Gee thanks, Microsoft.
For those who have not followed this story, researchers have discovered specially designed Windows Media Player files that will initiate the installation of spyware and adware when users attempt to play those files. These specially designed media files exploit the DRM (Digital Rights Management) functionality that Microsoft built into Windows Media Player by opening web pages in hosted instances of Internet Explorer. The ostensible purpose for opening these special Internet Explorer windows (which resemble dialog boxes) is to acquire license information needed to play the media files. Once open, though, these hosted instances of Internet Explorer can be used to initiate the download and installation of spyware and adware, just as happens in drive-by-downloads at regular web sites.
New from MS-Windows Media Player now adware friendly
Story
"You say that it is your custom to burn widows. Very well. We also have a custom: when men burn a woman alive, we tie a rope around their necks and we hang them. Build your funeral pyre; beside it, my carpenters will build a gallows. You may follow your custom. And then we will follow ours."- General Sir Charles Napier
Oderint dum metuant
- Chmee
- Sith Marauder
- Posts: 4449
- Joined: 2004-12-23 03:29pm
- Location: Seattle - we already buried Hendrix ... Kurt who?
Windows Security .... an oxymoron for 23 years and counting ......
My guess might be excellent or it might be crummy, but
Mrs. Spade didn't raise any children dippy enough to
make guesses in front of a district attorney,
an assistant district attorney, and a stenographer.
Sam Spade, "The Maltese Falcon"
Operation Freedom Fry
- White Haven
- Sith Acolyte
- Posts: 6360
- Joined: 2004-05-17 03:14pm
- Location: The North Remembers, When It Can Be Bothered
Like I needed more shit breaking computers for me to fix. Dammit, I'm not paid commission, and I'm not paid well, STOP BREAKING THINGS!
Chronological Incontinence: Time warps around the poster. The thread topic winks out of existence and reappears in 1d10 posts.
Out of Context Theatre, this week starring Darth Nostril.
-'If you really want to fuck with these idiots tell them that there is a vaccine for chemtrails.'
Fiction!: The Final War (Bolo/Lovecraft) (Ch 7 9/15/11), Living (D&D, Complete)
- Terr Fangbite
- Padawan Learner
- Posts: 363
- Joined: 2004-07-08 12:21am
And we give microcrap our money for what reason again?
Beware Windows. Linux Comes.
http://ammtb.keenspace.com
Generic MS bashing aside, this kind of crap arises from MS's efforts to make computers accessible to the masses. In other words: "Let's hide everything from the user and make it as simple as we can."
Which in itself isn't a bad thing. God knows that WinXP networking is orders of magnitude easier to set up than Win95 networking.
What makes it bad is when MS tosses basic security to the winds in order to 'simplify' things for the clueless user.
Even the most stupid 'luser' would like to think his files are somewhat secure. Instead of programming to the lowest common denominator, how about insisting that the user at least learn a little about security and access control?
Last edited by Glocksman on 2005-01-05 06:17pm, edited 1 time in total.
- CDS
- Padawan Learner
- Posts: 301
- Joined: 2004-12-15 03:55pm
- Location: Lancaster University, UK
"Hello, Microsoft Tech Support?"
"Yes, the internet's not working."
"How's it not working, sir?"
"I type something into the url and it comes up with some foreign page"
"Looks like you have spyware, sir. You might have got it from Windows Media Player. It's a new feature we've brought out, to improve your experience!"
"OK, Can I switch it off?"
"Certainly sir. Just download Microsoft anti-spyware"
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Albert Einstein
nimoll.co.uk technology website | N forums | Nimoll web design and hosting | Macguide
Mac OS X is orders of magnitude easier to set up with networking than Windows XP (literally, plug it in and you're done), yet it's nothing but a BSD distro.
Glocksman wrote: Generic MS bashing aside, this kind of crap arises from MS's efforts to make computers accessible to the masses. In other words: "Let's hide everything from the user and make it as simple as we can."
Which in itself isn't a bad thing. God knows that WinXP networking is orders of magnitude easier to set up than Win95 networking.
What makes it bad is when MS tosses basic security to the winds in order to 'simplify' things for the clueless user.
Even the most stupid 'luser' would like to think his files are somewhat secure. Instead of programming to the lowest common denominator, how about insisting that the user at least learn a little about security and access control?
- Durandal
- Bile-Driven Hate Machine
- Posts: 17927
- Joined: 2002-07-03 06:26pm
- Location: Silicon Valley, CA
Which has exactly dick to do with the thread. I love Mac OS X, I use Mac OS X, and I hate Windows. But I don't go around turning threads into "MAC OS X RUL3ZZ!!!" wank-fests, now do I?
Praxis wrote: Mac OS X is orders of magnitude easier to set up with networking than Windows XP (literally, plug it in and you're done), yet it's nothing but a BSD distro.
Glocksman wrote: Generic MS bashing aside, this kind of crap arises from MS's efforts to make computers accessible to the masses. In other words: "Let's hide everything from the user and make it as simple as we can."
Which in itself isn't a bad thing. God knows that WinXP networking is orders of magnitude easier to set up than Win95 networking.
What makes it bad is when MS tosses basic security to the winds in order to 'simplify' things for the clueless user.
Even the most stupid 'luser' would like to think his files are somewhat secure. Instead of programming to the lowest common denominator, how about insisting that the user at least learn a little about security and access control?
Cut it out.
Damien Sorresso
"Ever see what them computa bitchez do to numbas? It ain't natural. Numbas ain't supposed to be code, they supposed to quantify shit."
- The Onion
I absolutely won't, thing is he tied Windows XP being easier to network with Microsoft hiding things from the user and dumbing it down, and I was using OS X as an example to show that that's not necessarily the case.
Durandal wrote: Which has exactly dick to do with the thread. I love Mac OS X, I use Mac OS X, and I hate Windows. But I don't go around turning threads into "MAC OS X RUL3ZZ!!!" wank-fests, now do I?
Praxis wrote: Mac OS X is orders of magnitude easier to set up with networking than Windows XP (literally, plug it in and you're done), yet it's nothing but a BSD distro.
Glocksman wrote: Generic MS bashing aside, this kind of crap arises from MS's efforts to make computers accessible to the masses. In other words: "Let's hide everything from the user and make it as simple as we can."
Which in itself isn't a bad thing. God knows that WinXP networking is orders of magnitude easier to set up than Win95 networking.
What makes it bad is when MS tosses basic security to the winds in order to 'simplify' things for the clueless user.
Even the most stupid 'luser' would like to think his files are somewhat secure. Instead of programming to the lowest common denominator, how about insisting that the user at least learn a little about security and access control?
Cut it out.
- The Kernel
- Emperor's Hand
- Posts: 7438
- Joined: 2003-09-17 02:31am
- Location: Kweh?!
He compared it to Windows 95, not every other OS on the market. He was trying to show an INTERNAL Microsoft trend of dumbing down the OS for the end user. But of course, this naturally gave you an invitation to come in and spout your usual Apple wank speech.
Praxis wrote: I absolutely won't, thing is he tied Windows XP being easier to network with Microsoft hiding things from the user and dumbing it down, and I was using OS X as an example to show that that's not necessarily the case.
I seriously didn't mean it that way, was just using it as an example.
My interpretation of his post was that he was attributing Windows XP's simplified networking to being closed source and not informing users how it works. Maybe I misread it, or perhaps he had another point that just went over my head, but I wasn't trying to be Mr. Apple Fanboy again.
From the same page, from the same guy who is referenced in the original article:
Glocksman wrote: Gee thanks, Microsoft.
You need to consent in installing the ActiveX code.
edbot wrote: I have a detailed response here:
»www.edbott.com/weblog/archives/000351...
Quick summary:
My initial response was skeptical, and accurately so. The PC World article said, "PC World has learned that some Windows Media files on peer-to-peer networks such as Kazaa contain code that can spawn a string of pop-up ads and install adware." [emphasis added]. The clear implication was that simply playing a music or video file will install a program on your machine. That turned out not to be true, as you and I have both shown.
My remarks about digital signatures were not intended to justify the purveyors of this garbage or to imply that signed programs are somehow safe. My remarks were aimed at the readers of this forum and my Web site, who are already well informed about spyware and viruses and would be deeply suspicious of these dialog boxes. I was shocked at how honest the license agreements were in describing the crappy things these programs would do. I don't expect a sophisticated, suspicious user to be fooled by this stuff. I also don't expect a naive user to read license agreements ever.
As for "blaming the user," I stand by the remark I made. You are demanding that Microsoft patch this vulnerability. I agree that that should be done. But the reason that viruses and spyware spread is because no matter how hard we try to educate the masses, many people simply don't install patches after they're released. I get virus-infected e-mail messages every day, and my mail server blocks many more. In most cases those viruses can be prevented by a patch that was released three or four years ago. If someone hasn't installed a Critical Update from 2001, why would they install a new one to fix this vulnerability when it's available?
You get bigger problems with people downloading shit which claims to put "weather on the tray" and then slows the shell to a fucking crawl cos it's so busy at logging everything you do and doing a shitty job at it.
WMP is and has always been free.
Terr Fangbite wrote: And we give microcrap our money for what reason again?
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.
The major difference between WinXP's networking and Win95 networking, is you don't need to fucking reboot every time you change something in WinXP.
Praxis wrote: I seriously didn't mean it that way, was just using it as an example.
My interpretation of his post was that he was attributing Windows XP's simplified networking to being closed source and not informing users how it works. Maybe I misread it, or perhaps he had another point that just went over my head, but I wasn't trying to be Mr. Apple Fanboy again.
The actual GUI to interact with all the complex stuff hasn't changed one bit. There are just some nice simple wizards added for the clueless.
I agree that 'Joanie Secretary' types who put a 'weather banner' that contains ad/spyware on her work PC, and then doesn't have a clue why the IT people are so angry with her after the system starts crawling are a problem.
You need to consent in installing the ActiveX code.
You get bigger problems with people downloading shit which claims to put "weather on the tray" and then slows the shell to a fucking crawl cos it's so busy at logging everything you do and doing a shitty job at it.
Eric Howes looks on it (the issue of consent) a little differently:
Bingo.
Contrary to Ed Bott's assertion that this is not a "new and horrifying security risk" ( »Adware Installed through WMA Files ) the installation practices that users are forced to deal with when attempting to play these rogue Windows Media Player files are so confusing, deceptive, and coercive that regular users are at high risk for unwittingly consenting to the installation of spyware and adware, with potentially dire consequences for their computers, to say nothing of their privacy and security. The installation practices combine and exploit a dangerous combination of circumstances and qualities to bamboozle users into believing that they are consenting to the installation of software required to view media files. Among those circumstances and qualities are:
* a legitimate, required Windows Media Player "Security Upgrade" that conditions users to expect the installation of required software;
* ActiveX Security Warning boxes that users find inherently confusing because of the vague and inadequate information provided;
* ActiveX installation prompts for software deliberately named to give the impression that it is yet another required Windows Media Player upgrade;
* repeated, insistent pop-ups designed to coerce users into consenting to the installation of software;
* murky, confusing End User License Agreements that fail to disclose the installation of third-party software as well as the functionality and privacy practices of that software.
What we need from Microsoft is a swift fix for the problems summarized here, not attempts to minimize and pooh-pooh the risk or to subtly suggest that users are the problem for not upgrading to XP SP2 and for clicking through installation prompts. As I stressed in an earlier post here at DSLR, it is absolutely inexcusable that media files should have ever become a vehicle for pushing spyware and adware on unsuspecting users. Media files should simply not be a vehicle for adware installations. Period. That there are preventative measures for this unwelcome behavior and functionality is no excuse for the problem itself. It should have never existed in the first place.
Thanks again, Microsoft.
The wizards have saved me a lot of time because I can talk people through it over the phone instead of having to go over in person and configure it.
The major difference between WinXP's networking and Win95 networking, is you don't need to fucking reboot every time you change something in WinXP.
The actual GUI to interact with all the complex stuff hasn't changed one bit. There are just some nice simple wizards added for the clueless.
The reboot after every change was the thing I hated most about Win95.
- Dead_Ghost
- Padawan Learner
- Posts: 276
- Joined: 2004-12-16 06:18pm
- Location: Orbiting the star Formalhaut
It gets worse. A few months back (can't remember acutely when), several viruses were spread through IMAGES. JPEG and BMP images, IIRC
It gets a bit disturbing when even music files can be viruses.
- Concerning the topic "Jedi training and sexuality"
Mark S wrote: Maybe they're allowed to have all the casual sex they want. It's not sex that's forbidden, it's attachment.
"Go forth and fuck her brains out, my young Padawan. Just remember, no cuddling and pillow talk afterwards."
I tell people all the time to use the wizards. It's so much easier to talk someone through using a wizard over the phone than it is to change a bunch of settings which names are cryptic and they need to actually read the text to find the setting location rather than hit an icon.
Glocksman wrote: The wizards have saved me a lot of time because I can talk people through it over the phone instead of having to go over in person and configure it.
Hell yes.
The reboot after every change was the thing I hated most about Win95.
That was very different. Those viruses were imbedded into the images themselves, as in the executable code was in the images themselves (also it was only jpeg under Windows).
Dead_Ghost wrote: It gets worse. A few months back (can't remember acutely when), several viruses were spread through IMAGES. JPEG and BMP images, IIRC
It gets a bit disturbing when even music files can be viruses.
In this case it's a prompt which allows you to install something. No executable code imbedded into the music files.
Notice the big fucking difference?
- CDS
- Padawan Learner
- Posts: 301
- Joined: 2004-12-15 03:55pm
- Location: Lancaster University, UK
Here's a novel idea.... install a virus killer and don't download from p2p!!!!!
Install a Virus Killer...which 95% of the user base don't know how to do without shelling out money (something they're generally disinclined to do). Many virus killers are confusing to the average user as well (Norton Antivirus confounded me, and I'm not inexperienced).
CDS wrote: Here's a novel idea.... install a virus killer and don't download from p2p!!!!!
Blaming p2p itself is stupid. Peer to peer is merely a method of communication. You might as well attack the concept of emailing because people can use emails to send malicious programs.
<edit>
In other words, this "novel idea" of yours is nowhere as obvious as you'd like to pretend, and furthermore somehow suggests that the user is at fault for not protecting him- or herself against the fuckups that Microsoft refuse to fix or accept the responsibilities for.
</edit>
Björn Paulsen
"Travelers with closed minds can tell us little except about themselves."
--Chinua Achebe
- Slartibartfast
- Emperor's Hand
- Posts: 6730
- Joined: 2002-09-10 05:35pm
- Location: Where The Sea Meets The Sky
- General Zod
- Never Shuts Up
- Posts: 29211
- Joined: 2003-11-18 03:08pm
- Location: The Clearance Rack
what the fuck does p2p have to do with an exploit that uses the DRM feature in WMP?
CDS wrote: Here's a novel idea.... install a virus killer and don't download from p2p!!!!!
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
- Chmee
- Sith Marauder
- Posts: 4449
- Joined: 2004-12-23 03:29pm
- Location: Seattle - we already buried Hendrix ... Kurt who?
No, it all makes perfect sense now, after reading this today:
Perfect MS thinking .... have a free product distribute spyware & viruses, then sell another product that removes them!
Continuing its recent spate of security moves, Microsoft Corp. on Thursday said it plans to release a virus detection and removal tool on Jan. 11. The antivirus fighter will be updated on the second Tuesday of every month as part of the company's scheduled software patching cycle.
Meanwhile, exactly three weeks after acquiring anti-spyware startup Giant Company, Redmond released the first public beta as a free Windows download through July 31.
Redmond also plans to release a virus detection and removal tool on Jan. 11, which will be updated on the second Tuesday of every month as part of the company's scheduled software patching cycle.
As previously reported, the spyware zapper is an exact replica of the Giant Company application acquired late last year.
Microsoft has retained all of the key Giant AntiSpyware features, including RealTime Detection, AutoUpdater, Spyware Scan and the widely hailed SpyNet Community network, which provides an early-warning mechanism.
Microsoft officials declined to discuss what happens after the beta expires in July, but analysts expect the company to start charging for definition updates once the spyware detection and removal tool goes gold.
Thank you, Bill!