According to a report at eWeek.com, Microsoft has no plans to fix a security flaw that affects Windows Media Player. (I’ve written extensively about this earlier; see this entry and the follow-ups here, here, and here.) This quote, if accurate, is wrong on many levels:
Microsoft officials stressed that the latest attack scenario does not exploit a vulnerability in the software.
“Not every problem comes with an automatic technology solution. In this case, the priority is to educate users and get them to understand the importance of not downloading files from untrusted sources,” said Mike Coleman, lead product manager with Microsoft’s Windows division.
“If strangers are trying to entice you to open a file, chances are they’re setting you up for a bad experience. We need to continue our work on getting people to understand what’s going on and get them to develop better download habits,” Coleman told eWEEK.com.
Mr. Coleman doesn’t get it. In a narrow sense, it is true that this does not represent a vulnerability that can cause software to be automatically installed. However, there are at least two security issues that need to be addressed here:
- Windows Media Player 9 is able to bypass crucial protective mechanisms in Service Pack 2 and display ActiveX download dialog boxes that force the user to make a decision about installing software. As Microsoft’s official white paper on changes to functionality in SP2 states: “Providing add-on install prompts in the Information Bar rather than a dialog box reduces the occurrences of users inadvertently installing code on their computer.” As I documented earlier, Windows Media Player 10 behaves properly. This is a bug and should be fixed.
- In all versions of Windows, an attacker can misuse a feature of Windows Media Player 9 that is designed to provide information about licenses to the user. The HTML code called by WMP 9 opens in the Internet security zone. This is unsafe. Several years ago, Microsoft redesigned Outlook Express so that all code in HTML-formatted messages runs in the Restricted zone. They should do the same with Windows Media Player. This step wouldn’t restrict the functionality of informational messages or the Windows Media Guide, but it would eliminate the ability of attackers to exploit the connection between the browser and the player.
A reporter from ZDNet UK got a similar response from a Microsoft source:
“This Trojan appears to utilise a function of the Windows Media DRM designed to enable licence delivery scenarios as part of a social engineering attack,” said Microsoft in an emailed statement.
“There is no way to automatically force the user to run the malicious software. This function is not a security vulnerability in Windows Media Player or DRM.”
But Microsoft didn’t say whether Windows XP SP2 fully protected users from unwanted downloads.
“Internet Explorer for Windows XP SP2 helps prevent downloads from automatically launching. Users who have installed Windows XP SP2 and turned on the pop-up blocker have an added layer of defence from this Trojan’s attempt to deliver malicious software,” said Microsoft.
As I noted before, this is incorrect. The pop-up blocker and SP2’s Information Bar don’t work properly if Windows Media Player 9 is installed. People who have chosen not to upgrade to WMP 10 (which is classified by Microsoft as an optional update) are at risk.
I’d like to see a response from someone on the security team at Microsoft. I’m hoping that someone who truly understands this issue is already working on the fix.
Update: It appears that Microsoft may actually be working on this after all. CNET News reports:
A Microsoft representative said the software company was continuing to pursue the problem.
“We are concerned, because it is behavior inconsistent with what we would do with our DRM,” said Mike Coleman, lead product manager for Microsoft’s Windows client consumer division.
Microsoft is planning to release an update to the Windows Media Player that will shut down a file’s ability to automatically pop up a Web page, unless the user turns that function on, a representative said.
Read additional comments by Eric L. Howes at Broadband Reports (“Blaming the User: MS & WMP Adware Installations”) and Suzi at Spyware Warrior (“Microsoft’s Totally Inadequate Response”).