Windows Media Player Update Fails Spyware Infection Test - Page 2

By Ryan Naraine  |  Posted 2005-03-01

On Tuesday morning, Microsoft program manager Marcus Matthias confirmed that users of WMP 9 remained at risk. "When this issue first cropped up, we mapped out a plan to address it for our users. This plan entailed updating Windows Media Player 10 first," Matthias said in a statement released to

"The new version of Windows Media Player 10 will not allow pop-up of any IE/HTML pages but instead will notify users that Windows Media Player is going out on the Internet to retrieve a license, show the URL it will be accessing, and ask permission to continue or not – all via a pop-up dialogue (no IE pop-up involved)," he explained.

He said Microsoft was "currently working on an update for Windows Media Player 9 Series," which is the only media player from Microsoft that's available for earlier Windows versions. "We will let you know as soon as this update is available," he added.

Bott, who has written books for the Microsoft Press brand, said the confusion pointed to a bigger problem at the software giant. "This whole episode illustrates how difficult it is to get the right person's attention when a security issue arises. And even after you get noticed, you have to get a decision-maker to recognize that the problem exists, understand the exact nature of the security issue, and force the organization to get out the right fix, right away," he said.

In this case, Bott said the biggest breakdown was that the people in charge didn't bother to talk to the independent researchers who actually identified the problem. "No one from Microsoft called Ben Edelman, Eric L. Howes, or me to discuss the issue. If they had, they would have been able to get the fix out weeks ago instead of spinning their wheels."

"If Windows Media Player is going to be a part of the operating system, it has to play by the same rules as the rest of the Windows team and it has to involve the Microsoft Security Response Center," Bott said.

Edelman also criticized Microsoft's overall approach to addressing a legitimate concern for end-users. "All in all, it's quite annoying. [It] feels like they're trying to give us the slip more than trying to actually be helpful to end users," he said.

"The poor labeling and documentation of the patches -- that we had to go to this length to find out what the patch was supposed to do, so we could figure out whether or not it was even working as expected -- makes it all the harder to think they actually care about solving users' problems here," Edelman argued.

Even with the WMP 10 update, Edelman pointed out that the default for the automatic license retrieval was still turned off, meaning that users still have very little control over how the software downloads DRM licenses.

Microsoft's Matthias confirmed the default setting remained "off" but explained that the updated WMP 10 allows for the option to toggle on. "This helps consumers who download a lot of legitimate content from trusted license sources avoid a situation where they get prompted with a dialog box every time they try to download a purchased track – while providing them with the option of being prompted if they so desire," he added.

Matthias defended Microsoft's response to the issue, insisting the company "maintained a clear position that we planned to offer an additional level of protection within 30 days."

"I believe we delivered on that for Windows XP users, who can upgrade from Windows Media Player 9 to Windows Media Player 10 with the added update. And for down-level operating systems, we plan to offer an update as well," he added.
