Crackers Tune In to Windows Media Player

jamshedji writes "Crackers are using the newest DRM technology in Microsoft's Windows Media Player to install spyware, adware, dialers and computer viruses on unsuspecting PC users."

Solution

[Anonymous Coward]

Use the excellent - and free - VLC media player [videolan.org]

Re:It's a bit like IE and activeX except..

[RpiMatty]

No, in this case WMP asked to go download and install the codec needed to play the video file.
When the user clicks yes, then their system becomes infected.
So if you don't trust the video source, or set WMP to not download codec you will be safe

Re:It's a bit like IE and activeX except..

[dewke]

You can turn the "feature" off. The spyware is installed when the player claims it needs a license. The settings for this are on the privacy tab.

Re:Unsuspecting???

[Zocalo]

Last time I checked Firefox opened WMP on Windows machines

Well, to be precise it opens which ever media player is associated with the media file you are trying to open. You can also override this on a per-filetype basis by specifiying a different handler for the file under the "Downloads" section of the Options box - the section titled "File Types". Whether your motivation for switching to Firefox was security, features, web standards or because it's FOSS, then the same motivation should apply to WMP too. Certainly on my Windows boxes none of the primary media types are associated with the DRM and security hole infested WMP.

Re:No logic

[DavidD_CA]

If you RTFA, you'd understand that Windows Media Player attemps to connect to the Internet when a file is played that it doesn't have a valid license for.

In theory, if you download an MP3 with DRM enabled, Windows Media Player will search your computer for the license. If it doesn't find it, it will go to the URL specified in the MP3. This is part of the DRM spec.

"Hackers" are just taking advantage of this, creating fake MP3s/MOVs and making those URLs go to junk-infested sites.

In WMP's defense, it *does* ask you first if you want to go out and hit the site for the DRM license. And once you get there, if you're running SP2 then security is no different than any other mailious website you may visit.

SP2 should block the popups, and give you a much more informative warning if the site tries to push software onto your computer.

Better replacement for WMP

[m50d]

http://sourceforge.net/projects/guliverkli/ [sourceforge.net]

Windows media player like it should be. Low resource usage, plays dvds and any file you have the codecs for installed, without any network access at all. (Unless you're playing a stream or course)

Re:Unsuspecting???

[frodo from middle ea]

Why use WMP at all ? why not use Media Player Classic [sourceforge.net]

Seriously I haven't felt the need to install any AV player after MP Classic and mega codec pack from kazza-lite. Also use real player alternative and quicktime alternative much less resouce use and no phoning back to home.

Re:It's a bit like IE and activeX except..

[notasheep]

Actually, it has nothing to do with codecs. It has to do with acquiring a license to play a video file. And you can turn this off if you'd like in WMP. The problem is that most folks have it set to automatically acquire licenses by default.

Re:It's a bit like IE and activeX except..

[1u3hr]

No, in this case WMP asked to go download and install the codec needed to play the video file.

Nothing to do with codecs. From TFA:

When Windows Media Player encounters a file with certain "rights management" features enabled, it opens the web page specified by the file's creator. This page is intended to help a content providers promote its products -- perhaps other music by the same artist or label. However, the specified web page can show deceptive messages, including pop-ups that try to install software on users' PCs.

Am I missing something?

[d_jedi]

It sounds like (after RTFA) all this does is direct a user to a website - supposedly to get a "license" to play the content.. and once on that website, spyware is downloaded.

So.. isn't this just a new way to get people to visit spyware websites.. which exploit flaws in IE? Meaning, there is no new flaw in WMP here?

As long as WMP uses your default browser to check for licenses (can someone confirm this?) I'm safe :-> (now, to download some more porn off eDonkey!)

Re:Unsuspecting???

[JimFromJersey]

VideoLAN, plays just about everything.

Re:This is why I use Linux..

[boule75]

The issue is: if one does not run Windows with administrator privilieges, one cannot install a huge number of drivers and software, they cannot either use them.

From printers to scanners and CDRom burning tools, there are loads of MS-related stuff that has never been tested -and which does _not_ work- on a properly configured Windows box.

The solution? An improperly configurend Windows box, with full rights for the malware...

Re:No logic

[mindriot]

I guess the question is, why is it even possible that downloading a _DRM license_ (which to me is just a piece of data in a certain format) allows downloading and installing of malicious _executables_ at all?!?

The only thing downloadable should be a valid DRM license. A simple data file basically. Why is it even possible to let it download executables?

Re:I know this is a very pro linux forum but

[peragrin]

Actually MSFT is the probelm. Forget being pro-linux(i am not currently running it). MSFT doesn't know security. It doesn't know how to design security. MSFT first builds features and then tries to figure a way to secure them. Your supposed to work the other way around.

Also Why does WMP default open IE eve if your default web browser is something else?

MSFT programs that were designed wrong to begin with

IE, WMP, Outlook, Active X, Windows Scripting, MS word macros, MS excel Macros(yes they are close).

The fact is MSFT has designed lot's of software and duplicated functionality first, then thought about if what they were doing could cause a probelm.

No OS or software is perfect, but MSFT puts stupid obvious holes in their software and dismisses those who complain. there is no reason why Active x should be designed to take advantge of the entire system. How about Macro's? IE, WMP, Outlook are basically ONE program. That is how tightly they are tied together. Is there a reason why?

Re:Trusted Computing Will Make It Worse

[bigberk]

Issues like this are killing Windows. I learned my lesson a few years ago that almost no shareware or freeware can be trusted. This makes Windows a lot less useful and is one of the many reasons why I usually run linux on my desktop.

Check out the new cleansoftware site [cleansoftware.org] for free windows software that is free from spyware, adware etc. Not unsurprisingly, most of the software listed there is open source (making a future transition to a UNIX platform much easier). So at least while Windows is dying you can still use proper software when you need to still need to boot Windows once in a while ;)

Re:Unsuspecting???

[mzwaterski]

This should not be modded insightful. What garcia didn't process is that WMP will open the default browser to process the DRM license. If Firefox is your default browser it will be opened and presumably the webpage will not be able to use IE exploits to install malware. This of course is due to the fact that the issue is with security holes in IE and not WMP. The issue with WMP is that it is accessing IE.

Someone need to explain this

[alexislashdot]

It seems that 99% of slashdotters didn't understand the article. The article author also has no idea about the subject. Even the "research note" is not perfectly clear.

This is not a security breach in Windows Media Player.

Here is what happens. A wma/wmv DRM protected file needs a license to be played. When WMP plays a file that does not have a license it will open a dialog with a web browser control inside and navigate to the "license store url" that was written inside the file. This feature is called "superdistribution" and it is present in other DRM enabled players as well.

That is all that Windows Media Player does. At most WMP can be acused of not displaying more information about why the dialog was opened. If even the slashdot crowd has problems understanding this, imagine the rest of the computer users.

Once the IE opens the web page it is no different than going to that url yourself in IE.