ZDNet UK



Microsoft patches two DRM holes

John Borland and Stefanie Olsen CNET News.com

Published: 17 Feb 2005 09:55 GMT


Microsoft said on Tuesday that Japanese hackers had discovered a potential weakness in its copy protection technology but that the software company fixed the flaw before it was widely used.

The Redmond, Washington-based giant on Tuesday introduced an update to its Windows Media Player, which included changes aimed at blocking the Japanese hackers' work, as well as a security update.

The copy protection changes mark the first time in nearly four years that Microsoft's digital rights management (DRM) protections have been publicly broken, even if largely in theory. As in an earlier case, the company says it was able to update its software before the flaws advanced much beyond the theoretical stage.

"No DRM is perfect," said David Caulton, group product manager in the Windows Media division. "This is another example of somebody finding a way around the technology that we didn't think about. We hear about it, and we effectively get a fix out to users before there's a widely distributed tool for removing digital rights management from files."

The update comes as renewed evidence that hackers and other independent programmers are scrutinising Microsoft's Windows Media Player, as well as the Internet Explorer browser, for flaws or programming loopholes. Microsoft has released repeated security fixes for its Web-browsing software over the past year, as new risks for surfers using the browser continue to appear.

The Japanese hack emerged several weeks ago, when programmers on a public online bulletin board were found to be discussing ways to strip the copy protection off Windows Media files. The actual software that purportedly performed the trick was taken offline after a Japanese magazine wrote about the hack, but Microsoft said the company was able to identify the potential flaw.

The new update also addresses a problem exposed a month ago, in which the Media Player and its digital rights management software could be used to show ads -- or even to lure unsuspecting Web surfers into downloading harmful software onto their hard drives, security researchers said.

The process exploited a feature of the Media Player content protection, which allows protected files to pop up a Web page with information about a video or song license. In such a case, that page could be loaded with automatic spyware download mechanisms, Spanish security company Panda Software said.

Microsoft originally denied that Media Player contained a security vulnerability, claiming that the issue would only allow a social engineering attack -- where a user is fooled into downloading malware. It subsequently admitted that it would issue a patch to fix the problem.

The new update to the Media Player software contains a setting that allows consumers to request that they be notified any time their computer is going onto the Internet to obtain a content licence. By default, this option will be turned off, but computer users can turn it on, Caulton said.

As for the associated security issues, however, once the computer does launch the online license acquisition process, a Web page could still be popped up -- even with the update in place. That risk is shared by anyone surfing online, Caulton said, but it could be virtually eliminated by using the latest spyware blockers and Windows operating-system updates, which block automatic downloads of software.

The new Windows Media Player is available now on Microsoft's site and may be distributed to consumers through the company's automatic software update function in the future.
