Security and Windows Media Player 11
Last updated: June 2007
This security statement applies to Windows Media Player 11 for Windows XP, Windows Media Player 11 for Windows Vista, and Windows Media Player 11 for Windows Server 2008.
At Microsoft, we are continually striving to foster a safe and reliable computing experience. As part of this effort, we develop and release updates and fixes for recognized issues. Periodically, we combine many of these fixes into a single package and make the package available for you to install on your computer. These packages are called service packs.
For example, Windows XP Service Pack 2 (SP2) contains the latest collection of updates for Windows XP Home Edition and Windows XP Professional. These updates help improve the reliability and compatibility of the operating system. Windows XP SP2 also includes several security technologies that help protect your computer against malicious attacks from viruses and worms. These technologies are not intended to replace periodic security updates as they are released, but rather to help strengthen the ability of Windows XP to defend against malicious attacks. Together, they will make it more difficult to attack Windows XP, even if the latest updates are not applied. To download Windows XP SP2, see the Windows Update website.
If you are running Windows XP and are not yet ready to upgrade to Windows Vista, installing Windows XP SP2 is your first line of defense for improving the security of your computer. But when you visit a website, play digital media content from the Internet, or store content or information on your computer, it is important to know whether your privacy is maintained and whether your computer is protected from attacks to the greatest extent possible. Although the Internet provides new and exciting opportunities, it can also introduce risks to the security of your computer and any personal information stored on it.
To help maintain the security of your computer and the privacy of your personal information, it is important to follow these basic guidelines:
This page provides information about security features in Windows Media Player 11 and best practices for helping to maintain the security of your computer and the privacy of your personal information.
Adjusting security settings in the Player
Windows Media Player 11 offers enhanced security features on the Security tab of the Options dialog box:
Run script commands when present. This option specifies whether to allow URL and FILENAME script commands to run when you play digital media content that contains them. (If the Player encounters a URL script command during playback, your default web browser displays the webpage corresponding to the URL specified in the script command. If the Player reaches a FILENAME script command, the digital media file specified by the script command is opened.) Script commands can contain instructions that enhance the playback experience. For example, a script command may open your Internet browser and display a related webpage while the Player plays back content. However, digital media content may contain malicious script commands that attempt to perform unwanted actions on your computer. Webpages may also contain malicious script commands that run on your computer without your knowledge. By default, script commands will not run. You can select this check box if you want to enable the script commands in the Player.
Run script commands and rich media streams when the Player is in a Web page. This option specifies whether to allow URL and FILENAME script commands to run when you play digital media content that is embedded in a webpage. This option is selected by default. You can clear this check box if you want to prevent any script commands and rich-media streams from running in a webpage. Note that when you clear this check box it may prevent rich-media streams from running. Rich-media streams can contain HTML, a PowerPoint slide show, or digital media content.
Play enhanced content that uses Web pages without prompting. This option specifies whether to notify you when you are about to play digital media content that has been enhanced with webpages. These webpages will display information related to the content you are playing. But because some content can contain malicious webpages, Windows Media Player will prompt you to verify that you want to proceed when enhanced digital media content is detected. The prompt is enabled by default. To turn off the prompt, select this check box.
Note: Your installed online store might also enhance your playback experience with webpages, and you might not be prompted for this content. Consult your online store for more information.
Show local captions when present. Windows Media Player supports Synchronized Accessible Media Interchange (SAMI) captioning of media content. SAMI content can be located on the Internet, your hard disk, or your CD or DVD. During playback, Windows Media Player accesses the content to locate and display SAMI captions. Enabling this option allows access to SAMI content in all of the content zones available to your computer. Clearing this option will limit access to the Internet zone. This option is turned off by default.
Zone Settings. This command opens the Internet Options Security dialog box, which lists zone settings that control which types of content can be displayed in the Player. The Player uses the Internet zone settings for much of the HTML content that is displayed in the Player. You can change the Internet Explorer zone settings to control how content is displayed in webpages in the Player and to change the level of access that websites have to your computer. Note that changing settings may affect the operation of Player features or prevent information from being displayed. Changes to the zone settings will also affect Internet Explorer, Outlook, Outlook Express, and any other programs that rely on the Internet Options security zones. For more information about zones and zone settings, see Internet Explorer Help.
Using secure Internet sites for transactions
Windows Media Player can display webpages to improve your playback experience. Some of these webpages are set up to prevent unauthorized people from seeing the information that is sent to or from those sites. These are called "secure" sites. Windows Media Player supports the security protocols used by secure sites, and upholds the security settings you established in Internet Explorer. (A protocol is a set of rules and standards that enables computers to exchange information.)
When you visit a secure website, it automatically sends you its certificate, and the Player displays a lock icon on the status bar. When you click the lock icon, the certificate of the website is displayed. (A certificate is a statement verifying the identity of a person or the security of a website.)
If you are about to send information (such as your credit card number) to a website, you should determine whether the connection is secure by checking for the lock icon in the status bar. If the security credentials of the site are suspect, the Player will not display the lock icon.
Windows Media servers and certain web servers use different technologies to verify or authenticate your identity before you can access digital media content. These technologies, which are also known as authentication packages, include the Basic, NTLM, Digest, Kerberos, and Negotiate protocols.
When connecting to a server, you might be prompted for user name and password. If the authentication protocol being used is not secure enough to protect these credentials, you will receive a warning. Consider carefully whether to submit your credentials at this time. You can choose not to submit your credentials by clicking Cancel.
File format validation
A variety of content is available on the web today. While much of this content is reliable and offered by trusted sources, not all content is safe. Some content has been tainted to perform malicious actions on your computer or to obtain personal information such as passwords or credit card numbers. In some cases, files are renamed with different file name extensions in an attempt to trick you into downloading unwanted content. When Windows Media Player attempts to play a music or video file that has been downloaded from the Internet, it verifies that the file name extension matches the format of the file. If a discrepancy is found, the Player asks you to confirm that the file should be played. Note that if the extension does not match the file format, unexpected playback behavior could occur.
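The extension-versus-content comparison described above can be approximated with a short script when triaging downloaded media. This is an added example, not Microsoft's code and not the Player's actual validation logic; the extension table, function names and sample byte strings are assumptions constructed for illustration.

```python
import os

# First 16 bytes of every ASF container (.wma/.wmv/.asf): the ASF Header Object GUID.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Assumed, illustrative subset: extension -> container format it should hold.
EXPECTED = {
    ".wma": "asf", ".wmv": "asf", ".asf": "asf",
    ".wav": "wave", ".avi": "avi", ".mp3": "mp3",
}

def sniff_format(head: bytes) -> str:
    """Classify a file from its leading bytes; 'unknown' if nothing matches."""
    if head.startswith(ASF_HEADER_GUID):
        return "asf"
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "wave"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi"
    # ID3 tag, or an MPEG audio frame sync (heuristic: 11 set bits).
    if head[:3] == b"ID3" or (len(head) > 1 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0):
        return "mp3"
    if head[:2] == b"MZ":               # Windows executable header
        return "pe-executable"
    if head.lstrip()[:1] == b"<":       # HTML/XML-style text, not a media container
        return "markup"
    return "unknown"

def check_file(name: str, head: bytes) -> dict:
    """Compare the format implied by the extension with the sniffed format."""
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED.get(ext)
    actual = sniff_format(head)
    if expected is None:
        verdict = "unlisted-extension"
    elif actual == expected:
        verdict = "match"
    else:
        verdict = "mismatch"            # the case where the Player asks for confirmation
    return {"name": name, "expected": expected, "actual": actual, "verdict": verdict}

# Constructed sample headers (not real media files).
SAMPLES = [
    ("song.wma", ASF_HEADER_GUID + b"\x00" * 14),
    ("clip.avi", b"RIFF\x24\x00\x00\x00AVI LIST"),
    ("track.mp3", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("video.wmv", b"<html><script>"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(check_file(name, head))
```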
Using a user account with limited privileges
If your computer is running a version of the Windows XP, Windows Vista, or Windows Server 2008 operating system that enables you to use different types of user accounts, such as administrator or standard accounts, your computer may be better protected if you log on using an account with limited privileges. Since users with administrator accounts can make system-wide changes to the computer, including installing and removing programs, adding and deleting operating system files, and accessing other users' passwords and library databases, malicious programs or viruses can use this type of user account to access personal information. Users with non-administrator accounts cannot allow programs and applications to be installed and run automatically, which could protect your computer from viruses. For more information about user accounts, see Windows Help and Support.
Working offline with the Player
Working offline (disconnecting from the Internet) is the most secure mode in which to use the Player. Keep in mind, however, that many Player features are unavailable when you work offline. For example, if you attempt to access an online store when working offline, the Player displays a page informing you that the computer must be connected to the Internet in order to use this feature. Other features that require an Internet connection include:
Retrieving and displaying media information, including album art
Finding, viewing, and updating album information
Finding and viewing DVD information
Acquiring and restoring media usage rights
Downloading codecs, visualizations, portable device drivers, plug-ins, and skins
Checking for updates to the Player, and performing security upgrades
Setting the secure clock on portable devices based on Windows Media DRM 10 for Portable Devices
Browsing Windows Media Player Web Help
For more information about working offline and the Player features that require an Internet connection, see Windows Media Player Help.
Updating your computer
Microsoft is committed to delivering timely updates to help maintain the security of your computer. When security and privacy issues are discovered, Microsoft will make information and software patches available as quickly as possible. For the latest information and patches for your computer, see the Trustworthy Computing Security webpage.
In addition, ensure that you understand the security features of Internet Explorer and install the latest security and privacy updates. To do so, see Security and privacy features in Internet Explorer.
You can visit the Windows Update website to install the latest service packs, device drivers, application compatibility updates, and security updates for your computer. Windows Update provides you with a tailored selection of updates that apply only to the software and hardware installed on your computer. Any update that Microsoft considers critical to the operation of your operating system, programs, or hardware is classified as a critical update and is automatically selected for you to install. Critical updates are provided to help resolve known issues and protect your computer from known security vulnerabilities. For more information about using Windows Update, see Windows Help and Support.
Reporting security vulnerabilities
The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we'd like to work with you to investigate it. To report a security vulnerability, please contact the Microsoft Security Response Center. For more information about security vulnerabilities, see the Definition of a Security Vulnerability webpage.