Microsoft Security Advisory (892313)
Default Setting in Windows Media Player Digital Rights Management Could Allow a User to Open a Web Page Without Requesting Permission
In March 2005, Microsoft issued an update to Windows Media Player to address the issue discussed in this advisory. Microsoft was made aware that malicious attackers can potentially create media files that could then trigger the launch of a Web site without further user interaction. This Web site could potentially then try to trick the user into downloading and executing malicious software add-ons, such as spyware. This social engineering attack abuses a by-design feature in Microsoft Windows Media Player Digital Rights Management (DRM) technology that requires users to have a license to play back a media file.
This issue does not automatically cause malicious software to run on a user’s computer. However, as a result of the malicious attacker’s actions, users may be persuaded to install malicious software if they are redirected to a malicious web page when acquiring a license.
An update to the Windows Media Player is available that allows users to modify the functionality involving automatic license acquisition in order to help prevent such attacks. Specifically, this update lets users configure Windows Media Player so they are prompted when the player accesses a web page to acquire a license. This update is available immediately through the Microsoft Download Center for users of Windows Media Player 10 on Microsoft Windows XP or Windows 2003 SP1 and for users of Windows Media Player 9 Series on Windows XP, Windows 2000 or Windows Server 2003.
Also, Internet Explorer for Windows XP SP2 helps prevent downloads from starting automatically and warns users about potentially harmful activities. Users who have installed Windows XP SP2 and turned on the Pop-Up Blocker feature have an added layer of defense from any attempt to deliver malicious software.
- You can provide feedback by completing the form at the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
The information provided in this document is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- May 10, 2005: Advisory published