Microsoft Security Advisory (892313)
Default Setting in Windows Media Player Digital Rights Management Could Allow a User to Open a Web Page Without Requesting Permission
Published:
In March 2005, Microsoft issued an update to Windows Media Player to address the issue discussed in this advisory. Microsoft was made aware that malicious attackers can potentially create media files that could then trigger the launch of a Web site without further user interaction. This Web site could potentially then try and trick the user into downloading and executing malicious software add-ons, such as spyware. This social engineering attack abuses a by-design feature in Microsoft Windows Media Player Digital Rights Management (DRM) technology that requires users to have a license to playback a media file.
This issue does not automatically cause malicious software to run on a user’s computer. However, as a result of the malicious attacker’s actions, users may be persuaded to install malicious software if they are redirected to a malicious web page when acquiring a license.
An update to the Windows Media Player is available that allows users to modify the functionality involving automatic license acquisition in order to help prevent such attacks. Specifically, this update lets users configure Windows Media Player so they are prompted when the player accesses a web page to acquire a license. This update is available immediately through the Microsoft Download Center for users of Windows Media Player 10 on Microsoft Windows XP or Windows 2003 SP1 and for users of Windows Media Player 9 Series on Windows XP, Windows 2000 or Windows Server 2003.
Also, Internet Explorer for Windows XP SP2 helps prevent downloads from starting automatically and warns users about potentially harmful activities. Users who have installed Windows XP SP2 and turned on the Pop-Up Blocker feature have an added layer of defense from any attempt to deliver malicious software.
General Information
Overview
Purpose of Advisory: Notification of the availability of the update to help protect against this potential threat.
Advisory Status: Knowledge Base Article and associated update were released.
Recommendation: Review the referenced Knowledge Base Article and apply the appropriate update for increased security.
| References | Identification |
|---|---|
| Knowledge Base Article | 892313 |
| Related Software: |
|---|
| Windows Media Player 9 |
| Windows Media Player 10 |
Frequently Asked Questions
What versions of Windows Media Player are associated with this advisory?
This advisory pertains to Windows Media Player 9 and Windows Media Player 10.
Is this a security vulnerability that requires Microsoft to issue an update?
Although this is not a security vulnerability, this update was issued to provide additional warning for users who could be deceived into visiting a malicious Web site.
What is the scope of the advisory?
The scope of this advisory is to inform Windows Media Player users that an update has been released to reduce the risk of users being deceived into visiting a Web site.
What causes this threat?
An attacker could create a social engineering attack that abuses a function of the Windows Media DRM system designed to allow common license delivery scenarios. It does not automatically cause malicious software to run on the user’s computer.
What might an attacker use this function to do?
An attacker can create media files that could use this function to trick users into visiting a malicious Web site. This Web site could then try and trick the user into downloading and executing malicious software add-ons, such as spyware.
What does this feature do?
This feature let users specify whether they want to have Windows Media Player automatically acquire licenses to play protected content, or whether they would prefer to be prompted when a license is required.
Suggested Actions
Users should make sure their Windows Media Player software is current with the latest updates, which were released in March, 2005.
- Update Windows Media Player
Windows Media Player users can install the update from Microsoft Knowledge Base Article 892313.
- Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Other Information
Resources:
- You can provide feedback by completing the form at the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in this document is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- May 10, 2005: Advisory published