Andrew Clover adds a comment to my original post with some interesting observations. Worth reading.
One correction to Andrew’s note. He writes:
I did get one ActiveX download box from MS for the DRM stuff immediately prior to the two bogus downloaders, which looked almost identical.
That’s not an ActiveX download. That’s an automatic update from Windows Media Player. It’s not served up as HTML, and it looks completely different. Yes, a user (even a sophisticated one like Andrew) may be confused into thinking this is the same thing. But ultimately, IMO, this is the saving grace for Microsoft.
Because Windows Media Player has an auto-update feature, Microsoft should release a WMP patch that disables all ActiveX functionality in the instance of Internet Explorer that is hosted by the License Acquisition dialog box. They should then push this patch out as a required update via Critical Updates and through the auto-update feature in Windows Media Player. That step would go a long way toward solving this problem.
Update: In a comment, Andrew insists that the DRM update looks exactly like the spyware installers. I went back and snapped some screens so you can compare. I’ve got the details in the extended portion of this post.
In both cases, this prompt for an update appears the first time you try to play a DRM-enabled Windows Media file. Here’s the one from a box running Windows XP with SP2 and WMP 10:
And here’s what you see if you’re running Windows XP RTM (“stock”) with Windows Media Player
9 version 8, the basic version included with the original release of Windows XP:
Compare those with the images in my original post of the spyware installers.
The DRM updates are actual Windows dialog boxes with buttons that link to Microsoft Web pages. The installers are HTML-based. I can see the difference, but I’ll concede that if a sophisticated researcher like Andrew has difficulty distinguishing them, there’s a problem.