Updated March 2…
eWeek is out with a news story headlined “Microsoft Updates Media Player to Thwart Spyware Threat”. As far as I can tell, this story is almost completely inaccurate.
Microsoft Corp. has released an update for its flagship Windows Media Player to protect users from a known threat of spyware infection.
Microsoft said the update … installs two components on end users’ computers and will add “additional integrity checks to the DRM [digital rights management] system.”
The company made no mention of a spyware infection, but a spokesperson confirmed the new version of the player was released after Microsoft confirmed that malicious hackers were using the copy-protection mechanism to install spyware, adware, dialers and computer viruses on unsuspecting PC users.
The article refers to the Update for Windows Media Digital Rights Management-enabled players (WindowsMedia-KB891122–x86). I’m still testing, but nothing in the KB article documenting this fix indicates that it provides any protection for users. It appears that the spokesperson is in error and that the reporter simply accepted the inaccurate statement.
To make matters more confusing, an update to Windows Media Player 10 was also released this week, without any documentation of what was changed. Yesterday, Ed Oswald at BetaNews talked with a Microsoft spokesperson who said that this update was the promised fix to the spyware/adware issue:
Microsoft on Wednesday issued an updated Windows Media Player 10 to correct a potential security issue that could allow an attacker to mislead users into downloading malware or viruses instead of a license to playback DRM content.
A spokesperson for Microsoft confirmed that the new WMP release, marked build 3802, was the promised update to take care of issues related to the player’s digital rights management functions.
Needless to say, at least one of these stories is just plain wrong, and I strongly suspect that both are wrong.
CNET News.com has a slightly expanded story that contains similar assertions:
The Redmond, Wash., giant on Tuesday introduced an update to its Windows Media Player, which included changes aimed at blocking the Japanese hackers’ work, as well as a security update.
[…]
The new update also addresses a problem exposed a month ago, in which the Media Player and its digital rights management software could be used to show ads–or even to lure unsuspecting Web surfers into downloading harmful software onto their hard drives, security researchers said.
The process exploited a feature of the Media Player content protection, which allows protected files to pop up a Web page with information about a video or song license. In such a case, that page could be loaded with automatic spyware download mechanisms, Spanish security company Panda Software said.
The new update to the Media Player software contains a setting that allows consumers to request that they be notified any time their computer is going onto the Internet to obtain a content license. By default, this option will be turned off, but computer users can turn it on, Caulton said.
I’ve installed the Digital Rights update on a test PC and compared its options to those on a computer without the update. I can’t find any option in Windows Media Player 10 that matches the description in this story. If it’s there, it’s well hidden. It may be that the option is only available in Windows Media Player 9, but I’ll need to do further testing to see whether that’s the case.
[Update: In a comment to this post, Ben Edelman notes that he has tested the patch with WMP9 and found that it does not change the behavior observed before installing the patch. Ben’s comment includes links to a screen shot and a video of his results showing exactly how the exploit can deceive a naive user. Warning: The end of the video contains explicit sexual content that some viewers may find offensive.]
[Update, March 2: For a follow-up on this story, see “How to Fumble a Security Update.”]
I tested the patch in my lab last night.
Recall the specific problem uncovered last month: On XP SP2, all ActiveX installation attempts are supposed to yield Information Bar confirmations before showing popups. XP SP2 plus WMP10 does in fact do so. But XP SP2 plus WMP9 does not — the popups appear without users activating an Information Bar. Since SP2 purportedly resolved the problem of these misleading popups, SP2 users have reason to lower their guard against such deception. Yet in the case of WMP9, they’re entirely at risk. So this was the problem MS was expected to solve in the patch, and MS was expected to solve it by causing WMP9 to use the Information Bar.
Needless to say, that’s not what the patch did. See the screenshot and video linked below — the result of playing an infected WMV file on a SP2 WMP9 machine. Note the misleading ActiveX popup shown without users clicking on anything. This is NO CHANGE FROM BEHAVIOR OBSERVED BEFORE INSTALLING THE PATCH.
Screen shot
Video
So what did the patch do? As best I can tell, nothing. Very weird.
That’s an easy question: if they are not updated, no one would choose them, for the hot competition.