Slashdot Mirror


Microsoft Media Player "Security Patch" Changes EULA Big Time

MobyTurbo writes "In an article on BSD Vault a careful reader posts that in the latest Windows Media Player security patch, the EULA (the "license agreement" you click on) says that you give MS the right to install digital rights management software, and the right to disable any other programs which may circumvent DRM on your computer." So if you want your machine secure, you also want Microsoft to have free rein on your PC.

32 of 640 comments

  1. Security Patches are getting worse by peterdaly · · Score: 4, Interesting

    I thought it was bad recently when a "Critical" IE6 security patch completely broke the ability to view TIFF images in a browser without hacking the registry by hand. I maintain a web site that basically sells access to TIFF imaged documents. All of a sudden we had about a hundred pissed off customers (some not wanting to pay their bill) because _WE_ broke access to the information that runs their businesses. As each customer ran Windows Update, our website broke. Of course they all say they have not installed any new software, which makes it all the more difficult to troubleshoot until the problem was figured out.

    MS is without a doubt throwing non-security things into "security patches", and I for one don't like the unadvertised "features" one bit.

    -Pete

  2. Re:extortion by rabtech · · Score: 5, Interesting

    No, because most companies reserve the "right" to change the terms of the EULA, without notification, at ANY TIME.

    The whole concept of the EULA is so silly... I really hope it gets tossed out of court ASAP. Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

    --
    Natural != (nontoxic || beneficial)
  3. Another Nail by Anonymous Coward · · Score: 1, Interesting
    Microsoft is stuck in a quandary. On the one hand they have to do something to keep the revenue stream going. But all their moves to ensure this are alienating customers.

    XP and Microsoft's moves from customers owning their software (such as that "ownership" was anyway) to only renting it might have been the turning point where I work. My boss recently had us change his laptop from Win98-only to dual-boot Linux as well. A new "computerization" initiative for the production line will use Java-based apps running on *gasp* currently moth-balled X-terminals!

    With this kind of... extortion (the DRM crap included in a security update, fer Christ's sake), I'm of the opinion that MS is only driving another nail in its own coffin.

  4. Corporate users can't install that by Animats · · Score: 5, Interesting

    If you're in a large company, contact your legal department immediately. That's a serious issue, because it gives Microsoft the unlimited right to destroy any software on your machine. That's not something the individual employee is authorized to agree to.

    1. Re:Corporate users can't install that by Anonymous Coward · · Score: 1, Interesting

      I am not sure what you meant by that, but I am currently doing an internship at a very large corporation (hint:-shift the letters in HAL one down) and ALL the employees in our division have "Administrator" access to their workstations.

      We are not allowed to install anything "illegal" of course, but basically you have to police yourself.

      Of course, the fact that this is the research division and 90% of the staff members have Ph.Ds in EE or CS might have something to do with it.

      So I am saying that the original poster made a valid point. Sometimes the employees have to make the judgement of which software they can legally install and which software would be problematic.

  5. Scary by scotfl · · Score: 5, Interesting

    > These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer.

    Now there's a particularly nasty line. It starts off with DRM for 'Secure Content' (which I guess is M$'s new term for protected IP), but then it expands into 'Other Programs'. Which means, MS is now reserving the right to disable any program they don't like.

    Furthermore, the patch that disables the program "will be automatically downloaded onto your computer," without your knowledge. But, the real kicker is this one (my favourite line):

    > If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.

    So even if they send out patches killing off all non-MS software, they can bury a notice so deep in microsoft.com that no one will ever find it, and claim (correctly) they are going above and beyond the EULA. Damn, I'm glad I use Macs and NetBSD.

    --
    "In my values, freedom is more important than 'serving users' in a mere practical sense." -- RMS
  6. scope creep by theCat · · Score: 2, Interesting

    People are going to say that this is such a bad thing. But really, it's just an extended interpretation of what was always in the license. Software companies have been telling us for decades that we don't own the software we buy, and we've let them. And it doesn't matter that to now they haven't done much with that stipulation (except make it hard/impossible to sell a used computer with software) but they could have at any time. So now, Microsoft is

    Back In The Olden Days, why, we just wrote our own software! Companies sold hardware and a compiler. That has slowly changed, and now we are staring down the barrel of the 'software subscription' gun. Meaning, you will have as much control over the nature and quality of your software (and hence your entire computing experience) as you have over the programming on broadcast TV. Which is, none at all. The masses are thrilled with that (they still watch TV, too) and M$ and all the others are selling to the masses and probably not a single reader of this post. So yeah it sucks when M$ takes control, as if they never had control, but if you have a problem with that you can join with a bunch of software rebels and create your own software, and license it the way you like. Yeah sure I'm not the first to come up with that idea, but before we lament what the software companies do because we let them, we can just go around them.

    After all, we do still own the hardware. For now.

    --
    =^..^= all your rodent are belong to us
  7. Legality of EULA by javacowboy · · Score: 5, Interesting

    > Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

    This is an interesting point. How legally binding *IS* the EULA? It's generally accepted that in internet transactions involving credit card numbers, a customer can at any time deny having made the transaction. Without a signature, there's no way to PROVE that the customer made the transaction: they can't take that customer to court. This is why there is a much larger allowance for bad debts on online credit card transactions. In a real-life transaction with a carbon copy, all they need is your signature to prove that you made the transaction, and they can sue you.

    In that vein, how can the EULA possibly be legally binding? I can see how the signature on the invoice for their computer or copy of Windows, they could be held liable. However, how can a user clicking on "OK" in an upgrade screen be legally binding?

    I don't understand how the judicial/legislative system has allowed them to get away with this, whereas credit card companies are screwed on fraudulent online transactions. This doesn't make any sense to me. Some court somewhere should be able to strike down the EULA as non-binding contracts, due to the lack of a customer signature or any other proof that the customer entered the transaction.

    --
    This space left intentionally blank.
    1. Re:Legality of EULA by Anonymous Coward · · Score: 1, Interesting
      I hate invasive EULAs as much as the next guy, but I don't think you can claim you didn't see or accept the agreement.



      Of course I can. I never agree to any of those EULAs, and I never read them. I click on the button yes, you may construe that to mean I have agreed to something, I don't agree.

  8. Things Microsoft might do under this EULA by Animats · · Score: 5, Interesting
    Some things to expect that Microsoft might do, and would now be allowed to do.
    • Register all file types understood by Microsoft Media Player (.avi, .mp3, etc.) to Media Player and not let go. Prevent any assignment of those types to another player. This enforces the "requirement" that content be played through a "DRM compliant" player. (That's a likely plan; Microsoft software has been notorious for grabbing control of file types. So far, you've usually been able to make it let go.)
    • Compute a digital fingerprint of played content and check with a Microsoft server to see if it's pirated. This would make the RIAA and MPAA very happy. (Isn't this already being done for audio CDs, to get the title info?)
    • Check for "pirate" file sharing clients and turn them off. (Probably not for a while, but possible.)

    This is the stuff the RIAA has been asking Congress for, but Congress hasn't gone along with it. Now it's coming in through the back door.

    And notice that this system includes a back door, through which Microsoft can secretly install new software that takes away functions or spies on you.

  9. Re:Two questions by birder · · Score: 4, Interesting

    You can remove wmplayer.exe and rename mplayer2.exe (in the same directory) to wmplayer.exe

    That's a start

  10. Re:Brownie Points with DRM advocates by kawika · · Score: 5, Interesting

    Yep. Take a look here to see Microsoft's plans for cozying up to the DRM folks. The strange thing is that the final presentation on "Mercury" isn't available. That was the most interesting one. It was about how the DRM software would manage rights for portable media players over the Internet using public/private keys. And of course, Microsoft runs this whole DRM infrastructure for a nice fee.

    I was there for most of the live presentation, and during the Q&A someone got up and asked what would happen if the keys were compromised, for example someone found a way to hack the unique id in a player. The MS guy indicated that the keys for an entire brand/model of player could be shut off if necessary. The next question, of course, was how the buyers of those players would feel when their expensive players became useless. The MS guy said that the decision to shut off access wouldn't be Microsoft's, but they could do so on a court order, for example.

    Why would someone want to buy a portable media player (or desktop media player for that matter) that could become worthless a few months later because someone else hacked it and rendered the DRM insecure? You wouldn't. Why would a manufacturer want to take the chance that they'd be involved in a messy class-action suit from customers because their portable media player now can't play music? They wouldn't.

    I just can't see how this can come to pass.

  11. Re:MS/Borg by kaustik · · Score: 2, Interesting

    I think that an EULA like this would apply more-so to one who had pirated the software. Running even a pirated version of this would expose your computer to the scrutiny of M$ - scrutiny that is even less-wanted by people like you and I who most likely have massive amounts of software that we may have "delayed" on paying any licensing fees for. I wonder how long it will be before I boot up my XP partition to an empty hard drive and picture of a disapproving Bill shaking his finger at me... or an FBI agent at my door.

  12. Re:This has got to stop by DeltaBlaster · · Score: 2, Interesting

    I could be totally wrong (which I probably am)... Isn't there something illegal about Microsoft disabling (thereby 'destroying') items from YOUR computer (YOUR property)??

    --
    (This Space For Rent) ....($50 A Month).... (Contact The Voices In Your Head)
  13. security as a carrot on a stick by Anonymous Coward · · Score: 1, Interesting
    Microsoft is employing a rather insidious 'carrot on a stick' approach to controlling its users' computers. Let's consider a hypothetical bright MS OS user who we'll call 'Bob'. Bob hasn't upgraded to WindowsXP for various reasons, perhaps he's heard that it uses some sort of 'fingerprinting' protection that could interfere with his ability to upgrade the hardware of his computer, and his basic attitude is 'Win98SE is serving me just fine, thanks very much.' He regards his operating system as 'his', as a relatively stable entity. Another thing which enables him to stick with it is that when there are glaring security holes, and there have been many, MS provides a patch he can download and apply and carry on securely with his good old OS.

    While he regards the OS as 'his', he understands that really it's just 'licensed' to him by MS. 'Semantics', he thinks, as a license is a form of contract which cannot be changed by either party without the consent of both parties, so whatever. It doesn't occur to him that when he downloads that security patch and just automatically clicks on 'OK' in order to proceed with the install, that he might be agreeing to something, in fact he doesn't even bother to read the gobbledy-gook text of the EULA (end user license agreement) presented by the installer. Perhaps he would have found the EULA for the latest security update for Windows Media Player interesting.

    * Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.


    Of course, even had he read it, what would he have done? Clicked 'cancel' and left his computer vulnerable to the security hole? Each security hole discovered in Windows now is an opportunity for MS to modify the EULA and gain new concessions from the user. And because there will be more security updates in future, in order to have a secure OS, Bob will have to install the next to be secure, and the next to be secure... You see where the 'carrot on a stick' image comes from, Bob keeps plodding along after the carrot of security, never really getting it, but along the way agreeing to whatever MS wants.

    Once Bob's sufficiently clued in, he may want to say to hell with MS altogether. To Bob and others like him I'd suggest Linux/Mandrake as a nice, easy to install and use, version of Linux. The commercial version comes with an MS Office replacement called StarOffice, though you can get a free version called OpenOffice which doesn't have the db support from OpenOffice.org

    Personally, I think infrastructure, anything critical like operating systems, should be free, but another alternative I'd suggest in the 'lesser of two evils' category would be the Mac, esp. running OS/X. Here in Canada, and I expect in the US, Apple is running some really brilliant ads featuring former Windows users as part of their campaign to get Windows users to switch. The web site for the campaign is at http://www.apple.com/switch/
  14. Re:automatic EULA remover by Qrlx · · Score: 2, Interesting

    Removing the EULA won't prevent it from applying to you. It's like if you (bad analogy coming) add a zero to the end of the speed limit sign -- you can't drive 550 now just because you changed the sign.

    What we need is third-party security patches and hotfixes for Microsoft products. Ones that don't change the EULA.

    Seeing as most bugs/exploits are found by non-MS folks, the next step is for them to write a patch for the bug. Props to the next hacker who finds a bug and releases a patch too, completely circumventing Microsoft's involvement in the process!

  15. Re:PNG packs tighter than TIFF by dvdeug · · Score: 3, Interesting

    PNG, on the other hand, uses Phil Katz's Deflate (LZSS on a 32 KB window, followed by Huffman coding), which makes smaller files than any of TIFF's three algorithms.

    TIFF has a deflate compression scheme too, though not everyone supports it. TIFF can be smaller; CCITT Fax, which is designed for bilevel text, actually works better than PNG for bilevel text.

    What does TIFF do that PNG doesn't?

    JPEG. Multiple images in one picture; libtiff's registered tags allow for a 3D scan to be stored in one file as a series of slices. Thumbnails can be included by the same mechanism. It can also be used like PDF, in holding an entire document in one file. It provides for anyone to register new tags, for arbitrary extension. It's an extraordinarily flexible file format.

  16. Re:automatic EULA remover by rmohr02 · · Score: 3, Interesting

    That may not work on M$ products because on the box it says the user must agree to the enclosed EULA before using the program. If they don't agree, the box says they can return it, even when it's opened. Thus using the EULA remover wouldn't accomplish anything.

  17. Re:extortion by donutello · · Score: 4, Interesting

    > No, because most companies reserve the "right" to change the terms of the EULA, without notification, at ANY TIME.

    Horseshit! You can't change a EULA without notification. This is Contract Law 101. You can't change a contract unilaterally. Show me a EULA which reserves the right to change itself without notice and I'll show you a EULA that has no feet to stand on.

    > The whole concept of the EULA is so silly... I really hope it gets tossed out of court ASAP. Where else can the manufacturer of a product hold you under a contract you did not sign, and change the terms of that contract at any time without notifying you or getting your agreement on the changes?

    The concept of a EULA is not silly. A paper signature is only one way to prove that you actually indulged in the transaction. It is not necessary to prove that you actually did. And nowhere can anyone change the terms of a contract without notifying you or getting your agreement on the changes. It hasn't happened in this instance and won't happen ever.

    --
    Mmmm.. Donuts
  18. How to take a stand and have it count by Arcturax · · Score: 5, Interesting

    We can go through the courts but there is no guarantee you will win. In fact, if anything, you may do the opposite, set a precedent that EULAs are legally binding.

    So instead, you will just have to stop using Microsoft software. People bitch and moan and gripe but at the end of the day they sit down and load up Windows.

    Well, if you really want an effective protest, you are going to have to change. There are some options and they are not as bad as they seem once you adjust!

    First off, there is Linux.
    Pros: Keep old hardware, plenty of free software available, WINE may let you play some Windows only games, large community of geeks who will likely help you for free if you get into trouble (a million places to go for "support"). EULA, if any, is not the work of the devil.
    Cons: Limited number of games, some only available through WINE, need to learn UNIX (big curve for some people), some hardware may not work right or at all, ease of use is not all there yet. No office but there are alternatives which are getting better by the month.

    There is also the Macintosh:
    Pros: Extremely easy to use, rock solid OS which matches or exceeds the Windows experience when it comes to user interface, cd burning from the desktop and overall user experience. Plug and play far superior to Windows and Linux. Good and rapidly growing supply of games and other software. OS is based on open source software (NetBSD) and Linux/UNIX software can and is being ported over (you can even replace your UI with Gnome or KDE if you wish!). Microsoft office is available as well as the open source alternatives ported to Mac OS X. Large fanatic user base who will often help out other Mac users in distress for free.
    Cons: Not as many games/software choices as Windows, though this has improved immensely in the last 4 years. EULA may be the work of the devil, check Steve Jobs' receding hairline to see if horns are exposed. Mac OS X still a young OS and there will be bumps in the road. Last but not least, you will need a new computer and the hardware is a bit more expensive though this is made up for by quality and an average usable lifetime of 4 years compared to 2 for a PC.

    So you may have to make some sacrifices and changes, but you can give M$ the finger and still have a usable computing solution in your home or office.

    --

    --Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
  19. On patch, EULA doesn't display by KMSelf · · Score: 4, Interesting

    Patching a number of systems at the office (my desktop's Debian GNU/Linux, but others suffer...), I noticed that the EULA dialog (digression #2: HTF is someone supposed to be able to read the text in a dialog that shows ~8 lines x 20 columns?) didn't present the EULA by the time I'd clicked the "Accept" button. This several times. And though we're running some older systems, this included a set of newer 1 GHz+ boxen.

    What's the legal status of a contract which disappears "on approval" before it's been read?

    --

    What part of "gestalt" don't you understand?

  20. Everyday my decision seems smarter and better. by miffo.swe · · Score: 2, Interesting

    I decided to use open source software as much as possible since a couple of years back. Mostly because I have trouble using Microsoft software, mainly due to the lack of quality. A thing that bothers me more and more is that some companies want to take control over MY computer. A thought that doesn't please me at all. It's my computer and I make the decisions about it. If a company can gain access through a back door to alter settings and such then surely anyone else that gets their hands on the keys can too. This makes a huge security threat to all possibly sensitive data I might have on my box. No serious OS should contain a backdoor. There isn't a single legit reason for it. Hopefully there are more people that think as I do and maybe there will be enough people using linux/freebsd/whatever to sustain alternatives to Microsoft in the future.

    --
    HTTP/1.1 400
  21. Re:PNG packs tighter than TIFF by ncc74656 · · Score: 3, Interesting
    > What does TIFF do that PNG doesn't?

    Does PNG support multiple images in one file? Don't take this as a troll...I've had fax software that would store all the pages of an incoming fax in a single TIFF file that could be viewed/printed/etc. Does PNG support a similar capability?

    (For images on a website that you don't want to put through JPEG losses, PNG rocks.)

    --
    20 January 2017: the End of an Error.
  22. Re:MS/Borg by esarjeant · · Score: 2, Interesting

    FWIW, I've never really liked the MS Media Player since it was overhauled (was that v7?). It's big & bloated now, it's impossible to figure out how to just "Play" a CD without making a copy of it, and as far as using your DVDs it's faster to reformat, install Linux and fire-up Ogle.

    --

    Eric Sarjeant
    eric[@]sarjeant.com

  23. NON-NERD WORKAROUND HERE by Anonymous Coward · · Score: 1, Interesting

    Using ZoneAlarm just deny wmp any access to the net, and add the content server to the Local Zone. Bit of an arse, but you may be glad...

  24. Another big win for Open Source by Angst+Badger · · Score: 3, Interesting

    Years ago, it was a common observation that increasingly draconian and intrusive licensing agreements would lead to widespread adoption of Free and Open Source software. It hasn't been quite that dramatic, but it has been happening, mostly in Europe and elsewhere outside of the United States. But give it time -- the new MS EULA is a direct threat to corporate security. Joe Average may miss this point, but you can be sure that corporate IT security folks will flash on it as soon as they realize that they just agreed to be rooted by MS.

    --
    Proud member of the Weirdo-American community.
  25. There are conflicting versions of the EULA!!! by Robber+Baron · · Score: 4, Interesting

    If you retrieve the patch via windowsupdate (only works with IE), the EULA doesn't say ANYTHING about DRM or crippling your ability to access secure content!

    What the hell? I thought the BSD article was a troll, but to be sure I checked out his links and sure enough, THAT version of the patch contains the paragraph about DRM etc...

    Well now we have two versions of the same EULA with conflicting conditions, both of which are posted in VERY public places! Now I'm no expert on contract law, but with two publicly posted conflicting versions, as far as I'm concerned, we can safely ignore both! Way to go Bill!

    --

    You're using her as bait, Master!

  26. What If This EULA Applied to Hardware? by reallocate · · Score: 2, Interesting
    My first reaction: My hardware belongs to me, and I don't want anyone putting code on my hard drive except me.

    My second reaction: Oh, well. I don't run Windows, so no problem.

    My third reaction: What if this kind of EULA migrates to hardware? What if the next box, or drive, you buy is only "licensed" to you, and the act of purchasing that license gives MS, or the government, the right to add or delete code from your machine as they see fit?

    --
    -- Slashdot: When Public Access TV Says "No"
  27. Post-install non-compliance made impossible? by Anonymous Coward · · Score: 1, Interesting

    I was just thinking.. Don't EULAs usually state that if you at any point decide that you can not comply with the EULA, you must uninstall the program or part of program (in this case the patch) the EULA came with?

    Because the Windows Update website states quite clearly that the update can not be uninstalled. So.. how exactly can I make use of the rights I have concerning the EULA, when this has been made impossible?

  28. Re:automatic EULA remover by Anonymous Coward · · Score: 1, Interesting

    > Most software purchases are in fact licenses,
    > with terms of use and the option for the company
    > to revoke your license.
    >
    Of course the simple solution here is for customers to provide their *own* licenses upon purchase of the software in question. By "accepting your money" (as in "opening the package") *they* agree to various terms of your choosing, which you have kindly outlined in your Personal Interest Safety and Security Outline For Fiduciary Management of Software ("PISSOFFMS"). A clause for monthly storage fees to you for what they insist is "their software" could prove quite amusing.

  29. Aluminium by leonbrooks · · Score: 3, Interesting
    Gold only has value because people agree that it does. If opinion shifts, then value disappears. This is as true for gold or diamonds as it is for dollars or pesos.

    Agree. Aluminium `the eternal metal' was once rare and precious.
    --
    Got time? Spend some of it coding or testing
  30. how can any government or corporation use MS by oogoody · · Score: 2, Interesting

    When it will become or already is one big backdoor for the NSA and CIA and music industry?