Sunday 09 January 2004

Adware and Windows Media Files

Seems Windows Media Player can now serve as the vehicle for spyware and adware installations.

According to Eric L Howes in his write-up on the Broadband Reports Forum:

The problem here involves the DRM features of Windows Media, and those features create a new and potentially very effective means for adware vendors to push unwanted software on unsuspecting users who have no interest whatsoever in using P2P networks to trade unauthorized music files.

Eric advises the usual precautions, starting with locking down Internet Explorer:

  • locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting);
  • installing spyware prevention utilities such as SpywareBlaster and SpywareGuard;
  • installing at least two reputable anti-spyware scanners and keeping them updated;
  • keeping your system updated through Windows Update.

But warns that:

Also, it appears that merely switching your default browser to something other than Internet Explorer will not be sufficient to eliminate the threat, as Windows Media Player uses the Internet Explorer engine to open browser windows that function as dialog boxes. Even if you're not actively using Internet Explorer, you should lock it down to prevent its being exploited by rogue WMA files.

In addition, PC World advises:

Change Windows Media Player setting to give you more warning. Select Tools, Options, Privacy and turn off 'Acquire licenses automatically for protected content'. A dialog box then will warn you each time a protected file attempts to get a license, and it will display the URL from which the file intends to request the license. If you have any doubts about the site, choose 'No.' Changing this setting in Windows Media Player will affect any other players you use that support Microsoft's DRM scheme.

However, according to Ed Bott, those exploits don't work on PCs with Windows XP Service Pack 2 and Windows Media Player 10 because the upgrades were designed to block stuff like this. But how many of us use the latest and greatest?

Ed Bott also reports that the WMP restrictions proposed by the PC World article don't appear to work on WMP 9:

Initially, I thought that disabling the option to acquire licenses automatically would solve this problem. (In Windows Media Player, you do this by clicking Tools, Options. Click the Privacy tab and then clear the Acquire licenses automatically for protected content check box.) However, further testing reveals that this is not the case. Because these files are tagged as needing a license, the player is going to try to go out and get one. The whole point of this exploit is to bring you to a Web page, so the license is a red herring. In fact, a few seconds ago when I tried to acquire a license, the Flash file disappeared and was replaced with an "adults only" static image. If this were a reputable company, the License Acquisition dialog box would contain legitimate details about the track and the license you just acquired, such as when it expires or how many times you're allowed to play the clip.

Ben Edelman also carried out his own tests and confirms that:

Users with all the latest updates (Windows XP Service Pack 2 plus Windows Media Player 10) won't get these popups. But with older software, confusing and misleading messages can trick users into installing software they don't want and don't need - potentially so many programs that otherwise-satisfactory computers become slow and unreliable.

However, he notes the following (he didn't confirm the specs of the test PC):

On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (DirectRevenue). (Most product names are as detected by Lavasoft Ad-Aware.) All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer.

Based on his initial observations and follow-up posts from both Ed Bott and Ben Edelman, Eric has written another article on the Broadband forums which rounds up all known observations and paints a worrying picture of Microsoft's DRM technology.

I think Eric's final roundup deserves to be read in full so I haven't provided any excerpts.
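Both the PC World tip and Ed Bott's testing above turn on the license URL that a protected file carries in its header. As an added example (my own, not from any of the authors quoted here), this Python function reads that URL out of a WMA/WMV (ASF) header so you can see where a file would send the player before you open it. It assumes the original ASF Content Encryption Object layout only; the newer extended DRM header is not parsed, and the sample file and the license.example host are constructed for illustration.

```python
import struct
import uuid

# ASF object GUIDs from the published ASF specification.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")

def _objects(buf, pos, end):
    """Yield (guid, payload) for each ASF object between pos and end."""
    while pos + 24 <= end:
        guid = uuid.UUID(bytes_le=buf[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", buf, pos + 16)
        if size < 24 or pos + size > end:
            raise ValueError("malformed ASF object size")
        yield guid, buf[pos + 24:pos + size]
        pos += size

def license_url(data):
    """Return the DRM license URL in an ASF/WMA/WMV header, or None."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        raise ValueError("not an ASF file")
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    # Header object: GUID(16) size(8) object count(4) reserved(2), then sub-objects.
    for guid, body in _objects(data, 30, min(hdr_size, len(data))):
        if guid != CONTENT_ENCRYPTION:
            continue
        pos = 0
        # Four length-prefixed fields: secret data, protection type, key ID, license URL.
        for _ in range(4):
            (n,) = struct.unpack_from("<I", body, pos)
            field = body[pos + 4:pos + 4 + n]
            pos += 4 + n
        return field.rstrip(b"\x00").decode("ascii", "replace")
    return None

def _lp(b):
    return struct.pack("<I", len(b)) + b

def _obj(guid, payload):
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload

def build_sample(url=None):
    """Constructed sample header (not a real media file); url=None means no DRM."""
    subs = b""
    if url is not None:
        fields = _lp(b"\x00" * 8) + _lp(b"DRM\x00") + _lp(b"KID\x00") + _lp(url.encode() + b"\x00")
        subs = _obj(CONTENT_ENCRYPTION, fields)
    return _obj(ASF_HEADER, struct.pack("<IBB", 1 if subs else 0, 1, 2) + subs)
```

To check a downloaded file, pass its bytes to `license_url()`; a URL on a host you don't recognise is a reason not to play the file on an unpatched player.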
