Information Security News mailing list archives

Microsoft's Digital Rights Management -- A Little Deeper


From: InfoSec News <isn () c4i org>
Date: Mon, 1 Jul 2002 05:09:29 -0500 (CDT)

http://bsdvault.net/article.php?sid=527&mode=&order=0

Contributed by DittoHead on Friday, June 28 @ 10:36:24 EDT 

I read this article about Microsoft's Palladium Digital Rights
Management last week, linked from the Drudge Report. The story was
reported in many other places, so I didn't submit it here.  Last night
I got security bulletin MS02-032 from Microsoft concerning Windows
Media Player; there is a patch that fixes all previous vulnerabilities
and three new vulnerabilities. As I started the installation of the
patch, the End User License Agreement box popped up. Normally I don't
even read these things, but this time I did.  There was a fairly
standard preamble followed by some bullet points;  here is the text of
the second point:

" * Digital Rights Management (Security). You agree that in order to
protect the integrity of content and software protected by digital
rights management ("Secure Content"), Microsoft may provide security
related updates to the OS Components that will be automatically
downloaded onto your computer. These security related updates may
disable your ability to copy and/or play Secure Content and use other
software on your computer. If we provide such a security update, we
will use reasonable efforts to post notices on a web site explaining
the update. "

These security-related updates sound more like version upgrades to the
OS, since new functionality is added, and Windows Media Player will be
used as an agent to download and install the new software
"automatically." Normally security updates are announced by email
containing a link to the website where the patch can be downloaded.  
There was no mention of which website Microsoft will use to post
notices of new or upgraded software that was automatically downloaded
to your computer while you were listening to a webcast using Windows
Media Player, or how a user will know when to check the website to
find out what has been added to the OS.

I have never been a Microsoft basher and have been using MS software
since I bought my first computer in 1988, but this is really
disappointing. Clearly the Media Player is going to be used for a
purpose for which a service pack would be more appropriate. Even if
the purpose is to install an automatic update utility, the owner of
the computer should be in control and not be subject to "Things That
Happen Behind Your Back." I don't think a firewall will help
either--you must allow Media Player content to pass through in order
to use it.

A funny/ironic/sad point is that the security bulletin reads in part:

" - An information disclosure vulnerability that could provide the
means to enable an attacker to run code on the user's system and is
rated as critical severity ".

It looks to me like that's exactly what the patch does.

FYI my patch is for Media Player 6.4 on Windows NT 4.0.
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
