Executive Summary

Summary
Title: Default Setting in Windows Media Player Digital Rights Management Could Allow a User to Open a Web Page Without Requesting Permission
Information
Name: KB892313
First vendor Publication: 2005-05-10
Vendor: Microsoft
Last vendor Modification: 2005-05-10
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector : N/A
Cvss Base Score: N/A
Attack Range: N/A
Cvss Impact Score: N/A
Attack Complexity: N/A
Cvss Exploit Score: N/A
Authentication: N/A

Detail

In March 2005, Microsoft issued an update to Windows Media Player to address the issue discussed in this advisory. Microsoft was made aware that malicious attackers can potentially create media files that could then trigger the launch of a Web site without further user interaction. This Web site could then try to trick the user into downloading and executing malicious software add-ons, such as spyware. This social engineering attack abuses a by-design feature in Microsoft Windows Media Player Digital Rights Management (DRM) technology that requires users to have a license to play back a media file.

This issue does not automatically cause malicious software to run on a user’s computer. However, as a result of the malicious attacker’s actions, users may be persuaded to install malicious software if they are redirected to a malicious web page when acquiring a license.

An update to the Windows Media Player is available that allows users to modify the functionality involving automatic license acquisition in order to help prevent such attacks. Specifically, this update lets users configure Windows Media Player so they are prompted when the player accesses a web page to acquire a license. This update is available immediately through the Microsoft Download Center for users of Windows Media Player 10 on Microsoft Windows XP or Windows 2003 SP1 and for users of Windows Media Player 9 Series on Windows XP, Windows 2000 or Windows Server 2003.

Also, Internet Explorer for Windows XP SP2 helps prevent downloads from starting automatically and warns users about potentially harmful activities. Users who have installed Windows XP SP2 and turned on the Pop-Up Blocker feature have an added layer of defense from any attempt to deliver malicious software.

What versions of Windows Media Player are associated with this advisory?
This advisory pertains to Windows Media Player 9 and Windows Media Player 10.

Is this a security vulnerability that requires Microsoft to issue an update?
Although this is not a security vulnerability, this update was issued to provide additional warning for users who could be deceived into visiting a malicious Web site.

What is the scope of the advisory?
The scope of this advisory is to inform Windows Media Player users that an update has been released to reduce the risk of users being deceived into visiting a Web site.

What causes this threat?
An attacker could create a social engineering attack that abuses a function of the Windows Media DRM system designed to allow common license delivery scenarios. It does not automatically cause malicious software to run on the user’s computer.

What might an attacker use this function to do?
An attacker can create media files that could use this function to trick users into visiting a malicious Web site. This Web site could then try to trick the user into downloading and executing malicious software add-ons, such as spyware.

What does this feature do?
This feature lets users specify whether they want Windows Media Player to automatically acquire licenses to play protected content, or whether they would prefer to be prompted when a license is required.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/892313.mspx

Alert History

Date: 2014-02-17 11:38:45
Information: Multiple Updates