Nearly two months after promising to update its media player software to block the threat of malware infection, Microsoft Corp. on Tuesday admitted that users of its Windows Media Player 9 Series remain at risk.
Redmond has hemmed and hawed on its response to the threat and the circumstances of the latest admission isn’t sitting well with security researchers.
When the first red flag was raised in early January, Microsoft made it clear that the use of rigged .wmv files to exploit the DRM (digital rights management) mechanism was not a software flaw.
A week later, the company reversed course and promised new versions of WMP within 30 days. "While this issue is not the result of any exploit of Windows Media DRM, we do recognize it may cause problems for some of our customers," the company said in a statement. To help mitigate these problems, Microsoft said the software would be tweaked to "allow the end-user more control over when and how any pop-ups display in the license acquisition process."
On February 15, Microsoft rolled out two WMP updates which, according to officials, covered the malware infection scenario. Even the language in Microsoft’s update pointed to the addition of "integrity checks to the DRM system."
However, security researchers quickly discovered that the WMP update did not solve the problem. Harvard University researcher Ben Edelman told eWEEK.com he tested the updated WMP9 on Windows XP SP2 (Service Pack 2) and found that the spyware infection threat remained. "Regrettably, and quite surprisingly, the update does not seem to solve the problem," Edelman said.
Ed Bott, a best-selling author who has written extensively on the Microsoft Windows platform, confirmed Edelman’s findings and said the absence of documentation with the Microsoft updates caused even more confusion.
On Monday, a spokesman for Microsoft first claimed the Edelman and Bott were testing the wrong WMP update and pointed eWEEK.com to a separate February 15 update to the WMP 10 software.
The problem with that, as explained by Edelman and Bott, is that WMP 10 is only available as an optional update for users of the Windows XP operating system. "It’s quite clear that there is major confusion at their [Microsoft’s] end," Bott said. "To suggest that the WMP 10 update fixes this problem is obviously inaccurate."
"The problem, prior to installing the patch, was that users were still receiving a pop-up inviting them to install [malicious] software, without requiring users first to affirmatively request the installation by clicking in an Information Bar style of display. In my testing, that problem remains in effect," Edelman added.
Read the rest here
Now this is really sad.