Late in 2004, computer experts noticed that a popular Windows Media Player video file was actually a silent delivery mechanism infecting millions of PC users with spyware.
On Jan. 3, 2005, security researcher Ben Edelman revealed what was happening to people who played this video file in WMP. After clicking the OK button on a single, legitimate-looking "browser update" dialog box, "My computer quickly became contaminated with the most spyware programs I had ever received in a single sitting," he said.
Edelman counted an amazing total of 31 programs that had silently been installed, without even displaying a license agreement. These included adware from 180solutions, CoolWebSearch, Ezula, ISTbar, and many other adware companies, he said. (By the way, I reported on July 14 that Microsoft’s AntiSpyware beta program, to the dismay of spyware experts, has stopped recommending the removal of programs by 180solutions, Ezula, and some other adware companies.)
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!
Subscribe and get our monthly bonuses - free!
The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!
How the trick works: Media files that are played using recent versions of Windows Media Player, such as 9.0 and 10.0, can invoke Microsoft’s Digital Rights Management system. This DRM scheme allows multimedia files, among other things, to open a Web page and display information to the user.
Allowing audio and video files to open new windows is not such a good idea in the first place. Even worse, however, is how DRM was implemented by Microsoft.
Left: Playing a video file in Windows Media Player can launch a dialog box that looks official but installs spyware. Enlarge image in context
DRM-protected multimedia files, when played in WMP, can make a dialog box appear, such as the one shown above that Edelman diagnosed. (This image is reproduced with Edelman’s permission.) In this case, the dialog box tells the user to click the Install button to get what was supposedly a Required Media Player Version 10 Browser Update.
Most Windows users, of course, see dialog boxes like this all the time. For example, legitimate audio and video files commonly require the download of a particular compressor-decompressor, or codec. That perfectly ordinary situation displays a very similar codec-update dialog. (I discuss, below, a safe way to update codecs.)
In the case shown above, the message does say Security Warning, but so do many other alert boxes. It’s very natural for Windows users to click OK on boxes such as this one, and huge numbers of people have done so. After all, the dialog box says the download is required! (For details, see Edelman’s original report.)
Microsoft’s response to the outcry over this unacceptable behavior was pathetic. For at least a week, the company initially said the misleading dialog boxes were using a "by-design feature" of WMP, which wouldn’t be changed. The company then reversed course, telling eWeek in January that a patch would be available by mid-February.
Patches that allowed WMP 10 users to switch off the deceptive behavior were in fact released by then. But no patches were made available for WMP 9, which is used by more people, according to an April 14 eWeek article.
Microsoft finally released security advisory 892313 and the related Knowledge Base article 892313 on May 10. These articles described the problem and linked to an update for WMP 9 that had been posted a few days earlier.
Unfortunately, the WMP 9 patch is available only for users of Windows 2000 and 2003, not users of Windows 98 or Me. Worse, neither the advisory nor the KB article tells WMP 9 and 10 users that they must change a setting to turn the protection on after installing the upgrades. Finally, as far as I can determine, neither Windows Update nor the newer Microsoft Update bothers to inform users of the need for these upgrades.
What to do: Users of Windows XP with Service Pack 2 (SP2) who also have Windows Media Player 10 installed are not vulnerable to the problem. For everyone else, I’ve put together the following steps to make you immune.
WMP is “integrated” into Windows and you can’t easily remove it. For this reason, I urge you to upgrade WMP’s components to the latest version available for your OS, even if you never use it. Then apply patches as described in the steps below. WMP 10 will run only on Windows XP. WMP 9 will run on Windows 98 SE, Me, 2000, and 2003 as well as XP.
Users of Windows XP: First, if you don’t have SP2 installed, I recommend that you install it now, using the XP SP2 page or the new Microsoft Update (requires Internet Explorer). While you’re at it, use Microsoft Update to get the latest security patches for XP. Then, if you don’t have WMP 10, get it from Microsoft’s download center. Once WMP 10 is installed, read security advisory 892313 and install the update for WMP 10 using the link in KB article 892313. Finally, read section 9.4 of Microsoft’s WMP FAQ. Follow the instructions in bullet point 4 to turn off auto-acquisition. To do this in WMP, right-click the title bar, then click Tools, Options, Privacy, then turn off Acquire licenses automatically for protected content.
Users of Windows 2000 or 2003: First, use the new Microsoft Update (requires IE) to get the latest security patches for your OS. Then, upgrade to the latest version of WMP 9 using Microsoft’s download center. Once the updated WMP 9 is installed, read security advisory 892313 and install the update for WMP 9 using the link in KB article 892313. Finally, read section 9.4 of Microsoft’s WMP FAQ. Follow the instructions in bullet point 4 to turn off auto-acquisition. To do this in WMP, right-click the title bar, then click Tools, Options, Privacy, then turn off Acquire licenses automatically for protected content.
Users of Windows 98 SE and Me: WMP 9 will run on these OS versions, but 98 SE and Me are so old that Microsoft no longer supports them and I don’t recommend them. There’s no patch for WMP 9 on these operating systems. If you have a PC that’s running 98 SE or Me, check whether it meets the hardware requirements for XP using Microsoft’s upgrade center. If so, I urge you to upgrade to XP SP2 and WMP 10, even if you have to pay money for a retail copy of XP.
All users: Upgrading to the latest Windows security patches, which I recommend above as step one, eliminates other security holes that affect WMP. For example, being current with all patches stops WMP 9 from being infected by poisoned PNG images, as described in MS05-009. Also, Windows Update may already have installed patch 828026, which dates back to September 2003. Administrators should use the three Registry values described in the related KB article 828026 to stop WMP 9 from responding to URL script commands.
Note that even taking the steps above may allow some media files to display dialog boxes, which you must take care to answer correctly. As far as I’m concerned, no video is important enought to answer Yes to any dialog box a strange file opens, if WMP is the media player. (If you need an updated codec, download it separately from a legitimate source, such as the ones recommended by Microsoft in “How do I find a codec?“)
If you’re running XP SP1 or higher or 2000 SP3 or higher, you can restrict access to WMP, although you can’t easily remove it. You do this using Windows’ Set Program and Access Defaults feature. Follow the instructions in section 2.4 of the WMP FAQ.
By the way, don’t bother using KB 190990, entitled “How to determine the version of Windows Media Player,” to determine your version of WMP. Despite being revised as recently as Mar. 24, 2005, the article shows the wrong current version numbers for WMP 9 and 10.
After you’ve upgraded and patched WMP, you may also wish to install one of the third-party media players mentioned later in this article. Let the new player associate multimedia file extensions with itself so WMP never runs. That’s the best you can do to keep audio and video files from automatically launching WMP. When security holes are discovered in the future, my guess is that other vendors will fix their problems quicker than Microsoft will.
iTunes isn’t safe just because it’s Apple
Apple software doesn’t suffer from security flaws as often as Microsoft’s does, but problems aren’t unheard of. You need to stay abreast of Apple updates, especially for its popular iTunes media program, just as you do with Windows apps.
A flaw in iTunes was announced by Apple as recently as May 9, 2005. The problem allows a hacked MPEG4 file (.mp4) to silently install a Trojan horse on a computer. This wouldn’t affect an iPod or other specialized MP3 player. Nor would it likely affect Apple’s OS X operating system, which protects users from installing software unknowingly. But it would be a big problem in Windows, which by default runs with administrator privileges all the time, allowing viruses to quietly install themselves.
Fortunately, Apple released an upgrade, iTunes version 4.8, on May 9 to correct the problem on Windows 2000 and XP and OS X 10.2.8 or higher. Even better, Apple released iTunes version 4.9 on June 28, which is the first version that supports podcasting. You should upgrade iTunes to 4.9 immediately.
What to do: First, read the description of the MPEG4 problem provided by SANS and Apple. Then, upgrade to iTunes 4.9 using Apple’s download page.
QuickTime can play more than videos
QuickTime is another Apple program, this one primarily used to display short videos. The application runs on both Windows and Mac and often comes preinstalled on PCs. It’s also widely downloaded by people who want to view movie trailers provided by Hollywood studios and other content.
QuickTime was found in September 2004 to be hackable if it was used to display, of all things, a still-image bitmap file (.bmp). If you happened to load a poisoned bitmap, it could silently take over your PC while the image was being displayed as though nothing was wrong.
Apple released QuickTime 6.5.2 on Oct. 27, 2004, to correct the problem. Since that date, it’s released QuickTime 7.0. But that version was found to allow media files to send data from your computer back to a hacker’s Web server. The company released QuickTime 7.0.1 on May 31, 2005, to patch this.
What to do: Read Apple’s descriptions of the problems corrected by QuickTime 6.5.2 and 7.0.1. Then upgrade to QuickTime 7.0.1 using Apple’s download page.
Music and movies can hack RealPlayer
RealPlayer is one of the most popular media players on the market, with hundreds of millions of downloads of its free player and more than 2 million paying subscribers, according to a company statement.
But RealPlayer and other products made by RealNetworks have had a troubled history with security holes and privacy issues. The company lists on its security page more than a dozen patches that have been required for its media products, including RealPlayer and RealOne Player, in the past 2-1/2 years.
In addition, RealNetworks’ software raises security issues for both companies and individuals. RealPlayer and RealOne Player are configured by default with Internet-access features that allow RealNetworks and its partners, such as NASCAR and CNN, to install additional software, according to WatchGuard Technologies.
Most recently, RealNetworks released patches for its software — including RealPlayer, realOne Player, RealPlayer Enterprise, and Rhapsody — on June 23, 2005. These programs, if unpatched, can let hackers access a PC if the user plays a hacked MP3 audio file or AVI video file, or even visits a Web site that plays multimedia content.
What to do: Read the descriptions of the latest security hole provided by eEye Digital Security and RealNetworks. Then review any patches that may apply to you on RealNetworks’ security page.
Finally, upgrade any RealNetworks software you may have to the latest version that’s safe. For example, RealNetworks’ June 23 bulletin says these versions are not at risk: RealPlayer 10.5 (build 220.127.116.112) and Rhapsody 3 (build 0.1141).
Winamp falls victim to sneaky MP3s
Winamp is such a widely used media player that it’s listed as the 32nd most popular file at CNET’s Download.com. Unfortunately, like the other player apps, Winamp, too, has had its share of programming blunders that exposed users to danger.
In the latest case, merely playing an MP3 file in Winamp can cause hacker code to silently run. This can potentially plant a Trojan horse on a computer, according to a July 14 analysis by a security research group in Croatia named LSS (Laboratorij za Sustave i Signale).
Winamp released a new version on July 19 that fixes the flaw.
What to do: Read the analysis by LSS, then upgrade to Winamp 5.094 using Winamp’s download page.
C’mon, get it together, developers
Of all of the Windows applications we use, media players that simply play audio or video clips should be risk-free. It isn’t asking too much for developers of these programs to subject them to thorough security audits and neutralize any possible threats.
Enjoying podcasts should be a simple matter that doesn’t expose users to serious risks. We’re not there yet, so — until that day comes — you need to give your media player periodic patches in order to use podcasts safely.
You might think that a podcaster would never risk losing audience share by including a virus in a regularly scheduled show. But a podcaster’s PC might inadvertently get infected, adding a hidden virus to a file without anyone noticing until it had gone out to thousands of people.
In addition, viruses these days don’t seek to erase a PC’s hard drive. Instead, they aim to quietly take over the PC’s bandwidth, and big dollars are at stake. Podcasters have already received financial offers to distribute adware within podcatching software, according to a public warning by Nick Bradbury, the developer of FeedDemon. We all have to keep our guard up against this threat.
To send us more information about podcasting, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.