http://bsdvault.net/article.php?sid=527&mode=&order=0

Contributed by DittoHead on Friday, June 28 @ 10:36:24 EDT

I read this article about Microsoft's Palladium Digital Rights Management last week, linked from the Drudge Report. The story was reported in many other places, so I didn't submit it here.

Last night I got security bulletin MS02-032 from Microsoft concerning Windows Media Player; there is a patch that fixes all previous vulnerabilities and three new vulnerabilities. As I started the installation of the patch, the End User License Agreement box popped up. Normally I don't even read these things, but this time I did. There was a fairly standard preamble followed by some bullet points; here is the text of the second point:

"* Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update."

These security related updates sound more like version upgrades to the OS, since new functionality is added, and Windows Media Player will be used as an agent to download and install the new software "automatically." Normally security updates are announced by email containing a link to the website where the patch can be downloaded. There was no mention of which website Microsoft will use to post notices of new or upgraded software that was automatically downloaded to your computer while you were listening to a webcast using Windows Media Player, or how a user will know when to check the website to find out what has been added to the OS.

I have never been a Microsoft basher and have been using MS software since I bought my first computer in 1988, but this is really disappointing. Clearly the Media Player is going to be used for a purpose for which a service pack would be more appropriate. Even if the purpose is to install an automatic update utility, the owner of the computer should be in control and not be subject to "Things That Happen Behind Your Back." I don't think a firewall will help either--you must allow Media Player content to pass through in order to use it.

A funny/ironic/sad point is that the security bulletin reads in part: "- An information disclosure vulnerability that could provide the means to enable an attacker to run code on the user's system and is rated as critical severity". It looks to me like that's exactly what the patch does.

FYI my patch is for Media Player 6.4 on Windows NT 4.0.