Crackers Tune In to Windows Media Player

jamshedji writes "Crackers are using the newest DRM technology in Microsoft's Windows Media Player to install spyware, adware, dialers and computer viruses on unsuspecting PC users."

It's like sun on your wedding day?

[garcia]

"It's pretty ingenious," said Patrick Hinojasa, chief technical officer at Panda Software. "To take an anti-piracy feature and use it to feed spyware is extremely ironic."

Not quite ingenious but certainly not ironic. Perhaps if they were loading copyrighted materials such as movies and music onto your machine while you were attempting to download the license for DRM *then* it would be ironic.

The sad thing is that 99% of Windows users are likely telling WMP to install these licenses automatically when they try to play a media file. It's the "popup addiction" at work. People can't stand popups and anything to get them out of the way for good is they way they want to go.

This is going to become yet another excuse for trusted computing and single codec repositories. "Look! You are being infected by those bad sites on the Internet! Want protection? Use trusted computing and you'll never have a problem again! Just sign here, here and here. Pay here and connect here. Ahh, isn't that better?"

It's a bit like IE and activeX except..

[Ckwop]

this time.. we probably wont have the ability to turn it off.

This will become the new ActiveX.. I can see it already..

Simon.

No logic

[MarkRose]

One has to wonder why an application whose primary purpose it is to just display data is such a huge vector for infection. What was Microsoft thinking when they made it possible for movies to automatically open URL's and install stuff? Perhaps someone can explain the logic to me.

Re:Unsuspecting???

[garcia]

For those who still don't suspect, you might try Firefox.

What does Firefox have to do with ending Spyware via WMP? Absolutely nothing. Last time I checked Firefox opened WMP on Windows machines when you attempted to play a media file.

Hmm.

Now maybe if you had suggested some little known media player that didn't automatically install codecs after you clicked "don't ask me again, just install" then maybe your post would have been worth something.

At least RTFA.

Surprise surprise...

[tommertron]

Remember when media files used to be safe? When we only needed to worry about files with .exe and .zip and a few others containing viruses or malware? Even before the DRM stuff in Media Player, MS added the ability for video clips to launch web pages. Gee, great idea. Did they never think that people could have exploited that?

Is it really worth sacrificing the safety of media files so that video players could launch web pages and other code? Another example of Microsoft trying to add usability, whlile sacrificing security. There's no way they couldn't have known about this security flaw.

Re:Hackers, not Crackers.

[DrinkingIllini]

Because as /.ers we know the difference, and these are most certainly crackers, not hackers.

Someone's got to say it

[Bronz]

They aren't using Windows Media Player to install spyware. They are using WMP to get users to click on a link that takes them to a webpage where, presumably, the user's browser is compromised.

Give the proliferation of spyware *without* this new fishing technique, I don't understand the significance of this. People find spyware all by themselves, they don't need any help.

Re:No logic

[garcia]

What was Microsoft thinking when they made it possible for movies to automatically open URL's and install stuff?

To make it easier for users to watch movies. Codecs to watch movies are available all over the place but a generally dumb Windows user wouldn't have the faintest idea where to get that.

Microsoft was attempting to make their media viewing a bit easier by telling them the codec wasn't installed (rather than displaying their famous acid-trip screen saver) and that WMP could attempt to install it for them.

It's partly the users' fault for clicking on "stop bugging me about this in the future and just install everything known to man without asking."

...so, when did Firefox become...

[lxt]

...a media player? It's a flaw in Windows Media Player, not (unusual as it is) Internet Explorer.

So, in other words - use VideoLAN :)

Re:It's like sun on your wedding day?

[Squatchman]

I can't remember WMP ever asking me for a license before. Maybe I'm just not using the right features, but it plays just about any media file I throw at it without any bitching(codecs being installed). Something like this could REALLY wreck hell if it was written to work with iTunes. A good number of those people buy their music from the service.

Re:Surprise surprise...

[DrSkwid]

Remember when media files used to be safe? When we only needed to worry about files with .exe and .zip and a few others containing viruses or malware?

Presumably that was before you learned things.

All data is safe, processing untrusted data is potentially dangerous, particularly if it is automatic.

Email is just plain text but look how many buffer overflows various email clients have had just parsing it

http://www.google.co.uk/search?q=email+parsing+buf fer+overflow [google.co.uk]

and is has nothing to do with OSS/CSS they have all been vulnerable in various ways over time.

Re:No no no, all wrong

[RPoet]

I like the variant term Richard Stallman likes to promote: Digital Restrictions Management.

True, but sad.

[Penguinoflight]

I agree with your trusted computing satement, if Microsoft does acknowlege this incident there will only be more problems. Microsoft has been doing this kind of thing for years, so I dont expect their announcements to suddenly be more honest. I'd be even more surprised if the mass media found the real story instead of propogating microsoft garbage speak. Microsoft has been loosing credibility for several years now, in the future I look for "non-trusted computing" to be EASIER, and more trusted. When consumers see a open market that meets these requirements (and it's already impressive), they'll seriously consider a new platform.

Re:You know my solution.

[jfengel]

Thing is, this is one of those cases that hits Windows more because of the monoculture than directly due to the inherent security flaws or the DRM problem.

In general "advanced" formats will require downloading software. The fact that the "advance" here is DRM is almost immaterial, except perhaps for the fact that some people believe they're downloading a license rather than software. But Windows asks explicitly if you want to download and install the software. You get a warning, you have to say, "Yeah, I want that piece of malware." The message may not be clear enough, and since there are cases where you do want it you're asking a naive user to make a fairly sophisticated security judgment, but it is there, and the malware can't bypass it. It doesn't need to.

To my knowledge Linux doesn't have a good solution to that problem, either. If you need software to play that movie/music, it's up to you to verify that the software isn't malware. Linux users escape this problem largely because there aren't enough of them to make it worth the malware writer's effort (as well as the fact that Linux users tend to be better educated and would answer "Hell no!" to the question if asked).

What's needed here is a security sandbox. Download the codec but don't give it permission to do anything except take stuff from one place in memory and dump it to another, or access a limited direct-to-video API. No network access, no disk access. I'm not aware of any particular Linux security sandbox.

Microsoft does have its own, in its C#/CLR, though clearly that hasn't made it to the point of writing codecs yet. And it may not, since these are performance-intensive apps and virtual machines impose overhead. I've seen codecs written in Java, and they're tolerable but not what you'd choose.

Re:You know my solution.

[cgranade]

On the other hand, so much of this could be avoided by at least not tying DRM into the lowest levels of the OS. Same issue as I have with MSIE. Comprimise Firefox, and you've comprimised an application. Comprimise MSIE, and you've comprimised Windows itself. Furthermore, since all lusers have admin privliges by default, any damage done by even an application can be severe. Hence, my reommendations. First, move the DRM layer out of the OS. Second, don't allow an admin to run the DRM-encrusted software.

Trusted Computing Will Make It Worse

[ftzdomino]

Trusted computing will make current spyware and worm problems a lot worse.

As soon as a bug is found in a trusted computing architecture, which WILL happen, things will get a whole lot worse for the average user. Spyware will be created which your hardware refuses to allow you to remove, even with a boot disk or safe mode. Your computer will refuse allow you to install anti-virus and spyware cleaning tools. The spyware will install a certificate with high trust levels for spyware vendors.

Even if no bug is found, companies like AOL have proven they're willing to sell out their customers by bundling adware with AIM without disclosure. This will likely create an initial hole which can be opened up much wider.

Issues like this are killing Windows. I learned my lesson a few years ago that almost no shareware or freeware can be trusted. This makes Windows a lot less useful and is one of the many reasons why I usually run linux on my desktop.

IMHO, trusted computing will only hurt Windows' usability by the average user.

This automatic downloading has got to stop

[Animats]

It's all Microsoft's fault. They put backdoor IE invocations in everything. And now we're paying the price.

If you have to run Microsoft, one solution is to back off to Windows 2000. You run Windows 2000. Windows XP runs you. Many corporate installations refuse to go with XP for that reason.

It's not just Microsoft, either. Remember that DRM-protected CD that changed the firmware on Apple CD drives so the machine would never work again? (And remember Apple refusing to fix it under warranty?)

Re:It's like sun on your wedding day?

[krgallagher]

Here is another quote:

"In this case, they're using technology meant to secure content. It just shows that the more bells and whistles you add to the technology, the more you open doors for the bad guys,"

To me this just proves that trusted computing is a bad deal. The more control you take away from the end user, the more control you give to the people who would hurt you.

Re:It's a bit like IE and activeX except..

[Glonoinha]

That's the problem - trusted computing implies that you trust the computer and all of a sudden it is making those decisions for you (and screwing you in the process, it appears.)

Re:Simple rule of thumb

[droleary]

I have done exactly the same as your first line... by using virtually nothing but Microsoft products. The difference is, I have a tiny bit of a brain and I don't traverse warez sites and I don't install every program from every jackass on the planet.

Well good for you, but how does your policy help the other 99% of Windows users who don't have a tiny bit of a brain?

What I have gotten is a ton of work done using top of the line tools and software.

I thought you said you were using Windows? You don't get a 95% market share by being top of the line, you get it by appealing to the lowest common denominator. You've gotten the "good enough" experience, which is nothing to brag about.

Re:No logic

[99BottlesOfBeerInMyF]

Microsoft was attempting to make their media viewing a bit easier by telling them the codec wasn't installed (rather than displaying their famous acid-trip screen saver) and that WMP could attempt to install it for them.

You are incorrect. This exploit has nothing to do with fetching codecs. It is a feature that will open a web page specified by the creator of the movie or song file, that is intended to allow the user to buy a license to use the media. Basically it is a "feature" whereby media player will see a movie, notice you don't have a DRM key for it, and open a web page so that you can buy said DRM key. Unfortunately, like usual MS was completely blinded by dollar signs and did not consider that arbitrary files could direct the user to any old web page, and since IE is full of holes, this makes it pitifully easy to use a media file as a trojan.

I have not looked at this exploit more than superficially so I am unsure if the media player will always open the page in IE, or if setting Firefox as your default browser will save you. I also do not know with what privilege level IE connects, at a guess I would think it is as you with the lowest security setting for that page, but it could be your default, or connect as "root." Someone also mentioned that there is a setting to disable this, but it does not seem to work.

It's partly the users' fault for

...expecting their computer to be reasonably secure by default, and not silently install programs from anyone who can lure you to a particular web page. Also for assuming that the computer equivalent of a stereo and VCR will not connect you to random places on the internet and randomly install programs. If Sony made it's consumer appliances like this, when you put a VCR tape in from your neighbor you would have to worry that it might make extra ads appear in the middle of your TV screen from that point on.

Re:It's like sun on your wedding day?

[jemfinch]

Not quite ingenious but certainly not ironic.

I'm getting so amazingly tired of Alanis Haters Anonymous getting on everyone's case for not understanding the word "irony," when in fact, ironically, they themselves do not understand it.

Irony [reference.com] is an "incongruity between what might be expected and what actually occurs." When companies use anti-piracy "features" to install Spyware, it's ironic, because no one expects that DRM will be used to install Spyware.

And, while we're at it, it's unexpected (and thus ironic) when you find a black fly in your chardonnay. It's unexpected (and thus ironic) when it rains on your wedding day. Yes, there are some lines in "Ironic" that aren't themselves ironic, but that fact itself makes the song ironic! So members of AHA are screwed both ways: if they complain that the lyrics do not describe irony, they show by their very complaints that the song itself is ironic.

Take that.

Jeremy

Re:It's like sun on your wedding day?

[SpecBear]

It's not that it's being exploited by genius so much as it was implemented by arrogance. The very nature of DRM software is to conspire with a content provider to use Joe User's computer against him in a way that he cannot circumvent.

Any DRM implementation is more likely to be exploitable in ways such as this. DRM is more likely to be insecure from the user's standpoint because it's designed from the ground up with somebody else's security as the highest priority. And once the software has been exploited, it has the potential to be highly troublesome because the malicious code now has access to a system that was designed to prevent the owner of the computer from tampering with it. The more effective the DRM is, the more dangerous it is to the user.

Perhaps I'm being overly paranoid, but I find this to be quite alarming.

Re:Someone need to explain this

[Steve B]

This is not a security breach in Windows Media Player.
Here is what happens. A wma/wmv DRM protected file needs a license to be played. When WMP plays a file that does not have a license it will open a dialog with a web browser control inside and navigate to the "license store url" that was written inside the file.

A program that can be directed to navigate to a URL listed in some file without asking for user verification is "not a security breach"?

What is a "security breach" in your world?