New Sony CD risk identified

Computer researchers uncovered a new security risk Friday related to Sony BMG Music Entertainment copy-protected CDs, which could expose several hundred computers to attack.

This security flaw dealt with different technology than that which has sparked controversy for nearly three weeks, however.

Recent criticism has focused on Sony's release of discs containing copy-protection software created by British company First 4 Internet, which opened listener's computers to hackers' attack. The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases.

"This nightmare makes it rather clear that Sony doesn't really care about customers, not only in the way they want to spy on you (and open the door to your pc for any hacker) but rather in the way the handled the whole situation."
--Ki Ji

Sony said in a statement Friday that SunnComm had removed the uninstall program from the Web, and was in the process of contacting 223 consumers who had downloaded it while it was available.

The security hole in the uninstall program was similar to one discovered with First 4 Internet's uninstall program several days ago.

In each case, Princeton University computer science professor Edward Felten and researcher Alex Halderman found that the uninstall programs responded to commands from their creators' Web sites, but would also respond to malicious instructions from other Web sites.

In its statement, Sony said that SunnComm was developing a new uninstall program for its copy-protection software, and that Felten had agreed to review it before it was posted online.

The SunnComm security risk discovered by Felten and Halderman is limited to the uninstall program, which was distributed separately from the CDs themselves.

[pariank]

ohh... WOW!

When will this fiasco end?

[RockyFromWA]

What's all the fuss, this technology was known a year ago???

Am I the only one mystified by all of the fuss about this Sony CD rootkit stuff. This "technology" from First 4 Internet (F4i) and SunnComm has been well documented in the trade mags and Internet sites starting over a year ago. What is disappointing is the fact that even the supposed technical mags missed asking F4i how their "technology" really worked. No wonder F4i and Sony thought the "technology" was wonderful, even the computer mags seemed to like it. Foolish. F4i's technology was obviously going to install software on systems when the user put the CD into a computer, nothing mysterious about that. For proof of the reporting by the media about this great technology, look at: http://news.zdnet.com/2100-9588_22-5492395.html, http://news.zdnet.com/2100-3513_22-5238208.html, and even Slashdot, http://slashdot.org/article.pl?sid=04/12/18/189224&from=rss. At least the Slashdot users saw some of the potential issues. For even more articles, just look at the Press section at the First 4 Internet site: http://www.xcp-aurora.com/press_related.aspx.

[ScullyB]

Where's the information?

The articles you point to mention nothing of exploitable rootkit technology being installed. Yes, everyone has known of copy protection for the past year but I didn't see even the slashdotters mention rootkits.

POCs are already in the wild. That's the difference.

[wazzledoozle]

I think I used it

As soon as the story was posted about the uninstaller being available, I ran it.

How do I remove it?

[digitallysick]

boycott sony!!!

this is what they get for going crazy over the whole copying music thing, now sony and the artist will loose money because no one will buy the cds anymore, i think people are fed up with sonys actions

[Flytrap]

...and would you believe...

...that the whole fiasco was aimed at punishing and restricting fair use for thoese people that had actually bought and paid for the CD's; not the copyright pirates.

What confuses me is that Sony's malicious efforts appear to have been directed at law abiding consumers that has paid for their CDs.

Why would they do that?

[Brucenote]

Amazing!

Sony needs a new Technical Director
AND a new PR firm!

They've botched this whole thing about as
badly as possible....

[SqlserverCode]

Think Apple, Sink Sony

What a backlash in the making, I know I won't be buying any Sony products. What's next? Maybe the Memorysticks have a rootkit on them too? I mean do you trust those sticks now?

http://work-out.blogspot.com/

[Stan Johnson]

MUST BOYCOTT SONY

Consumers must stop this greed ridden company from doing any further damage.

Sony's gotta go!

[My-Self]

Fuuly agree.

That's the only boycott I fully follow.

If it's Sony, then I'm sorry, but I won't buy it.

Classic Sony

My first wakeup call with Sony was the day my friends all turned out with Playstation 2s. There was this fancy little logo on their memory cards called "Magic Gate". After a bit of research, it became clear to me that Sony was trying to do something I didn't approve of.
After purchasing a MiniDisc player ages ago - surprise - there was Magic Gate, offering to "protect" ME.

From what? I don't own or condone the use of Mini Disc players anymore. The questionable and slow software that Sony forces on people cripples any appeal they once had.

Now, a year or two down the road, after going anti-sony, I'm not surprised about any of this. This is just the classic behaviour I've come to expect from them.

Get smart and stop purchasing Sony products. There are much better alternatives out there for so many good reasons.

[XedOut CreationZ]

Valuable information right here - note: sarcasm

"programs responded to commands from their creators' Web
sites, but would also respond to malicious instructions from
other Web sites."

So this is pretty much the topic? It's been my understanding that
this kind of thing has been around for a long time. You forgot to
mention that the commands sent by the website are
preprogramed and so the security risk only exist if those
commands did something potentially harmful to the computer
or it's user. Otherwise it could be as basic as the "mailto:" link
protocol in a browser, which generally opens the computer's
default mail program with a new message addressed to the
email address after the "mailto:" potocol.

[aabcdefghij987654321]

Not so valuable

It depends on what commands it makes available and it those commands were innoucous then it wouldn't be a vulnerability but if those commands allow the removal of files, editing the registry and/or the introduction of new files then there's no limit to what can be done with the software. In fact if the software contains a single buffer overflow that can be exploited to introduce your own code then it's a definite problem.

[Mister C]

This is a good thing!

The light of day has a definite antibiotic effect. Once the smoke clears we may all be better off because of Sony's greed and stupidity. In the mean time I sure am glad I haven't put any new Sony CD's on my machine (3 cheers for blind dumb luck).

[imperialgatekeeper]

Sony is over...

I have to admit, their camera products are good.

Their audio products lack user-friendliness because of the DRM software they use. All their electronics have proprietary parts, and they hate technical users of their products... Their customer service and driver support is good for nothing because new products are always cheaper than repairs and drivers do not work.

On top of that, they are hiding their horrible financial standing.

I give them 2 years to burn through their cash..

[heystoopid]

Sink SONY!

Time has come to sink SONY, in a sea of class action law suits for consumer restitution for this malware/trojan(current and future incantations of this virus transmitted software)/including illegal use of open source software/recording artists if forced to pay restitution from all royalty payments for the replacement consumer cd's on issue/restitution to all users forced to disinfect and remove rootkit from all computers, with hardrive wipe, clean and reinstall of uninfected OS!/legal action from FTC for false advertising and deliberate breach of business and ethics regulations(all) and from the redoubtable NEW YORK AG Eliot Spitzer for 568,000 cases of illegal felony trespass of personal and federal property! Finally , a total consumer boycott of all that is SONY! Me, I will never trust SONY to do the right thing ever, for once bitten twice shy!