Seeing the spyware forest for the trees

Over at Broadband Reports, Eric L. Howes has some more details on the issue of “poisoned WMA files” that I’ve been writing about for the past few days. (See this entry and the follow-ups here and here.) His post, WMP Adware: A Case Study in Deception, is enlightening for its depth, and it gives real insight into how this sort of infection lands on a user’s machine. I agree with most of Eric’s conclusions, but I think he’s missing the forest for the trees in a few instances. Let’s start with this paragraph:

Contrary to Ed Bott’s assertion that this is not a “new and horrifying security risk,” the installation practices that users are forced to deal with when attempting to play these rogue Windows Media Player files are so confusing, deceptive, and coercive that regular users are at high risk for unwittingly consenting to the installation of spyware and adware, with potentially dire consequences for their computers, to say nothing of their privacy and security.

My statement that this is not “new and horrifying” reflects the simple reality that these are the exact same techniques that purveyors of crapware have been using from Web sites for years. The ActiveX dialog boxes Eric posted are identical in every respect to those that users see when they visit Web pages that push the same software. This is merely a new variation on an old theme.

When I read the original PC World article, which was long on breathless assertions and short on detail, I was worried that this was a “zero-day exploit” that used a previously unknown vulnerability to install software on a user’s computer without any action required on their part. A reasonable person reading the original article might assume that their machine could get infected simply by playing a music or video file. Similar exploits have happened in the past, and it would be truly horrifying if this were a new exploit that could sneak past even a sophisticated user. But that’s not the case. Everything in this exploit could just as easily be accomplished (and in fact is being done every day) by Web pages that open the exact same ActiveX dialog boxes. I hate the fact that these programs exist, and I’m certainly not defending them. But I don’t see much that’s new here.

Eric goes on to write:

The installation practices combine and exploit a dangerous combination of circumstances and qualities to bamboozle users into believing that they are consenting to the installation of software required to view media files. Among those circumstances and qualities are:

  • a legitimate, required Windows Media Player “Security Upgrade” that conditions users to expect the installation of required software;
  • ActiveX Security Warning boxes that users find inherently confusing because of the vague and inadequate information provided;
  • ActiveX installation prompts for software deliberately named to give the impression that it is yet another required Windows Media Player upgrade;
  • repeated, insistent pop-ups designed to coerce users into consenting to the installation of software;
  • murky, confusing End User License Agreements that fail to disclose the installation of third-party software as well as the functionality and privacy practices of that software.

With one exception, every item on that list describes exactly how spyware makers push software onto a naive user. The first item on the list is unique to Windows Media Player, but this is a dialog box that appears one time only. As Eric notes, the social engineering tactics that these folks are using are deliberately designed to fool users into thinking that the programs are required updates.

Eric continues:

What we need from Microsoft is a swift fix for the problems summarized here, not attempts to minimize and pooh-pooh the risk or to subtly suggest that users are the problem for not upgrading to XP SP2 and for clicking through installation prompts. As I stressed in an earlier post here at DSLR, it is absolutely inexcusable that media files should have ever become a vehicle for pushing spyware and adware on unsuspecting users. Media files should simply not be a vehicle for adware installations. Period. That there are preventative measures for this unwelcome behavior and functionality is no excuse for the problem itself. It should have never existed in the first place.

Just for the record, I am not trying to minimize this, nor am I blaming this on the user. In fact, I have specifically said the exact opposite. My original remarks were directed at people who regularly visit this site and who read the forums on Broadband Reports. Those people are most likely to be expert users who would be deeply suspicious of dialog boxes like these and who are likely to be running modern, fully patched operating systems. Sadly, they’re the minority in the larger computing world.

The reason that spyware and viruses are epidemic is that older versions of Windows make it easy for people to push this crap, and as Eric correctly notes, the confusing interfaces make it easy for naive users to be fooled by basic social engineering.

I think it’s important that we focus on the forest, not the trees. The biggest problem of all right now is finding a way to protect users of older Windows versions from agreeing to this stuff, regardless of where it comes from. If you fix the ActiveX problem in Internet Explorer, you fix it in Windows Media Player. As I noted, the security features in SP2 worked to prevent this exploit from confusing innocent users. There needs to be an equally effective way to make that protection work for users of older operating systems.
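Since the argument above is that the ActiveX install prompt, not the media file, is the control point, here is an added example (my own illustration, not code from the original post or from Eric’s write-up) of how an administrator can audit and tighten the Internet Explorer “Internet” zone settings that govern whether an ActiveX control reached from a Web page can be downloaded and run. The registry path and the URL-action IDs (1001, 1004, 1200, 1201) are the documented IE security-zone settings; the “recommended” values are this example’s own hardening choice, and the function names are mine.

```powershell
# Added example: audit the IE "Internet" zone (zone 3) ActiveX settings.
# Values: 0 = Enable, 1 = Prompt, 3 = Disable. Lower is more permissive.
# Per-user settings live under HKCU; if the Security_HKLM_only policy is
# set, the HKLM copy of the same path is the one IE actually honours.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL-action IDs as stored in the registry, with the value this example
# recommends for users who are likely to click through prompts.
$actions = @(
    @{ Name = '1001'; Desc = 'Download signed ActiveX controls';                Want = 3 },
    @{ Name = '1004'; Desc = 'Download unsigned ActiveX controls';              Want = 3 },
    @{ Name = '1200'; Desc = 'Run ActiveX controls and plug-ins';               Want = 1 },
    @{ Name = '1201'; Desc = 'Initialize and script controls not marked safe';  Want = 3 }
)
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    param([string]$Path = $zonePath)
    foreach ($a in $actions) {
        $current = (Get-ItemProperty -Path $Path -Name $a.Name -ErrorAction SilentlyContinue).($a.Name)
        if ($null -eq $current) {
            $label = 'not set (IE default applies)'
        } else {
            $label = $meaning[[int]$current]
            if (-not $label) { $label = "unknown ($current)" }
        }
        [pscustomobject]@{
            Action      = $a.Name
            Setting     = $a.Desc
            Current     = $label
            Recommended = $meaning[$a.Want]
            # Weak when unset or more permissive than the recommended value.
            Weak        = ($null -eq $current) -or ([int]$current -lt $a.Want)
        }
    }
}

# Apply the recommended values for the current user. Run with -WhatIf
# first to see the changes without writing anything.
function Set-ActiveXZoneHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $zonePath)
    foreach ($a in $actions) {
        $target = "$Path\$($a.Name)"
        if ($PSCmdlet.ShouldProcess($target, "set to $($a.Want) ($($meaning[$a.Want]))")) {
            Set-ItemProperty -Path $Path -Name $a.Name -Value $a.Want -Type DWord
        }
    }
}

Get-ActiveXZoneAudit | Format-Table -AutoSize
# Set-ActiveXZoneHardening -WhatIf
```

Disabling ActiveX downloads in the Internet zone removes the prompt entirely, which is the point: a user who cannot be offered a “required update” cannot be talked into accepting one. Sites that genuinely need a control can be added to the Trusted sites zone instead of loosening the Internet zone for everyone.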

Eric says I’m “blaming the user” because I wrote this:

But really, isn’t that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? … But how likely is it that the type of user Suzi is describing will download and install that patch?

I stand by that remark. Eric is demanding that Microsoft patch this vulnerability. I agree that it should be done. But the reason that viruses and spyware spread is that no matter how hard we try, many people simply don’t install patches after they’re released. I get virus-infected e-mail messages every day. In most cases the people who are infected with those viruses would have been protected if they had installed a patch that was released three or four years ago. If someone hasn’t installed that patch, why would they install a new one to fix this vulnerability?

As I’ve said since Day One, I believe that this is a security flaw and that Microsoft needs to issue a patch to Windows Media Player 9 and release it as a Critical Update. I would hardly call that an “attempt to minimize and pooh-pooh the risk.”

I have also reported this issue to security@microsoft.com. That’s an important first step in getting a patch written and released.