December 6, 2005 4:58 PM PST

New Sony CD security risk found

Sony BMG Music Entertainment and the Electronic Frontier Foundation digital rights group jointly announced Tuesday that they had found, and fixed, a new computer security risk associated with some of the record label's CDs.

The danger is associated with copy-protection software included on some Sony discs created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer's CD drive.

Sony's rootkit fiasco

The issue affects a different set of CDs than the ones involved in the copy-protection gaffe that led Sony to recall 4.7 million CDs last month, and which has triggered several lawsuits against the record label.

"We're pleased that Sony BMG responded quickly and responsibly when we drew their attention to this security problem," EFF staff attorney Kurt Opsahl said in a statement. "Consumers should take immediate steps to protect their computers."

The announcement is the latest result of the detailed scrutiny applied by the technical community to Sony's copy-protected discs, after a string of serious security issues were found to be associated with the label's antipiracy efforts.

The record label's copy-protected discs have been on the market for more than eight months. But in late October, blogger Mark Russinovich discovered that they surreptitiously installed a "rootkit" programming tool. Rootkit tools are typically used by hackers to hide viruses on hard drives, so Sony's move opened up a potentially serious security hole.

The controversy escalated as other researchers discovered new security flaws associated with the copy-protected CDs, which used technology from British company First 4 Internet. Virus writers began distributing malicious code that took advantage of the holes. The label recalled all the discs with the First 4 Internet technology installed, offering an exchange program for consumers who had purchased any of the 52 CDs affected.

Following those revelations, the EFF asked computer security company iSec Partners to study the SunnComm copy protection technology, which Sony said has been distributed with 27 of its CDs in the United States. iSec found the hole announced Tuesday and notified Sony, but news of the risk was not released until SunnComm had created a patch.

Sony said another security company, NGS Software, has tested the patch and certified that it addresses the vulnerability.

The patch can be downloaded from Sony's site. A list of the CDs affected in the United States, and a slightly different list in Canada, is also posted on the site.

Sony said it will notify customers though a banner advertisement directly in the SunnComm software, as well as through an Internet advertising campaign.

20 comments

Join the conversation!
Add your comment
Sorry Sony...I'm done with your CD's.
This is the straw that broke the camel's back. I'm buying all my
future music from Apple's iTunes. At least I know what their DRM
is and can live with it. You and your sneaky attack on our
computers have crossed the line. I hope this costs you enough that
you get the message that we will not put up with these games. I
buy music not root kits and security holes.
Posted by nouser (191 comments )
Reply Link Flag
Can't take the chance with Sony CD's
I'll have to agree that Sony has lost my trust. Now when I send staff down to the local music store to get music for the radio station, I tell them specifically to give anything with a Sony label, the miss... Plenty of other record producers out there who don't feel the need to hack radio station networks.

Alex Colquitt
Director - 2USA
American Radio in Australia
Posted by (4 comments )
Link Flag
I'm through with Sony hardware also.
I been a fan of Sony products ever since I worked with Sony
video cameras and recorders in 1973. Not anymore. My
mistrust of Sony products extends beyond CD's, to ALL Sony
products. I don't have time to dismantle and analyse their
electronic circuitry for hidden "gotcha's," so I just shop for other
brands.
Posted by Griff in Fairbanks (8 comments )
Link Flag
Sony CDs
I agree, I think a boycott on CDs is the best response to this type of behavior from such a reputable company. Sorry Sony...
Posted by bmb5220 (5 comments )
Reply Link Flag
ads too?
Oh, so now you get ads with your CD's and now they are the means for disseminating vital security information?
**** poor job Sony. You have no upgrade/patch contingency? I bet it makes sense now... (or does it?)

Glad I only buy music online.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Just my 2 Cents.
You know technically if you think about it all of these companies are breaking the EULA. In the EULA for software and Audio it says you can make one legal archive for your purposes only. Well with all the time and money that is spent on protecting Data in one form or fashion they are prohibbiting us from making our leagal archive of what we have purchased. What I want to know is why no one has complained about this. Should the companies trying to stop thieves also provide the tools for people that have purchased the prouct the tools to make their 1 legal Archive? Being a Musician and and IT person I am really torn on all sides here. I believe the purpose of being an entertainer is to get you music/message out to as many people as possibe. When CD's originally came out they were only $9.99 which was a very fair price to pay. However Greed from the Record companies has driven up the price. Lord knows it is certainly not the talent with some of the crap they try to pedal us. When you think about the cost factor from when CD was introduced until now the cost has actually gone down on to produce a CD. When a local garage band can produce 100 CD's for $500, make you think that a Rcord Company producing millions has to be paying a fraction of a dollar to produce a CD. Then Software people do not set a good price point for the consumer. Sure we understand that many hours of labor goes into makeing a product but really does it cost $300 to $600 for what some people are asking? When connecting to a server why should we pay for a connection license. Did we not all just buy the OS? In the words of Joe Pesci from the Lethal Weapons series the F**K you in the drive through. Well that is how I am starting to feel from both the record companies and the software companies. Final thought Make it at an afordable price point and people will not find the need as much to steel your stuff. Quite being greedy and be more consumer conscious. And if I purchase something give me the rights to protect my investment by being allowed to make my backup copies.
Posted by TSVAMP (3 comments )
Link Flag
sony crossed the line this time
sony, when i buy a product, i will do what i want with it, when i want with it, weather you like it or not, sony thinks they can control the product, once you own it, this is a mistake!
Posted by digitallysick (103 comments )
Reply Link Flag
What price a customer?
Obviously by unleashing this stealth trojanware, full of security holes, on all of Microsoft Windows, customers worldwide for the price of a legitimate cd. I can only conclude SONY BMG, does not wish for return custom! Oh well, let them sink into a sea of redink for restitution of this malware, and take down the already financially troubled HQ as well, from the problem these buccaneers Messr's Lack & Hesse, have created, they would be of no real loss to the world! Mind you, for non US residents, you should see the merry-go-round , of we don't care/not our responsibility/border limits apply/unit responsibility, not our problem!, this has created
Posted by heystoopid (691 comments )
Reply Link Flag
Boycott Sony/Blu-ray
Boycott Sony and Boycott its bastard child Blu-ray.
Posted by anarchyreigns (299 comments )
Reply Link Flag
What Did You Expect From Sony BMG Payola?
Sony BMG -- the company that gave us a new payola scandal. Their music is so crappy they have to "comp" DJs with trips to Vegas and plasma screen TVs to get airplay.

<a class="jive-link-external" href="http://www.oag.state.ny.us/press/2005/jul/jul25a_05.html" target="_newWindow">http://www.oag.state.ny.us/press/2005/jul/jul25a_05.html</a>
"SONY SETTLES PAYOLA INVESTIGATION
Company Acknowledges Problems; Agrees to Sweeping Reforms

Attorney General Eliot Spitzer today announced an agreement to halt pervasive "pay-for-play" in the music industry.

Under the agreement, SONY BMG MUSIC ENTERTAINMENT, one of the world's leading record companies and owner of a number of major record labels, has agreed to stop making payments and providing expensive gifts to radio stations and their employees in return for "airplay" for the company's songs.

Such payoffs violate state and federal law.

"Our investigation shows that, contrary to listener expectations that songs are selected for airplay based on artistic merit and popularity, air time is often determined by undisclosed payoffs to radio stations and their employees," Spitzer said. "This agreement is a model for breaking the pervasive influence of bribes in the industry."

After receiving tips from industry insiders, Spitzer's office conducted a year-long investigation and determined that SONY BMG and its record labels had offered a series of inducements to radio stations and their employees to obtain airplay for the recordings by the company's artists."
Posted by Stating (869 comments )
Reply Link Flag
Let em sit on their disks..and spin
I'd never ever buy a sony or bmg product ever again !!!! Lost my money
Posted by nnjdonny (8 comments )
Reply Link Flag
Will PS3/Blueray contain Rootkit in any way or form?
I'm worried that the Blueray spec will require labels and studios to install some sort of rootkit on Blueray disc.
Posted by bobby_brady (765 comments )
Reply Link Flag
Another Rootkit?
after all the bad press and the falling cd sales over this last rootkit, you think that could really happen? i'm certain that sony will keep pushing drm, but i doubt it will be anything remotely connected with rootkits.

mark d.
Posted by markdoiron (1138 comments )
Link Flag
Message has been deleted.
Posted by letmein (3 comments )
Reply Link Flag
Too late, I'm done buying any Song or BMG products
Too late for Sony, I'm done buying any Sony or BMG products. How can I dare to trust anything from them not to screw up my equipment?
Posted by John.Q.Public (6 comments )
Reply Link Flag
ME TOO!!!
Yes, sony's gonna regreat it later, when cd's stay week after week in those store shelves, because nobody will want their computer compromised by a stupid program just because sony can't seem to get their act together when protecting their products, don't get me wrong, I know they have to protect their business but this is just plain stupid, now people will fear buying cds from them, Nice going Sony !!!!!!!!!
Posted by hector a (16 comments )
Link Flag
The really bad part is...
the thousands of people with dial up or no internet access have to recourse to remove the Sony spyware. I called them and they told me to go to a friends house that has high speed and burn the patch or removal software to a disk. They told me they do NOT plan to help users without high speed.
Posted by nyabdns (16 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.