In an earlier post, I pointed to the fast-spreading but suspicious story alleging that a flaw in WMA files can plant spyware on your computer. This is a follow-up.
In the extended portion of this post, I provide details and screen grabs. I’m indebted to Eric L. Howes for his assistance. Thanks to Ben Edelman for posting a detailed report on his experiences with earlier operating systems and to Andrew Clover who provided a sample file that ultimately made its way to me.
Here’s a quick summary of what you need to know:
- The PC World story contained several errors and some misleading statements.
- I have not identified any circumstance in which this exploit can install software on a computer that has a properly patched version of Internet Explorer. The victim must specifically click a button to install the spyware.
- The programs in question are digitally signed and are from known companies. The terms of service make it clear what you’re getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.
- The installation mechanism uses social engineering tricks that could fool a naive user. These are the same tricks that are used on Web pages (especially porn sites) to install spyware.
- You are most likely to acquire one of these “poisoned” WMA files from a peer-to-peer file-sharing network. The risk that you will get a file like this from a reputable music seller that uses digital rights management is as close to zero as it is possible to get.
- If you use Windows XP with Service Pack 2 and Windows Media Player 10, you are completely protected.
- If you have restricted ActiveX programs from being installed on your computer, you are completely protected. If you have assigned a program other than Windows Media Player to play back Windows Media content, you should be protected as well, although I didn’t test this scenario.
- Clearing the option to acquire software licenses automatically seems to have no effect on this exploit. [Update: A later update to WMP 10 changed this setting so that it now provides an extra warning before displaying the license acquisition dialog box.]
I copied the test file, which is a file in Windows Media Video (WMV) format, to two test systems. The actual content claims to be a porn file, which no doubt ensures that it will be widely spread. I have read reports that the same technique is used in Windows Media Audio files as well, and from a technical point of view this is absolutely true.
When you first try to play the file, WMP tries to acquire a license from protectedmedia.com (which is apparently a third-party licensing service designed for indie media providers to license content without having to own their own license server). As part of that action, it tries to load a popup and install an ActiveX control.
On a system with SP2 and WMP10, all the security features kick in immediately. Both of these actions are blocked by the security features in SP2. The Information Bar appears in the License Acquisition dialog box (which is a hosted instance of Internet Explorer). Here’s a screen shot:
Note that this dialog box is actually a hosted instance of Internet Explorer. See the Information bar at the top? That’s your sign that the popup and the ActiveX program have been blocked. The image in the dialog box is a Flash animation running on a Web page at protectedmedia.com. (You could bypass all this nonsense by just clicking the Play button at the bottom of the dialog box.) If you click the Info Bar, you can tell it to allow ActiveX programs to be installed. If you do that, a browser window opens with a pornographic Web page in it and you get a Security Warning dialog box where you can choose Install or Don’t Install (the default is Don’t Install). In this second dialog box, the Name of the software is listed as “You must agree to our Terms and Conditions.” When you click the link attached to that text, you go to a Web page that includes the Terms of Service for the software (SpiderSearch). It is digitally signed by the developer, Ultra Web Host LLC. If you click the link to read the terms of service, it clearly says it’s going to show porn ads on your computer.
Notice how the text tries to trick me into installing this software by claiming to be a “required update”? That’s the oldest trick in the book and one that SP2 has specifically been designed to avoid. (Remember that the only reason I am seeing this message is because I authorized ActiveX installations via the Info Bar.) I clicked Don’t Install and saw another message that a pop-up had been blocked. It then prompted me to install a second ActiveX control. This was another spyware program, iSearch. Again, I was presented with a security dialog box where I could choose Install or Don’t Install. The link to the terms of service called it a “Required Media Player Version 9 Browser Update” – a little social engineering. Clicking that link led to a page that was quite clear on what I would get:
By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or it’s partners, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software.
The security features in SP2 worked. All pop-ups were blocked. To install the spyware, I would have to first click the Info Bar and allow ActiveX controls to be installed from that page. If I did that, I would then have to click Install on two separate dialog boxes, where I would have an opportunity to read the terms of service. A user who tried to play this file would have to blow past a lot of pretty serious warnings and click several buttons that pretty clearly say you’re installing software, and the terms of service are pretty clear about what you’re getting. It’s worth noting that these are signed programs. If they were unsigned (I’ve never heard of a virus writer who has gotten a software-signing certificate that any version of Windows would trust) they would be rejected automatically and you would not be presented with an opportunity to install them. Anyone who would go past all these roadblocks has probably already been hit by every form of virus and spyware known to man.
What if you have never upgraded to Windows Media Player 10? With the default version of Windows Media Player 9 Series on Windows XP with SP2, the end result is similar but there’s a crucial difference: the Information Bar doesn’t block the attempt to install the two ActiveX controls. Instead, after I double-clicked the file and the License Acquisition dialog box appeared, I was presented with a Security Warning dialog box for the first ActiveX control. Again, I had to choose Install or Don’t Install, but this choice shouldn’t have been presented to me at all. After I clicked Don’t Install, the second ActiveX dialog box appeared. When I then clicked Don’t Install, I got three pop-ups and the clip began playing. These pop-ups appear regardless of SP2 pop-up blocker settings. (I believe the pop-ups are directly related to actions in the license acquisition process. One is associated with each ActiveX control and one is associated with the clip itself.)
It appears that the instance of IE that is being hosted in the WMP9 License Acquisition dialog box is not interacting properly with the security restrictions in SP2. However, the user still has to click the Install button to install the spyware, and the links to terms and conditions are all there. Nothing is installed automatically.
Initially, I thought that disabling the option to acquire licenses automatically would solve this problem. (In Windows Media Player, you do this by clicking Tools, Options. Click the Privacy tab and then clear the Acquire licenses automatically for protected content check box.) However, further testing reveals that this is not the case. Because these files are tagged as needing a license, the player is going to try to go out and get one. The whole point of this exploit is to bring you to a Web page, so the license is a red herring. In fact, a few seconds ago when I tried to acquire a license, the Flash file disappeared and was replaced with an “adults only” static image. If this were a reputable company, the License Acquisition dialog box would contain legitimate details about the track and the license you just acquired, such as when it expires or how many times you’re allowed to play the clip. [Update: A patch to Windows Media Player 10, released approximately a month after this report, changed the behavior of this option and does provide an extra warning before displaying the license dialog box.]
See how this dialog box tells me I’ve acquired the license and I can just click the Play button?
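Because the trigger is the license tag in the file itself, a downloaded WMA or WMV file can be checked before any player opens it. The following is an added example, not part of the original post: it walks the ASF header, reports whether the file is license-tagged, and flags a license URL whose host is not on a trusted list. The object GUIDs and field layout are taken from the published ASF specification rather than from this page, and the function names, host names and sample bytes are constructed for illustration.

```python
import struct
import uuid
from urllib.parse import urlsplit

# Object GUIDs from the published ASF specification (little-endian on disk).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENC = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENC = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le

def _field(buf, pos):
    """Read one DWORD-length-prefixed field; return (value, next_pos)."""
    end = pos + 4 + int.from_bytes(buf[pos:pos + 4], "little")
    if pos + 4 > len(buf) or end > len(buf):
        raise ValueError("field runs past end of object")
    return buf[pos + 4:end], end

def license_info(data):
    """Report whether ASF (WMA/WMV) bytes are license-tagged, and the URL."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        raise ValueError("not an ASF file")
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    end, pos = min(hdr_size, len(data)), 30  # header objects start at byte 30
    info = {"drm": False, "license_url": None}
    while pos + 24 <= end:
        guid, (size,) = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break  # malformed object size: stop walking
        body = data[pos + 24:pos + size]
        info["drm"] |= guid in (CONTENT_ENC, EXT_CONTENT_ENC)
        if guid == CONTENT_ENC:
            p = 0
            for _skip in range(3):  # secret data, protection type, key ID
                p = _field(body, p)[1]
            url = _field(body, p)[0]
            info["license_url"] = url.rstrip(b"\x00").decode("ascii", "replace")
        pos += size
    return info

def needs_review(data, trusted_hosts):
    """True if the file is license-tagged and its license host is not trusted."""
    info = license_info(data)
    host = urlsplit(info["license_url"] or "").hostname
    return info["drm"] and host not in trusted_hosts

def constructed_sample(url=b"http://license.example.invalid/get\x00"):
    """Constructed input: ASF header with one Content Encryption Object."""
    lp = lambda b: struct.pack("<I", len(b)) + b
    body = lp(b"\x00" * 4) + lp(b"DRM\x00") + lp(b"KID\x00") + lp(url)
    obj = CONTENT_ENC + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Only the first 64 KB or so of a real file is normally needed, since the header sits at the start. A file tagged with only the extended encryption object reports `drm` as true with no URL and is still flagged for review.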
I don’t see this as a new and horrifying security risk, the way some observers do. This is yet another variation of the tried-and-true tactics that spyware providers have been using for years to push their crap: social engineering combined with ActiveX “push” installations. I urge Microsoft to patch this behavior for Windows Media Player 9, but anyone who is aware of current security practices shouldn’t fall for this stuff.
Update: For the most recent information on this issue, see the follow-up here.