Tuesday, January 04, 2005

Microsoft's DRM Introduces Vulnerabilities

With another half-hearted attempt at pleasing one industry segment to the detriment of the rest, Microsoft's DRM feature of Windows Media Player - designed to keep Microsoft in the good books with the RIAA and MPAA - has introduced a rather serious vulnerability to their operating system (since in all countries except the EU, Microsoft Windows Media Player is bundled with Windows XP, and the EU is still waiting for their new version of Windows without this bundled application).

A recent article over at PC World shows how pop-ups and adware/spyware are able to be bundled with DRM-enabled Windows Media files. Basically what happens is that when the .wmv (Windows Media Video) file is played, it is allowed to open up a web page before playing the video content in the file. This generally only happens when a License file cannot be downloaded for the media in question, but the malicious files will open a website that opens other pop-ups and possibly even attempt to push spyware to your computer.

Microsoft also admits that it is possible for an existing file to be modified after it has been created, allowing malicious coders to modify DRM-enabled files to point to their own or other selected web servers, and then be able to target other unpatched Internet Explorer vulnerabilities to push unwanted advertisements and software to target computers.

While there are steps that can be taken to make this process more "manual" - i.e. requiring you to authorize the loading of the webpage and obtaining of the License key, these steps SHOULD have been the default settings that the software comes with - not something that users need to do to secure their machines post installation.

Another thing - WHY is Windows Media Player even installed on Windows Server 2003 and Windows Small Business Server 2003 operating systems? These are servers, not home entertainment systems. Since when has a media (video or audio) file been needed on a Server? Sure, if you are running Windows Media Services on this server, then you'd think that WMP *may* be needed, but really its not even needed then - a workstation is the place media files should be played, not on the server. By Microsoft's mind numbingly stupid "all in" Server OS design, they are introducing vulnerabilities that should never, ever affect these systems.

I've long been a proponent of the "secure by design, secure by default" school of thought - meaning that only the required software should be installed on any particular system - especially a Server - and its settings should be configured to secured upon install. The user then needs to open it up or install additional software as and when required. Sure, it means a bit more work on a Server, and on a Workstation there's going to be more software installed by default, but it means that things like this just couldn't happen.

At Quark IT, security is a major part of our business and we consider the security implications of anything that our clients are considering installing or changing to be one of the most important things. It is no use deciding to run this really useful piece of software or hardware if it opens your network and its sensitive data up to your competition and the world in general. I just wish that more IT Consultants and software authors thought this way.

Microsoft has been getting a lot better in recent years. Both the Windows XP and Windows Server 2003 ranges have been significantly better than their earlier releases when it comes to security. They still have a long, long way to go, but they are currently on the right path. Let's hope that they address this vulnerability in the January 2005 "Patch Tuesday" release.

The Outspoken Wookie

No comments: