Microsoft says it will patch versions of Windows Media Player to prevent users from inadvertently downloading viruses, adware and spyware when opening copy-protected media files. The update will be available within 30 days, the company says.
Meanwhile Microsoft is urging users of Windows Media Player versions 9 and 10 to be cautious when opening Windows Media Audio files downloaded from peer-to-peer file sharing services.
The problem stems from the way Windows Media Player 9 and 10 automatically acquire licensing information for copy-protected content, a technology known as digital rights management, or DRM. Microsoft's DRM technology acts as an antipiracy measure, ensuring that copy-protected digital files aren't mass-distributed over peer-to-peer networks.
The company also suggests that users change some system settings until the updates to Windows Media Player 9 and 10 become available.
Security experts confirm that hackers and distributors of adware are using a loophole in Microsoft's DRM license acquisition process to display advertising, initiate the download of adware to PCs and distribute viruses.
"People should always use caution when downloading any file off the internet," says David Caulton, group product manager for Microsoft's Windows Digital Media Division. "We are giving our customers more control over their choices when it comes to accessing the internet for DRM information."
Currently there is no way to keep Windows Media Player from automatically attempting to connect to the internet when you try to play specially crafted Windows Media files. The updates to Media Player 9 and 10, expected within a month, will allow users to prevent such internet access when media files are played.
Given the popularity of P-to-P networks where these infected media files are proliferating, "this could easily become an epidemic very quickly," says Patrick Hinojosa, CTO for antivirus utility provider Panda Software.
Panda reported earlier this month that it had detected two new Trojan horse programs in video files circulating on peer-to-peer networks. The company estimates that "tens of thousands" of PCs have already been infected by Trj/WmvDownloader.A and Trj/WmvDownloader.B, which sneak onto systems via the Media Player and attempt to install malicious programs and viruses.
The problem starts when a user tries to play a DRM-protected file. Normally, when you download a protected Windows Media file, you also receive a license that permits playback. If Windows Media Player can't find a valid license on your PC, it checks in with a remote system running Microsoft's Windows Media DRM Server.
That DRM feature automatically triggers an Internet Explorer browser session. Under normal circumstances, the browser page that opens should walk the user through a license acquisition process.
Since the license dialog box acts just like an Internet Explorer window, it can display whatever HTML coding is on the page that the file points to, whether it's a legitimate request for license information or a script that launches ads.
Some Windows Media files on peer-to-peer networks such as Kazaa contain ad-spawning code. The affected files are indistinguishable from files containing songs or short videos in Windows Media format, but when played they launch ads instead of media clips. When we ran the files, we noted over a half dozen pop-ups, several attempts to download adware onto our test PC, and an attempt to hijack our browser's home page.