Nearly two months after promising to update its media player software to block the threat of malware infection, Microsoft Corp. on Tuesday admitted that users of its Windows Media Player 9 Series remain at risk.
Redmond has hemmed and hawed on its response to the threat and the circumstances of the latest admission isnt sitting well with security researchers.
When the first red flag was raised in early January, Microsoft made it clear that the use of rigged .wmv files to exploit the DRM (digital rights management) mechanism was not a software flaw.
A week later, the company reversed course and promised new versions of WMP within 30 days. “While this issue is not the result of any exploit of Windows Media DRM, we do recognize it may cause problems for some of our customers,” the company said in a statement. To help mitigate these problems, Microsoft said the software would be tweaked to “allow the end-user more control over when and how any pop-ups display in the license acquisition process.”
On February 15, Microsoft rolled out two WMP updates which, according to officials, covered the malware infection scenario. Even the language in Microsofts update pointed to the addition of “integrity checks to the DRM system.”
However, security researchers quickly discovered that the WMP update did not solve the problem. Harvard University researcher Ben Edelman told eWEEK.com he tested the updated WMP9 on Windows XP SP2 (Service Pack 2) and found that the spyware infection threat remained. “Regrettably, and quite surprisingly, the update does not seem to solve the problem,” Edelman said.
Ed Bott, a best-selling author who has written extensively on the Microsoft Windows platform, confirmed Edelmans findings and said the absence of documentation with the Microsoft updates caused even more confusion.
On Monday, a spokesman for Microsoft first claimed the Edelman and Bott were testing the wrong WMP update and pointed eWEEK.com to a separate February 15 update to the WMP 10 software.
The problem with that, as explained by Edelman and Bott, is that WMP 10 is only available as an optional update for users of the Windows XP operating system. “Its quite clear that there is major confusion at their [Microsofts] end,” Bott said. “To suggest that the WMP 10 update fixes this problem is obviously inaccurate.”
“The problem, prior to installing the patch, was that users were still receiving a pop-up inviting them to install [malicious] software, without requiring users first to affirmatively request the installation by clicking in an Information Bar style of display. In my testing, that problem remains in effect,” Edelman added.
Next Page: Microsoft confirms the threat exists.
Windows Media Player Update Fails Spyware Infection Test – Page 2
On Tuesday morning, Microsoft program manager Marcus Matthias confirmed that users of WMP 9 remained at risk. “When this issue first cropped up, we mapped out a plan to address it for our users. This plan entailed updating Windows Media Player 10 first,” Matthias said in a statement released to eWEEK.com.
“The new version of Windows Media Player 10 will not allow pop-up of any IE/HTML pages but instead will notify users that Windows Media Player is going out on the Internet to retrieve a license, show the URL it will be accessing, and ask permission to continue or not – all via a pop-up dialogue (no IE pop-up involved),” he explained.
He said Microsoft was “currently working on an update for Windows Media Player 9 Series,” which is the only media player from Microsoft thats available for earlier Windows versions. “We will let you know as soon as this update is available,” he added.
Bott, who has written books for the Microsoft Press brand, said the confusion pointed to a bigger problem at the software giant. “This whole episode illustrates how difficult it is to get the right persons attention when a security issue arises. And even after you get noticed, you have to get a decision-maker to recognize that the problem exists, understand the exact nature of the security issue, and force the organization to get out the right fix, right away,” he said.
“In this case, Bott said the biggest breakdown was that the people in charge didnt bother to talk to the independent researchers who actually identified the problem. “No one from Microsoft called Ben Edelman, Eric L. Howes, or me to discuss the issue. If they had, they would have been able to get the fix out weeks ago instead of spinning their wheels.”
“If Windows Media Player is going to be a part of the operating system, it has to play by the same rules as the rest of the Windows team and it has to involve the Microsoft Security Response Center,” Bott said.
Edelman also criticized Microsofts overall approach to addressing a legitimate concern for end-users. “All in all, its quite annoying. [It] feels like theyre trying to give us the slip more than trying to actually be helpful to end users,” he said.
“The poor labeling and documentation of the patches — that we had to go to this length to find out what the patch was supposed to do, so we could figure out whether or not it was even working as expected — makes it all the harder to think they actually care about solving users problems here,” Edelman argued.
Even with the WMP 10 update, Edelman pointed out that the default for the automatic license retrieval was still turned off, meaning that users still have very little control over how the software downloads DRM licenses.
Microsofts Matthias confirmed the default setting remained “off” but explained that the updated WMP 10 allows for the option to toggle on. “This helps consumers who download a lot of legitimate content from trusted license sources avoid a situation where they get prompted with a dialog box every time they try to download a purchased track – while providing them with the option of being prompted if they so desire,” he added.
Matthias defended Microsofts response to the issue, insisting the company “maintained a clear position that we planned to offer an additional level of protection within 30 days.”
” I believe we delivered on that for Windows XP users, who can upgrade from Windows Media Player 9 to Windows Media Player 10 with the added update. And for down-level operating systems, we plan to offer an update as well,” he added.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.