Computer researchers uncovered a new security risk Friday related to Sony BMG Music Entertainment copy-protected CDs, which could expose several hundred computers to attack.
This security flaw dealt with different technology than that which has sparked controversy for nearly three weeks, however.
Recent criticism has focused on Sony's release of discs containing copy-protection software created by British company First 4 Internet, which opened listener's computers to hackers' attack. The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases.
Sony said in a statement Friday that SunnComm had removed the uninstall program from the Web, and was in the process of contacting 223 consumers who had downloaded it while it was available.
The security hole in the uninstall program was similar to one discovered with First 4 Internet's uninstall program several days ago.
In each case, Princeton University computer science professor Edward Felten and researcher Alex Halderman found that the uninstall programs responded to commands from their creators' Web sites, but would also respond to malicious instructions from other Web sites.
In its statement, Sony said that SunnComm was developing a new uninstall program for its copy-protection software, and that Felten had agreed to review it before it was posted online.
The SunnComm security risk discovered by Felten and Halderman is limited to the uninstall program, which was distributed separately from the CDs themselves.
What's all the fuss, this technology was known a year ago???
Am I the only one mystified by all of the fuss about this Sony CD rootkit stuff. This "technology" from First 4 Internet (F4i) and SunnComm has been well documented in the trade mags and Internet sites starting over a year ago. What is disappointing is the fact that even the supposed technical mags missed asking F4i how their "technology" really worked. No wonder F4i and Sony thought the "technology" was wonderful, even the computer mags seemed to like it. Foolish. F4i's technology was obviously going to install software on systems when the user put the CD into a computer, nothing mysterious about that. For proof of the reporting by the media about this great technology, look at: <a class="jive-link-external" href="http://news.zdnet.com/2100-9588_22-5492395.html," target="_newWindow">http://news.zdnet.com/2100-9588_22-5492395.html,</a> <a class="jive-link-external" href="http://news.zdnet.com/2100-3513_22-5238208.html," target="_newWindow">http://news.zdnet.com/2100-3513_22-5238208.html,</a> and even Slashdot, <a class="jive-link-external" href="http://slashdot.org/article.pl?sid=04/12/18/189224&from=rss" target="_newWindow">http://slashdot.org/article.pl?sid=04/12/18/189224&from=rss</a>. At least the Slashdot users saw some of the potential issues. For even more articles, just look at the Press section at the First 4 Internet site: <a class="jive-link-external" href="http://www.xcp-aurora.com/press_related.aspx" target="_newWindow">http://www.xcp-aurora.com/press_related.aspx</a>.
The articles you point to mention nothing of exploitable rootkit technology being installed. Yes, everyone has known of copy protection for the past year but I didn't see even the slashdotters mention rootkits.
POCs are already in the wild. That's the difference.
this is what they get for going crazy over the whole copying music thing, now sony and the artist will loose money because no one will buy the cds anymore, i think people are fed up with sonys actions
...that the whole fiasco was aimed at punishing and restricting fair use for thoese people that had actually bought and paid for the CD's; not the copyright pirates.
What confuses me is that Sony's malicious efforts appear to have been directed at law abiding consumers that has paid for their CDs.
What a backlash in the making, I know I won't be buying any Sony products. What's next? Maybe the Memorysticks have a rootkit on them too? I mean do you trust those sticks now?
My first wakeup call with Sony was the day my friends all turned out with Playstation 2s. There was this fancy little logo on their memory cards called "Magic Gate". After a bit of research, it became clear to me that Sony was trying to do something I didn't approve of. After purchasing a MiniDisc player ages ago - surprise - there was Magic Gate, offering to "protect" ME.
From what? I don't own or condone the use of Mini Disc players anymore. The questionable and slow software that Sony forces on people cripples any appeal they once had.
Now, a year or two down the road, after going anti-sony, I'm not surprised about any of this. This is just the classic behaviour I've come to expect from them.
Get smart and stop purchasing Sony products. There are much better alternatives out there for so many good reasons.
"programs responded to commands from their creators' Web sites, but would also respond to malicious instructions from other Web sites."
So this is pretty much the topic? It's been my understanding that this kind of thing has been around for a long time. You forgot to mention that the commands sent by the website are preprogramed and so the security risk only exist if those commands did something potentially harmful to the computer or it's user. Otherwise it could be as basic as the "mailto:" link protocol in a browser, which generally opens the computer's default mail program with a new message addressed to the email address after the "mailto:" potocol.
It depends on what commands it makes available and it those commands were innoucous then it wouldn't be a vulnerability but if those commands allow the removal of files, editing the registry and/or the introduction of new files then there's no limit to what can be done with the software. In fact if the software contains a single buffer overflow that can be exploited to introduce your own code then it's a definite problem.
The light of day has a definite antibiotic effect. Once the smoke clears we may all be better off because of Sony's greed and stupidity. In the mean time I sure am glad I haven't put any new Sony CD's on my machine (3 cheers for blind dumb luck).
Their audio products lack user-friendliness because of the DRM software they use. All their electronics have proprietary parts, and they hate technical users of their products... Their customer service and driver support is good for nothing because new products are always cheaper than repairs and drivers do not work.
On top of that, they are hiding their horrible financial standing.
Time has come to sink SONY, in a sea of class action law suits for consumer restitution for this malware/trojan(current and future incantations of this virus transmitted software)/including illegal use of open source software/recording artists if forced to pay restitution from all royalty payments for the replacement consumer cd's on issue/restitution to all users forced to disinfect and remove rootkit from all computers, with hardrive wipe, clean and reinstall of uninfected OS!/legal action from FTC for false advertising and deliberate breach of business and ethics regulations(all) and from the redoubtable NEW YORK AG Eliot Spitzer for 568,000 cases of illegal felony trespass of personal and federal property! Finally , a total consumer boycott of all that is SONY! Me, I will never trust SONY to do the right thing ever, for once bitten twice shy!
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
Game on: European Union grants unconditional approval for $12.5 billion deal, but says it will keep an eye on Google. The company says it aims to "supercharge" Android with the acquisition.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
The Washington State Senate passed a bill that would charge electric car owners $100 per year to compensate for not paying gas taxes. The bill still has to pass the House.
POCs are already in the wild. That's the difference.
How do I remove it?
What confuses me is that Sony's malicious efforts appear to have been directed at law abiding consumers that has paid for their CDs.
Why would they do that?
AND a new PR firm!
They've botched this whole thing about as
badly as possible....
<a class="jive-link-external" href="http://work-out.blogspot.com/" target="_newWindow">http://work-out.blogspot.com/</a>
Sony's gotta go!
If it's Sony, then I'm sorry, but I won't buy it.
After purchasing a MiniDisc player ages ago - surprise - there was Magic Gate, offering to "protect" ME.
From what? I don't own or condone the use of Mini Disc players anymore. The questionable and slow software that Sony forces on people cripples any appeal they once had.
Now, a year or two down the road, after going anti-sony, I'm not surprised about any of this. This is just the classic behaviour I've come to expect from them.
Get smart and stop purchasing Sony products. There are much better alternatives out there for so many good reasons.
sites, but would also respond to malicious instructions from
other Web sites."
So this is pretty much the topic? It's been my understanding that
this kind of thing has been around for a long time. You forgot to
mention that the commands sent by the website are
preprogramed and so the security risk only exist if those
commands did something potentially harmful to the computer
or it's user. Otherwise it could be as basic as the "mailto:" link
protocol in a browser, which generally opens the computer's
default mail program with a new message addressed to the
email address after the "mailto:" potocol.
Their audio products lack user-friendliness because of the DRM software they use. All their electronics have proprietary parts, and they hate technical users of their products... Their customer service and driver support is good for nothing because new products are always cheaper than repairs and drivers do not work.
On top of that, they are hiding their horrible financial standing.
I give them 2 years to burn through their cash..