Update: The original version of this post contained an error. According to my testing, the most recent version of Windows Media Player 10 does not include all of the fixes referred to in this article. The Windows Media FAQ offers this confusing explanation: “If you installed the latest update to Windows Media Player 10 (version 10.00.00.3802 or later), clearing [the Acquire Licenses Automatically] setting will potentially affect all protected files that you try to play, burn, or synchronize. If you have not installed the latest update to Windows Media Player 10, this setting will only affect certain types of protected files.” See the updated instructions below.
Microsoft has finally released an update that protects some users of Windows Media Player 9 Series from media files that try to install spyware/adware by exploiting a flaw in the license acquisition process. (For background on this issue, see How to fumble a security update.)
The procedure for fixing this issue varies depending on your Windows version and which version of Windows Media Player you’ve chosen to use. Microsoft has done a terrible job of getting out the word that an update is available, and as a result most Windows users are still unprotected. The full version of this post contains detailed instructions and is a must-read for any Windows user.
- If you run Windows XP and you have upgraded to Windows Media Player 10, download and install the update for Windows Media Player 10 from this page. (Update: I removed some instructions that refer to installing the most recent version of Windows Media Player 10. As it turns out, this update, despite Microsoft’s earlier assurances to me, does not necessarily provide the same functionality as the patch. If you want the latest version, which is identified as 10.00.00.3802, you can download it manually from this page.)
- If you run Windows XP and you have not upgraded to Windows Media Player 10, I recomend that you do so by clicking the link in the previous paragraph. If you choose not to update to WMP10, then scroll to the bottom of this page and download the patch for Windows Media Player 9 Series for Windows XP.
- If you run Windows 2000 or Windows Server 2003, make sure you are running the latest version of Windows Media Player 9 Series (this page should point you to the correct files). Then download and install the update for your operating system from this page.
You should make these changes even if you normally use another program to handle audio and video files. After making these changes, open Windows Media Player, click Tools, Options, click the Privacy tab, and clear the Acquire licenses automatically for protected content option. From this point forward, you will see a warning dialog box any time a Windows Media file tries to download a license. If the file comes from an untrusted source, you can click No and reject the Web page associated with the license, effectively blocking the attempt to install a spyware/adware program.
If you run Windows 98 or Windows Me, there is no patch for Windows Media Player 9 Series. If you are unable or unwilling to upgrade to Windows XP, I strongly recommend that you disable all downloads of signed and unsigned ActiveX controls.
Trying to get information out of Microsoft’s Windows Media team on this issue has been painful, to say the least. The program manager for this group ignored two e-mail messages I sent last week. Last Friday, I spoke with a representative of Microsoft’s PR agency handling this issue, Weber Shandwick. No response. The updates for Windows Media Player 9 Series were posted with no notice, and it wasn’t until a month later that the associated Knowledge Base article was updated. The fixes are not available via Windows Update or through the normal update process for Windows Media Player. The documentation that explains what additional settings need to be adjusted is buried in a lengthy FAQ. In other words, people who need this update are unlikely to find it, install it, and configure it correctly. So, Microsoft can truthfully claim that they’ve “fixed” this problem (at least for people using Windows 2000 / XP / Server 2003), but most customers won’t experience this benefit.
As a company, Microsoft has done a superb job in changing its approach to security over the past two years. When dealing with Windows vulnerabilities, the Security Response Center has been a model of transparency and quick response. However, the Windows Media group hasn’t got the message. Their response to this important security issue – or more accurately, their lack of response – has been pitiful.
Ed Bott 
I am running Windows XP and WMP 10.00.00.3646 and running the Update from inside WMP does not detect any updates. I am off to apply the manual fix.
Same thing for me, I have 3646 and the check for updates reveals that I have the “latest” version.
Manual update for me. This is the most pathetic security update release I have seen in some time…you would think Microsoft would be rushing to get this out quickly.
Same for me as well – 3646 and no automatic update.
My head’s about to explode from all the permutations of this stuff. I’ve just updated the post to reflect the fact that 3802 may not be sufficient. On some computers running Windows XP and WMP 10, the upgrade to 3802 seems to fix this issue, but on others it doesn’t. So go ahead and update if you want, but also download and install the 892313 patch.
It would be nice if this were properly documented, wouldn’t it?
Does anyone please have a WMV/WMA file that points to a safe website? (So I can check I’ve got it set up right.)
There are some sample files at this page, which is owned by a company that sells DRM packages. Click the Free sample, which will open in Windows Media Player. It’s a harmless media clip that displays a logo. Play the clip in WMP a couple times and you will eventually be prompted to acquire a license. If you see a dialog box first, you’ve successfully installed the patch.
Pathetic. I am experiencing the same problems as the others who have commented. I have 3646 too and the check for updates reveals that I have the “latest” version. It took me awhile to locate the patch. Typical Microsoft doesn’t make it very easy. They don’t know how to use Active Directory even though they actively promote it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;892313
The April Security newletter didn’t even mention this patch.
So do you uninstall 3646 to upgrade to 3802?
There is an error in your WMP April 18 posting.
In the paragraph
If you run Windows XP and you have upgraded to Windows Media Player 10, download and install the update for Windows Media Player 10 from this page. (Update: I removed …patch. If you want the latest version, which is identified as 10.00.00.3802, you can download it manually from this page.)
The two links (“this page”) are identical!!
(and both end with 34682 and lead to the
manual installation page)
As I write this, it is April 22, ca. 6pm MDT
yerubal
Many thanks for fixing the glitch (see my April 22 comment)! Now the two links are different and point to where they should.
yerubal, april 24
Thanks for pointing out the mistake! I was able to fix it very quickly once you made note of it.
Ed, I am using Win 98SE & WMP V 9.00.00.2980. In simple English for us computer dummies how do I “disable all downloads of signed and unsigned ActiveX controls”? Or forget it, and just uninstall it?. Thanks for your help.
Larry, follow the manual intructions here. If you’re willing to experiment with the script, you could try it as well, but I haven’t tested it on Windows 98 and don’t know whether it would work. I think it won’t.
Thanks Ed for getting back to me. I took the manual route. I feel a little safer now. It’s nice to find a site that (we) non technical people can use to answer our bazillon questions. I will recommend your site to all my non-tech friends (we are all “old dogs trying to learn new tricks”). Thanks again for your time…..
Hapy to help. And you should also check out the Windows XP Inside Out Forum…
I want to mention that when people upgrade Media Player using the patch, Media Player then becomes version 3901. So the patch must contain more functionality than just upgrading to version 3802 of Media Player unless the patch contains a bug in the version number since Microsoft has been known to do that with some of their product patches.
Windows Media Player 10, and even Intervideo player DVD5, at start up both show “not responding”. I used Registry Mechanic to clean out registry (after reading your tip Ed, wont do again)however, then they both worked. Later on, having a senior moment, decided to defrag, and now the players dont work !!! I assume from this that a defrag file needed for the players must be in the wrong file……..I restored all the registry cleaned, but still players dont work. Any further suggestions short of re-formating etc???? OS is XP prof. Thanx for anyhelp.
I would try a system restore. Also just reinstall Windows MediaPlayer and the InterVideo codec.
Navigatr1, are you running Media Center Edition? It gets a separate WMP version number…
I have windowsxp os installed in my computer. Due to its crash i want the upgrade the xp but it lead to incomplete installation. i like to uninstall or remove that incomplete installation from my computer. give me the tips.
My WMP 9 just updated and turned into WMP 10. I have no manual or tutorial for use. My videos attached to E-Mails play sound but no picture. That is all I want to use it for. I had same problem on WMP 9. Microsoft Knowledge Center had hundreds and hundreds of questions they wanted me to review first. They hae not answered. I play DVDs on my TV and CDs on my CD player. What am I doing wrong – and should I download your product to keep it updated?
Hi – I downloaded your Media Player 10 update. And I downloaded codecs from Microsoft. My problem, MP screen comes on as soon as my XP Home boots up. I have to close it before I can click Start and Internet or E-Mail. And short videos attached to E-Mails still play only sound with no picture. What else can I try? Thanks for your help.
KMullins, July 3, 2005 11:05 a.m.
K, I’m sorry, but I can’t offer tech support here in the comments. It sounds like you have a program or a file that’s trying to load when you start up your computer. If you use the search box on this site (top right corner) to search for startup, you’ll find some ideas, including this tip.
Best of luck to you.
I am new to computers,I have “microsoft autmatic updates” and some how I think it installed wmp 10 and now I CAN NOT WATCH MOVIES. I bought the computer 2 years ago and iI used to watch movies on my computer via dvd ram, I have windows xp and now when I want ot play a movie a small window says I most install a decoder, I HAVE IT ALREADY WHEN I BOUGHT THIS COMPUTER. I ask at the store and the tech says that maybe it was automatically erased when I installed wmp 10 please HELP