Three months after promising to update its flagship Windows Media Player software to block a well-known spyware infection vector, Microsoft has still not provided security for the majority of its users.
The software giant’s inability to ship a timely update for users of its Windows Media 9 Series has triggered new questions about Microsoft Corp.’s handling of a legitimate security threat to consumers.
Back in January, when security researchers discovered that malicious hackers were distributing rigged “.wmv” files to trick users into downloading malicious software programs, Microsoft originally brushed aside the warnings and insisted the attack vector did not exploit a vulnerability in the software.
One week later, the company did an about-face and promised updates within 30 days to modify the way the media player handled the download of copyright-protected media files.
On Feb. 15, Microsoft pushed out two WMP updates which, according to officials, covered the malware infection scenario.
Even the language in Microsoft’s update pointed to the addition of “integrity checks to the DRM system.”
However, during subsequent tests, researchers quickly discovered that a fix for users of WMP9 was not available.
Microsoft would later acknowledge that the WMP9 fix was not yet available, and another promise was made to have the protections back-ported.
“When this issue first cropped up, we mapped out a plan to address it for our users. This plan entailed updating Windows Media Player 10 first,” Microsoft program manager Marcus Matthias said at the time.
“[We are] currently working on an update for Windows Media Player 9 Series…We will let you know as soon as this update is available.”
Six weeks later, the WMP9 fix is not yet available and no one at Microsoft can explain the delay.
A disconnect in Redmond
Ed Bott, a best-selling author who has written extensively on the Microsoft Windows platform, said the hemming-and-hawing from Redmond represents a disconnect between the Windows Media team and the MSRC (Microsoft Security Research Center).
“First, they issued the patch for WMP10 but they did nothing to publicize it. They buried one question on a FAQ page a full week after the new version was released and only after we started making noises,” Bott said in an interview with eWEEK.com.
“The way they handled this has been baffling. What strikes me as odd is that the Windows Media division seems to have a different philosophy toward security than other divisions at Microsoft,” Bott said.
“When you’re dealing with the MSRC, there’s a fairly high degree of transparency in acknowledging [a problem] and releasing a fix.”
“This would have been a non-issue if they had dealt with it in an upfront manner three months ago,” Bott said, adding that it was unacceptable for Microsoft to take three months to provide protection for a large user base.
“The last thing you want to do is clean up a mess after it occurs. Any vector for the distribution of spyware should be taken seriously,” he said, pointing out that Microsoft has already outlined plans to enter the anti-spyware software market.
Eric Howes, an anti-spyware activist who provides consulting services for Sunbelt Software, echoed Bott’s thoughts. “Since January, Microsoft couldn’t get its act together. Throughout this episode, they couldn’t even put out a correct story about what’s going on and what they’ll do to correct it.”
Howes said it was always optimistic to expect Microsoft to provide comprehensive fixes within 30 days but said it was “inexcusable” to take three months to provide the necessary protection.
“We know these [rigged] files are still being distributed. This is an installation vector that is ripe for abuse, and the spyware writers vendors have figured that out. It’s still a very serious problem,” said Howes.
Anti-spyware researcher Ben Edelman said Microsoft should be commended for agreeing to provide a WMP9 patch. “Microsoft doesn’t always ‘back-patch’ its older products, and it wouldn’t have been unprecedented for them to decline to do so here. But having said they’d provide a patch, it does seem like they need to go forward with doing it. The delay has certainly been striking,” Edelman said.
“I think it’s commendable that Microsoft agreed to provide a WMP9 patch—important given the serious deception trickery that the current WMP9 allows, but honestly not something I was expecting,” Edelman added.