Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Windows Media Player Vulnerability Info (MUST READ!!!)
Spyware Warrior Blog ^ | 12/31/04 | Eric L. Howes

Posted on 12/31/2004 3:14:06 AM PST by goldstategop

Hi All:

PC World has a pair of articles about a potentially dangerous new development on the spyware/adware front: WMA (Windows Media) files being used to install adware and spyware. See:

Risk Your PC’s Health for a Song? http://www.pcworld.com/news/article/0,aid,119016,00.asp

Protect Yourself From Audio Adware http://www.pcworld.com/news/article/0,aid,119063,00.asp

In short, the well-known copyright management/protection firm Overpeer has figured out how to install adware through Windows Media files. The technique exploits features of the Windows Media DRM functionality to launch special Internet Explorer windows that display popup ads and that also attempt to download and install adware/spyware. This happens when the user opens the Windows Media file for playing.

Some might be tempted to dismiss this new method for distributing adware and spyware as a risk only for those using P2P networks. That snap judgement would be a mistaken and misguided one, though. The P2P file sharing angle on this story is a red herring.

The problem here involves the DRM features of Windows Media, and those features create a new and potentially very effective means for adware vendors to push unwanted software on unsuspecting users who have no interest whatsoever in using P2P networks to trade unauthorized music files.

I should caution readers that the PC World article, while detailed, is still short on specifics and that we still need more information. That said, users should be advised to take the usual steps to protect themselves against adware and spyware. At a minimum that involves:

locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting); installing spyware prevention utilities such as SpywareBlaster and SpywareGuard; installing at least two reputable anti-spyware scanners and keeping them updated; keeping your system updated through Windows Update. In addition to the above, PC World recommends tweaking the settings for Windows Media Player:

said by PC World:

* Change windows Media Player setting to give you more warning. Select Tool, Options, Privacy and turn off ‘Acquire licenses automatically for protected content’. A dialog box then will warn you each time a protected file attempts to get a license, and it will display the URL from which the file intends to request the license. If you have any doubts about the site, choose ‘No.’ Changing this setting in Windows Media Player will affect any other players you use that support Microsoft’s DRM scheme.

Also, it appears that merely switching your default browser to something other than Internet Explorer will not be sufficient to eliminate the threat, as Windows Media Player uses the Internet Explorer engine to open browser windows that function as dialog boxes. Even if you’re not actively using Internet Explorer, you should lock it down to prevent its being exploited by rogue WMA files.

If and when more information becomes available, I’ll post it to this thread.

Best,

Eric L. Howes

To supplement the advice from PC World, you might want to take the following measures:

locking down Internet Explorer (esp. ActiveX controls, Java applets, and scripting); Either lock down the Internet zone (https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm ), use Enough is Enough ( https://netfiles.uiuc.edu/ehowes/www/resource6.htm ), or use IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm ).

installing spyware prevention utilities such as SpywareBlaster and SpywareGuard; http://www.javacoolsoftware.com/spywareblaster.html http://www.javacoolsoftware.com/spywareguard.html

installing at least two reputable anti-spyware scanners and keeping them updated; http://spywarewarrior.com/asw-features.htm#rec

keeping your system updated through Windows Update. http://windowsupdate.microsoft.com/

See screenshot below for privacy settings in Windows Media Player 9

For Windows Media Player 10, see these screenshots.

If you have questions about adware, spyware or Windows security, you can post in the Spyware Warrior forums. Please do not post help requests in the blog comments.

Thank you.


TOPICS: Business/Economy; Culture/Society; Technical
KEYWORDS: ericlhowes; exploit; getamac; internetexploiter; lowqualitycrap; microsoft; patch; privacy; scumware; securityflaw; spyware; trojan; virus; vulnerability; windows; windowsmediaplayer; worm
Navigation: use the links below to view more comments.
first 1-5051-66 next last
Every one is urged to follow Eric L. Howes' recommendations to protect themselves against a new scumware exploit threat via Windows Media Player. Must read!!! Thanks.
1 posted on 12/31/2004 3:14:07 AM PST by goldstategop
[ Post Reply | Private Reply | View Replies]

To: goldstategop
Thanks for posting this, I recently downloaded Windows Media Player and instantly got all the symptoms described in this article. Now I know what to do!
2 posted on 12/31/2004 3:36:12 AM PST by DirtyHarryY2K (''Go though life with a Bible in one hand and a Newspaper in the other" -- Billy Graham)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

ping


3 posted on 12/31/2004 3:37:42 AM PST by paudio (Four More Years..... Let's Use Them Wisely...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

thank you, turned that stuff off immediately, haven't had any troubles YET, though.


4 posted on 12/31/2004 3:42:36 AM PST by William of Orange (I'm John Kerry and I approve this message. No I don't. Yes I do. No I don't. Yes I do. Maybe, not.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: William of Orange

None here either. And I've got Internet Explorer locked down tight.


5 posted on 12/31/2004 3:44:33 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 4 | View Replies]

To: goldstategop

BTTT


6 posted on 12/31/2004 3:46:19 AM PST by Fiddlstix (This Tagline for sale. (Presented by TagLines R US))
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

Thanks for this posting...nothing like keeping your anti-virus program updated!.......


7 posted on 12/31/2004 3:50:27 AM PST by Route101
[ Post Reply | Private Reply | To 1 | View Replies]

To: Route101

And anti-trojan scanner too. Ewido Security Suite here updates at least once a day with new definitions.


8 posted on 12/31/2004 3:51:33 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 7 | View Replies]

To: goldstategop

Done, and thanks for this info.


9 posted on 12/31/2004 3:51:51 AM PST by G.Mason (A war mongering, UN hating, military industrial complex loving, Al Qaeda incinerating American.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

If you use a personal firewall (I have Sygate Personal Firewall on right now), you'll be amazed at how many programs try to access the internet, and how often. I block them all by default, including Media Player


10 posted on 12/31/2004 3:54:21 AM PST by fr_freak
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

bump


11 posted on 12/31/2004 3:56:13 AM PST by patj
[ Post Reply | Private Reply | To 1 | View Replies]

ping for later


12 posted on 12/31/2004 3:57:31 AM PST by happy_happy_joy_joy (True joy comes from within.....)
[ Post Reply | Private Reply | To 10 | View Replies]

To: goldstategop

What is the best FREE trojan scanner can I find ( that won't install it's own Spyware of it's own ).


13 posted on 12/31/2004 4:10:04 AM PST by Prophet in the wilderness (PSALM 53 : 1 The ( FOOL ) hath said in his heart , There is no GOD .)
[ Post Reply | Private Reply | To 8 | View Replies]

To: fr_freak

I let all my legitimate programs access the Internet.


14 posted on 12/31/2004 4:11:21 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Prophet in the wilderness

Ewido Security Suite. The premium features can be tried for 14 days for free. If you decide you don't want em, keep the scanner and download updates manually. http://www.ewido.net


15 posted on 12/31/2004 4:13:25 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 13 | View Replies]

To: goldstategop

Can you recommend a free/inexpensive firewall for W2000 on dial-up?


16 posted on 12/31/2004 4:31:29 AM PST by raybbr
[ Post Reply | Private Reply | To 15 | View Replies]

To: goldstategop

Thanks


17 posted on 12/31/2004 4:35:10 AM PST by freeangel (freeangel)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Prophet in the wilderness; martin_fierro

Contact martin for free utilities. He has a list of links.


18 posted on 12/31/2004 4:49:59 AM PST by ovrtaxt (I find your inoffensiveness offensive.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: raybbr

Try Zone Alarm.


19 posted on 12/31/2004 4:50:59 AM PST by ShadowDancer
[ Post Reply | Private Reply | To 16 | View Replies]

To: ovrtaxt

Ok,,


20 posted on 12/31/2004 4:51:37 AM PST by Prophet in the wilderness (PSALM 53 : 1 The ( FOOL ) hath said in his heart , There is no GOD .)
[ Post Reply | Private Reply | To 18 | View Replies]

To: raybbr

Try Zone Alarm. I personally run Norton Internet Security Firewall, which isn't cheap but is reliable. http://zonelabs.com


21 posted on 12/31/2004 4:59:25 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 16 | View Replies]

To: goldstategop

Thanks again....


22 posted on 12/31/2004 5:04:27 AM PST by Route101
[ Post Reply | Private Reply | To 8 | View Replies]

To: Fiddlstix

bookmarked


23 posted on 12/31/2004 5:08:56 AM PST by stylin_geek (Liberalism: comparable to a chicken with its head cut off, but with more spastic motions)
[ Post Reply | Private Reply | To 6 | View Replies]

To: fr_freak
Same with me.

I have ZoneAlarm and only allow a very few exe's to access without my checking OK.

Dial Up users should un-select the automatic dialing (in their Dial Up Adapter), too. Older viruses (when I had dial up) used that feature to rob one's system of email and private files. They would capture, dial up, and send the data to some unknown location.

Anyone not running some of the free spyware/adware/firewalls/virus checkers are a part of the problem. They very probably have contaminated machines and are inadvertently spreading malice. GET WITH THE PROGRAMS TO STOP THIS, People. There are free programs --- USE THEM!!!!
24 posted on 12/31/2004 5:20:26 AM PST by TomGuy (America: Best friend or worst enemy. Choose wisely.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: goldstategop

bump


25 posted on 12/31/2004 5:23:21 AM PST by lupie
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

bttttt


26 posted on 12/31/2004 5:26:12 AM PST by dennisw (G_D: Against Amelek for all generations.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr
Help for viruses and malware:
 
 Ad-Aware ... Spybot ... Peper Uninstaller ... HijackThis... CWShredder ... Spyware Blaster ... IE Spyad ... Free online Virus scan ... AVG AntiVirus ... LSPfix ... How to Show Hidden Files ... How to boot into Safe Mode ... How did I get infected in the first place?


Things you need--(all FREE)
Anti-Virus
AVG Anti-Virus version 7 (free) release available...
 Avast
Firewall
Kerio(Direct Download) Zone Alarm
 If are using zone alarm it may slow your PC. Try Outpost Firewall http://www.agnitum.com/products/outpost or Sygate Firewall http://www.sygate.com/ both have FREE and Pro versions and are heads above ZA.
Misc.
IE Spyads SpywareBlaster Spyware Guard
Windows Update- you must keep updated, it is the start of a secure system-
get all CRITICAL Updates

Things you want(Still Free)
 
 Get Firefox I use Firefox PR1 and IMHO, beats the sox off MS Explorer. Life is good with tabs. Click the link and give it a try.

Ad-Aware
Spybot S&D
SpywareBlaster
MS MVP Hosts file
Mike Lin's Homepage and get the Startup Control Panel and Startup Monitor tools.
 
The best forum for malware removal:
-SWI Forums-

27 posted on 12/31/2004 5:32:29 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 16 | View Replies]

To: goldstategop

Question: Is it sufficient to set IE's security settings on "high"? Is that "locked down"?


28 posted on 12/31/2004 6:22:05 AM PST by Clara Lou (Hillary Clinton: "We're going to take things away from you on behalf of the common good.")
[ Post Reply | Private Reply | To 5 | View Replies]

To: backhoe
Thanks backhoe. Once again you prove that FR is the place to get help from somoene who does it just for the sake of helping.
29 posted on 12/31/2004 6:26:38 AM PST by raybbr
[ Post Reply | Private Reply | To 27 | View Replies]

To: raybbr

30 posted on 12/31/2004 6:28:29 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 29 | View Replies]

To: goldstategop

thanks for this informative post. you did a great deal of work to include all the screens. it is a person like you that makes others realize what can be done if you are generous. Thanks again.


31 posted on 12/31/2004 6:44:49 AM PST by q_an_a
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

bttt


32 posted on 12/31/2004 6:52:01 AM PST by jdm (Stockhausen, Kagel, Xenakis -- world capitals or avant-garde composers?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

Dumb question: WTH does "locked down" mean?


33 posted on 12/31/2004 7:15:08 AM PST by Ben Chad
[ Post Reply | Private Reply | To 1 | View Replies]

To: Prophet in the wilderness

I use Spybot and Ad-Aware SE. Each time I use them (about every other day) I check for updates. I downloaded both from download.com.


34 posted on 12/31/2004 7:54:00 AM PST by PhilipFreneau (The fool hath said in his heart, There is no God. -- Psalms 14: 1, 53:1)
[ Post Reply | Private Reply | To 13 | View Replies]

Comment #35 Removed by Moderator

To: goldstategop
I'm at a loss to why anyone would use Microsoft's software.


36 posted on 12/31/2004 8:14:56 AM PST by KoRn
[ Post Reply | Private Reply | To 1 | View Replies]

To: Clara Lou

Set it on high for your restricted zone, medium for the Internet and low for sites you absolutely trust that you can put in your trusted zones tab.


37 posted on 12/31/2004 8:16:56 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Ben Chad

It means its like the equivalent of Fort Knox - no one can get in unless you allow it. So when you install that registry patch - IE Spy-ad you're letting the bad guys know your computer is off limits. I went to Coolwebsearch and nothing happened. That's how effective this particular piece of condom software is in shutting down the scumware pushers' abilities to install unwanted software via drive by downloads behind your back.


38 posted on 12/31/2004 8:21:17 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 33 | View Replies]

To: sandyeggo

WMP uses the Internet Explorer browser settings so if these are secured, just unchecking the "acquire licensing info automatically" box should take care of hackers ability to exploit the DRM channel to install malware on your computer over your objections.


39 posted on 12/31/2004 8:23:47 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 35 | View Replies]

To: backhoe
I want to thank you for the links and tips...

I just finally was able to locate and destroy an executable file that was so "hidden," that all my anti-spyware couldn't find it. UNTIL NOW.

40 posted on 12/31/2004 8:28:08 AM PST by F16Fighter
[ Post Reply | Private Reply | To 27 | View Replies]

To: Nightshift

poing


41 posted on 12/31/2004 8:29:14 AM PST by tutstar ( <{{--->< http://ripe4change.4-all.org Violations of Florida Statutes ongoing!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: goldstategop

Thanks!!!!!!!!!


42 posted on 12/31/2004 8:30:00 AM PST by countrydummy (#RIGHTALK.. http://www.rightalk.com)
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #43 Removed by Moderator

To: raybbr
free/inexpensive firewall for W2000

I also recommend Zone Alarm. The free version (note: they will try to convince you to buy the 'pro' version, but for dial-up I think that's overkill...) is available here (click the red "free download" button):

Zone Labs

44 posted on 12/31/2004 9:02:37 AM PST by NoCmpromiz (The only thing the French do well is wine and cheese, both of which are made better in California.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: F16Fighter
I want to thank you for the links and tips... I just finally was able to locate and destroy an executable file that was so "hidden," that all my anti-spyware couldn't find it. UNTIL NOW.

I'm glad you found it helpful- the people who write and propagate that garbage should be publicly horsewhipped.

45 posted on 12/31/2004 9:20:36 AM PST by backhoe (-30-)
[ Post Reply | Private Reply | To 40 | View Replies]

To: ShadowAce

Ping


46 posted on 12/31/2004 9:27:32 AM PST by Still Thinking (Disregard the law of unintended consequences at your own risk.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

Ongoing Windows security vulnerability ping!


47 posted on 12/31/2004 9:32:45 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: raybbr

Zone Alarm or Sygate Personal Firewall. I use SPF as it gives you, the user, more control over what computer ports and/or programs you want to allow or block, that option is only in the paid version of Zone Alarm, but it's available in the freebie version as well as the paid version of SPF.


48 posted on 12/31/2004 9:56:31 AM PST by BigSkyFreeper
[ Post Reply | Private Reply | To 16 | View Replies]

To: goldstategop

ping


49 posted on 12/31/2004 9:58:25 AM PST by isom35
[ Post Reply | Private Reply | To 1 | View Replies]

To: KoRn
I'm at a loss to why anyone would use Microsoft's software.

I'm at a loss as to why anyone would have the Winamp Browser open.

50 posted on 12/31/2004 9:58:49 AM PST by BigSkyFreeper
[ Post Reply | Private Reply | To 36 | View Replies]


Navigation: use the links below to view more comments.
first 1-5051-66 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson