Microsoft has denied that an anti-piracy "feature" in its Windows Media Player that allows a Trojan horse to run on a user's PC is a vulnerability.
Panda Software warned earlier this week that hackers are using the player's DRM tool to fool people into downloading spyware and viruses.
The Spanish security company said that virus writers had released licence-protected multimedia files containing Trojan horses (WmvDownloader.A and WmvDownloader.B) that can exploit the anti-piracy features in version 10 of the Media Player and Windows XP SP2.
Despite Panda's warning that the Trojan can download a cocktail of malware, Microsoft denies there is a flaw in its software.
"This Trojan appears to utilise a function of the Windows Media DRM designed to enable licence delivery scenarios as part of a social engineering attack," said Microsoft in an emailed statement.
"There is no way to automatically force the user to run the malicious software. This function is not a security vulnerability in Windows Media Player or DRM."
But Microsoft didn't say whether Windows XP SP2 fully protected users from unwanted downloads.
"Internet Explorer for Windows XP SP2 helps prevent downloads from automatically launching. Users who have installed Windows XP SP2 and turned on the pop-up blocker have an added layer of defence from this Trojan's attempt to deliver malicious software," said Microsoft.
The Redmond giant also said that people should go to the police if they think they have been attacked by such Trojans.
Microsoft also added that "customers in the United States who believe they have been attacked should contact their local FBI office or post their complaint on www.ifccfbi.gov. Customers outside the US should contact the national law enforcement agency in their country."






Talkback
Seems like they're burying their heads in the sand yet again. Whenever a flaw is found then Microsoft either wait ages before admitting it or deny it. How often do regular users need to access licences for music? When I used WMP I did it nearly every day.
I don't think that law enforcement agencies (paid for with tax money) would welcome the day that everyone suspecting to be the victim of a trojan (or virus) attack comes to them and claims their time and resources (usually in short demand and needed for more urgent matters).
As such those law enforcement agencies should consider placing (some) responsibility on the vendors involved. And by doing so motivating such vendors to maximize their efforts in order to minimize demands on the resources of law enforcement agencies.
Microsoft probably has no incentive to fix this. As I understand it, the one and only security fix is called "upgrading to XP-SP2", and all earlier versions of I.E. are now official (as opposed to unofficial) security risks. This sounds like a perfect excuse for MS to ask everyone to migrate to XP - or else.
Time to Migrate!
Well, if you're running any version of Windows <XP, I guess it's time to migrate.
Might as well look at the Mac and Linux if you're gonna have to migrate.