Microsoft’s response to the current flap over “poisoned” Windows Media files is a case study in how not to respond to a security issue. On February 15, Microsoft issued two updates to Windows Media Player 10 – a comprehensive roll-up that changes the version number from 3646 to 3802, and a smaller patch that reportedly adds “additional integrity checks to the DRM [digital rights management] system.” Members of the company’s public relations team then made the rounds of the mainstream PC press announcing that the problem was solved.
No, it wasn’t. Based on my analysis, the current “fix” is inadequate, and many if not most Windows users remain unprotected from an important security flaw.
Ben Edelman and I installed the new Media Player release and discovered that it had no changes in behavior for this issue. I’ve since been in contact with Marcus Matthias, a Product Manager for Microsoft’s Windows Digital Media Division. After several e-mails, we determined that I had not enabled the new security feature in WMP 10 version 3802. He noted that the update adds “another layer of protection” for SP2 users, but only if you click Tools, Options, click the Privacy tab, and then clear the Acquire licenses automatically for protected content check box.
After making this change, I tried to play a file that I knew would load a Web page and try to install a group of spyware/adware programs via the License Acquisition dialog box. Windows Media Player blocked the operation and displayed this dialog box instead.
It’s worth noting that this is a major change in the behavior of this check box, which previously had no noticeable effect on playback of DRM-protected files. Nothing in the documentation I had seen up to that point told me that this was a new security feature. No dialog box or readme file recommended that I change my configuration settings to make my copy of Windows Media Player more secure. For that matter, I still haven’t found any explanation of what’s new in the 3802 build of WMP10. (Last night, Marcus pointed me to question 9.4 on the Windows Media Player FAQ page. Earlier in the day I had checked this page and hadn’t seen any changes. The change log at the bottom of the file confirms that the new content was posted on March 1, more than two weeks after the patch and the new WMP10 version were released.)
So, how likely is it that everyday Windows users – the ones who are most likely to be fooled by the social engineering techniques in these Web pages – will make the necessary security changes? Not very.
- First, you have to install a new build of Windows Media Player. The only way to find this update is to go to the Windows Media home page; it’s not available through Windows Update.
- Next, you must clear a check box on the Privacy tab of the Options dialog box, the behavior of which has changed since the previous version. This requirement isn’t explicitly documented anywhere. You have to find it near the bottom of a FAQ page that contains nearly 18,000 words and more than 120 questions.
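The two steps above can be checked from an administrator's side rather than by clicking through the Options dialog on each machine. The following PowerShell audit script is an added example, not code from the original post or from Microsoft. It assumes the default install path for wmplayer.exe, and it assumes that the "Acquire licenses automatically for protected content" check box is backed by a DWORD named SilentAcquisition under HKCU\Software\Microsoft\MediaPlayer\Preferences (0 = cleared); that value name is an assumption and should be confirmed on a test machine by toggling the box and re-reading the value before the script is used in an audit.

```powershell
# Added example (not from the post or from Microsoft): audit a Windows XP SP2 machine for the
# two conditions the post describes as necessary for the WMP 10 "another layer of protection":
#   1. Windows Media Player 10 is at build 3802 or later (the February 15 roll-up), and
#   2. "Acquire licenses automatically for protected content" is cleared on the Privacy tab.
# ASSUMPTIONS: default install path; the registry value name 'SilentAcquisition' is assumed
# to be the backing store for that check box (0 = cleared). Verify on a test machine first.

$wmpExe   = Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe'
$prefKey  = 'HKCU:\Software\Microsoft\MediaPlayer\Preferences'
$prefName = 'SilentAcquisition'   # assumed value name, see header comment

function Get-WmpBuild {
    # Returns the major version and build number from wmplayer.exe, or $null if not installed.
    if (-not (Test-Path $wmpExe)) { return $null }
    $v = (Get-Item $wmpExe).VersionInfo
    # FileVersion looks like "10.0.0.3802"; the last component is the build the post cites.
    [pscustomobject]@{ Major = $v.FileMajorPart; Build = $v.FilePrivatePart }
}

function Test-AutoLicenseAcquisitionDisabled {
    # $true  = check box cleared (value 0)
    # $false = check box still set
    # $null  = value absent, i.e. the box was never changed from its default (checked)
    $item = Get-ItemProperty -Path $prefKey -Name $prefName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ($item.$prefName -eq 0)
}

$build   = Get-WmpBuild
$autoOff = Test-AutoLicenseAcquisitionDisabled
$findings = @()

if ($null -eq $build) {
    $findings += 'wmplayer.exe not found at the default path'
} elseif ($build.Major -lt 10) {
    # WMP 9 and earlier: the post notes no fix was available for these at the time.
    $findings += "WMP $($build.Major) installed; the fix the post describes applies to WMP 10 only"
} elseif ($build.Major -eq 10 -and $build.Build -lt 3802) {
    $findings += "WMP 10 build $($build.Build) predates 3802; install the February 15 roll-up"
}

if ($autoOff -eq $true) {
    # Setting already cleared; nothing to report.
} elseif ($autoOff -eq $false) {
    $findings += 'Acquire licenses automatically is still checked (Tools > Options > Privacy)'
} else {
    $findings += "Registry value $prefName not present; the check box is at its default (checked)"
}

if ($findings.Count -eq 0) {
    'OK: WMP 10 build >= 3802 and automatic license acquisition is off'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it under the account whose Media Player settings you care about, since the check box is stored per user (HKCU), not per machine; a clean result for one profile says nothing about the others on the same PC.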
The combination of SP2 and WMP10 already offered reasonable protection from this issue, as I documented back in January. And given how deeply this change is buried, the people who are most likely to need the change are the ones who are least likely to make it.
In his initial e-mail to me, Marcus wrote:
When this issue first cropped up, we mapped out a plan to address it for our users. This plan entailed updating Windows Media Player 10 first. … We do realize that not all users are using Windows XP, and since Windows Media Player 10 is not available for earlier versions of Windows we are currently working on an update for Windows Media Player 9 Series, (which is available on earlier Windows versions). We will update you as soon as this update is available.
While it may be true that the plan has always been to help users of Windows Media Player 9 as well, I find it odd that the stories posted by eWeek, Betanews, and News.com in mid-February, all based on interviews with “a Microsoft spokesperson,” made no mention of this plan. In addition, based on my discussions with Microsoft representatives that began last week, I am convinced that the people in charge of communicating this change didn’t understand the problem.
The Windows Digital Media Division insists that this is not a “security vulnerability,” because code cannot be installed inadvertently – the user has to click a dialog box and agree to install a Trojan horse program that masquerades as an innocent browser update or even a required update for Windows Media Player. I am afraid we’re splitting hairs here in a way that is not in the best interests of Microsoft’s customers. The whole point of the Information Bar introduced in SP2 was to enhance security and protect customers from being duped into installing deceptive and potentially damaging software. The Information Bar, a key security enhancement in SP2, does not work properly on a computer running Windows Media Player 9. That is a bug, and I cannot find any other way to classify it except as an important security issue.
I thought the whole point of Trustworthy Computing was to tip the scales back in favor of the customer. It seems like a big step backward for us to argue over exactly how to label a clearly demonstrable security flaw like this one. It’s an even bigger step backward for Microsoft to dig in its heels and try to spin this important issue instead of simply fixing it.