Microsoft Reverses Plan, Will Patch Media Player

Microsoft will patch its Windows Media Player after all.

One week after saying it had no plans to change the way WMP (Windows Media Player) handles the download of DRM licenses, Microsoft now says it will release an update in the next 30 days to help thwart the threat of spyware infection.

The about-face comes amid reports that malicious hackers are rigging .wmv files and using the anti-piracy mechanism to infect computers with spyware, adware, dialers and computer viruses.

Read more here about hackers tuning in to Windows Media Player.

“While this issue is not the result of any exploit of Windows Media DRM, we do recognize it may cause problems for some of our customers,” the company said in a statement.

“To help mitigate these problems, Microsoft is committed to providing an update to Windows Media Player in the next 30 days that would allow the end-user more control over when and how any pop-ups display in the license acquisition process.”

The software company urged customers to treat DRM license downloads like any other Web page attempting to install malicious software. “If they are on Windows XP, install Service Pack 2 [SP2]. If they’re not running Windows XP, they can install a pop-up blocker and tighten the security settings in Internet Explorer to not allow the automatic installation of Active X controls,” Microsoft added.

But Ben Edelman, a Harvard University student who tracks the spyware scourge, said Microsoft’s statements that SP2 users are not at risk are misleading.

“That’s just not true. Computers with both SP2 and Windows Media Player 10 would block those pop-ups. However, a computer with SP2, but without WMP10, would display the pop-ups as usual,” Edelman told eWEEK.com.

“What about those SP2-but-not-WMP10 users? I fear they actually are at extra risk of being confused here. For one, they think they’re protected generally—due to so much SP2 hype,” Edelman added.

Edelman also called on VeriSign to revoke digital certificates used by any company found to use this misleading installation tactic. “ActiveX pop-up installers only display if they are signed by a valid certificate. If VeriSign revokes a company’s certificate, then none of that company’s ActiveX installers are displayed,” he said.

It is likely that Microsoft’s WMP update will cause the WMP’s license-retrieval window to always use the Restricted Sites zone. The company also could change the default settings for the “acquire licenses automatically for protected content” feature.

When a user tries to play a DRM-protected file, that feature automatically triggers an Internet Explorer browser session and walks the user through the installation process.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.