eWeek’s Ryan Naraine has an excellent update on the “poisoned Windows Media files” controversy that I’ve been covering here for the past few weeks. (See this post for a roundup of the confusion over the WMP10 update; and see “Someone at Microsoft doesn’t get it,” which I posted on January 14, for details on the problem itself and Microsoft’s response.) Ryan writes:
Redmond has hemmed and hawed on its response to the threat and the circumstances of the latest admission aren’t sitting well with security researchers.
When the first red flag was raised in early January, Microsoft made it clear that the use of rigged .wmv files to exploit the DRM (digital rights management) mechanism was not a software flaw.
A week later, the company reversed course and promised new versions of WMP within 30 days. “While this issue is not the result of any exploit of Windows Media DRM, we do recognize it may cause problems for some of our customers,” the company said in a statement. To help mitigate these problems, Microsoft said the software would be tweaked to “allow the end-user more control over when and how any pop-ups display in the license acquisition process.”
I’ve just re-tested some samples of the infected Windows Media files using the latest build of Windows Media Player 10. I can’t see any difference in behavior. Meanwhile, as Ben Edelman has already documented, anyone using Windows Media Player 9 Series is still at risk, and the Windows Media Player 10 update is not listed as a Critical Update. Microsoft now says they will issue a “down-level patch” for Windows Media Player 9 users. No word on when it will be available.
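Re-testing samples like the ones above starts with knowing whether a media file carries a DRM header at all, and where its license-acquisition URL points, since that URL is what the player contacts (and what drives the pop-ups) when the file is opened. The following added example, which is not code from the original post or from Microsoft, parses the ASF container used by .wmv/.wma files and reports any Content Encryption object and its license URL, then compares the URL’s host against an allow-list. It assumes the public ASF object layout (Header Object, Content Encryption Object and Extended Content Encryption Object GUIDs and the length-prefixed fields of the Content Encryption Object); the sample file it inspects is constructed inline as a header-only stub, not a playable clip, and the trusted-host set is a hypothetical placeholder.

```python
import struct
import uuid
from urllib.parse import urlparse

# ASF object GUIDs (stored little-endian in the file, hence .bytes_le)
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le


def _cstr(raw):
    """Decode a null-terminated ASCII field."""
    return raw.rstrip(b"\x00").decode("ascii", "replace")


def _length_prefixed(data, off):
    """Read a DWORD length followed by that many bytes; return (bytes, new offset)."""
    (n,) = struct.unpack_from("<I", data, off)
    off += 4
    return data[off:off + n], off + n


def parse_content_encryption(payload):
    """Content Encryption Object: secret data, protection type, key ID, license URL."""
    secret, off = _length_prefixed(payload, 0)
    ptype, off = _length_prefixed(payload, off)
    key_id, off = _length_prefixed(payload, off)
    url, off = _length_prefixed(payload, off)
    return {"protection_type": _cstr(ptype), "key_id": _cstr(key_id), "license_url": _cstr(url)}


def inspect_asf(data):
    """Walk the ASF Header Object and collect DRM-related sub-objects."""
    if data[:16] != ASF_HEADER:
        raise ValueError("not an ASF container")
    header_size, _count = struct.unpack_from("<QI", data, 16)
    off = 30  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    end = min(header_size, len(data))
    result = {"drm": False, "extended_drm": False, "license_urls": []}
    while off + 24 <= end:
        guid = data[off:off + 16]
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24:
            raise ValueError("corrupt object size")
        payload = data[off + 24:off + size]
        if guid == CONTENT_ENCRYPTION:
            result["drm"] = True
            result["license_urls"].append(parse_content_encryption(payload)["license_url"])
        elif guid == EXT_CONTENT_ENCRYPTION:
            result["drm"] = True
            result["extended_drm"] = True
        off += size
    return result


def assess(result, trusted_hosts):
    """Triage verdict: flag DRM files whose license URL host is not on the allow-list."""
    if not result["drm"]:
        return "no-drm"
    for url in result["license_urls"]:
        host = urlparse(url).hostname or ""
        if host not in trusted_hosts:
            return "untrusted-license-url"
    if not result["license_urls"]:
        return "drm-no-url"  # Extended DRM only; license info lives elsewhere, review manually
    return "trusted-license-url"


# --- constructed sample (header-only stub, not a playable file) ---
def _asf_object(guid, payload):
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def _lp(raw):
    return struct.pack("<I", len(raw)) + raw


def build_sample_asf(license_url):
    """Build a minimal ASF header carrying one Content Encryption Object."""
    ce = (_lp(b"\x00" * 4) + _lp(b"DRM\x00") + _lp(b"example-key-id\x00")
          + _lp(license_url.encode("ascii") + b"\x00"))
    body = _asf_object(CONTENT_ENCRYPTION, ce)
    return ASF_HEADER + struct.pack("<QI", 30 + len(body), 1) + b"\x01\x02" + body


if __name__ == "__main__":
    sample = build_sample_asf("http://license.example.test/acquire")  # hypothetical URL
    info = inspect_asf(sample)
    print(info, assess(info, {"license.example.test"}))  # hypothetical allow-list
```

Against a real file, `inspect_asf(open(path, "rb").read())` gives the same dictionary; a DRM-tagged file whose license URL is not on your allow-list is exactly the kind of sample worth opening only in an isolated test machine.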
Ben and I are quoted extensively in this story. As I told eWeek, I can’t figure out why no one from Microsoft bothered to call or e-mail Ben, Eric L. Howes, or me, back in January, when all of us had conducted extensive tests and published our findings. I’m also baffled that Microsoft’s Security Response Center hasn’t taken ownership of this problem. As I told eWeek, “If Windows Media Player is going to be a part of the operating system, it has to play by the same rules as the rest of the Windows team.” That means taking reports like this one seriously and making sure the update actually fixes the problem.
Microsoft doesn’t respond to anyone about security issues unless everyone in the world but them is able to reproduce the issue.