that is adequately protected by other measures and has compatibility issues with mission-critical applications.
With SP2 installed, any pop-ups opened by the License Acquisition dialog box would be subject to all the security protections I listed earlier, including blocking of ActiveX controls.
As far as I am concerned, no one running Windows XP should even think about using a P2P file-sharing service without SP2 installed. (Of course, I don’t think any sane person should use Kazaa or Grokster at all, but that’s a topic for another day.)
Hmm… that WMP9 dialogue is not the box I was talking about. I think it was actually a downloader for the WM9 codecs (as I was using stock XP it only had WMP 7), which is the normal style of ActiveX downloader window.
My mistake. I put WMP 9 in the text without checking. That was a clean install of Windows XP RTM, which actually includes Windows Media Player 8 for Windows XP (version 8 was never released for any other Windows version, IIRC). I’ve corrected the post. I didn’t get prompted to download any additional codecs when testing this file.
There are actually three different styles of ActiveX downloader. The first came with XP RTM, the second (cleaner, easier to read) with SP1, and the third with SP2.
I honestly don’t see the point of testing any of these infected files on a version of Windows XP with no service packs installed. In that configuration you can be infected by all sorts of viruses and worms, in the preview pane of a message window or even over an open Internet connection a la Blaster. Anyone who’s running without SP1 or SP2 will be infected with something before too long.
How do I delete these unwanted files! They are write-protected.
Laura