[ISN] Microsoft's Digital Rights Management -- A Little Deeper

From: InfoSec News (isnat_private)
Date: Mon Jul 01 2002 - 03:09:29 PDT

    Contributed by DittoHead on Friday, June 28 @ 10:36:24 EDT 
    I read this article about Microsoft's Palladium Digital Rights
    Management last week, linked from the Drudge Report. The story was
    reported in many other places, so I didn't submit it here.  Last night
    I got security bulletin MS02-032 from Microsoft concerning Windows
    Media Player; there is a patch that fixes all previous vulnerabilities
    and three new vulnerabilities. As I started the installation of the
    patch, the End User License Agreement box popped up. Normally I don't
    even read these things, but this time I did.  There was a fairly
    standard preamble followed by some bullet points;  here is the text of
    the second point:
    " * Digital Rights Management (Security). You agree that in order to
    protect the integrity of content and software protected by digital
    rights management ("Secure Content"), Microsoft may provide security
    related updates to the OS Components that will be automatically
    downloaded onto your computer. These security related updates may
    disable your ability to copy and/or play Secure Content and use other
    software on your computer. If we provide such a security update, we
    will use reasonable efforts to post notices on a web site explaining
    the update. "
    These security related updates sound more like version upgrades to the
    OS, since new functionality is added, and Windows Media Player will be
    used as an agent to download and install the new software
    "automatically." Normally security updates are announced by email
    containing a link to the website where the patch can be downloaded.  
    There was no mention of which website Microsoft will use to post
    notices of new or upgraded software that was automatically downloaded
    to your computer while you were listening to a webcast using Windows
    Media Player, or how a user will know when to check the website to
    find out what has been added to the OS.
    I have never been a Microsoft basher and have been using MS software
    since I bought my first computer in 1988, but this is really
    disappointing. Clearly the Media Player is going to be used for a
    purpose for which a service pack would be more appropriate. Even if
    the purpose is to install an automatic update utility, the owner of
    the computer should be in control and not be subject to "Things That
    Happen Behind Your Back." I don't think a firewall will help
    either--you must allow Media Player content to pass through in order
    to use it.
    A funny/ironic/sad point is that the security bulletin reads in part:
    " - An information disclosure vulnerability that could provide the
    means to enable an attacker to run code on the user's system and is
    rated as critical severity ".
    It looks to me like that's exactly what the patch does.
    FYI my patch is for Media Player 6.4 on Windows NT 4.0.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jul 01 2002 - 05:47:22 PDT