Sony fixes security hole in CDs, again

Sony BMG is replacing a patch for its CD copy protection software after Princeton University researchers found a security flaw in the update.

Sony announced on Tuesday that a new risk had been found with a batch of 27 of its compact discs, which automatically install antipiracy software on hard drives when put into a computer's disc drive. Along with the Electronic Frontier Foundation, a digital rights group, the record label released a patch aimed at fixing that flaw.

However, Princeton computer science professor Ed Felten wrote in his blog on Wednesday that the patch itself could open computers to attack by hackers.

Sony executives said Thursday that they are working as closely as possible with security professionals to address the issues identified by Felten, and would have a new patch available by midday that day.

"The security space is a dynamic one, as we have learned," said Thomas Hesse, president of Sony's global digital businesses. "Our goal is to be diligent and swift, and we have gone to experts to handle this issue."

Sony's ongoing troubles with copy protection software highlight the delicate line that record labels and other content companies are walking in trying to protect their products from widespread duplication.

On the one hand, labels have watched their revenues decrease over the past several years, as more people swap songs online and burn CDs for friends and acquaintances.

However, the labels' technological attempts to create a copy-protected CD that retains compatibility with millions of old CD players have opened them up to the unfamiliar hazards of software development. Several of Sony's attempts to patch security holes in its antipiracy software over the past weeks have turned out to raise their own new problems, instead of quelling concerns.

The current security flaw in Sony's discs is related to software produced by SunnComm Technologies and affects 27 titles that remain on the market.

It's separate from an earlier vulnerability that affected 52 other titles and that related to antipiracy software written by another company, First 4 Internet. Those titles have been recalled from store shelves.

The flaw found by Felten could allow Sony's original patch to trigger malicious software on a computer, if that software was already in place when the patch was installed.

[bobby_brady]

Record labels shouldn't be guaranteed a profit

Like any other business there is a cycle. Why should the music industry be guaranteed a profit every year? If there is a down turn in revenue they put the blame on piracy! What a joke!

[heystoopid]

Oh well,

With all these problems, Perhaps Sony should pay Mark Russinovich, to supply a full solution, for what a better to ask in regard to this problem?

[SeizeCTRL]

Linux Anyone?

How easy would it be to load a Sony CD in a linux box, rip the disc to MP3 and copy it over to a Windows system? Totally kill off the rootkits and autoinstallers and all the other anti-copy crap Sony tries to cook up.

Remember the one a year or two ago where you could take a Sharpie and draw a black line around the edge of the CD and bypass the copy protection software? :D How much did the lose over that?

They aren't going to stop people copying / downloading music. It would be cheaper for them to stop trying!

[Earl Benser]

How about something....

... that just eliminates the offending software - you know, like
uninstall????

[rfriedel]

Open your eyes...

If they offer or provide a means to remove the software then they would in essence be admitting to a giant mistake and, in their minds, be setting the DRM movement back a couple of steps.

[iameline]

Hey Sony -- it's easy

Sony, having your CDs not have security problems is easy -- don't have them install software on my computer.

Actually, I will never grant Sony (or any other music company) permission to do so, and any time they do, it will be unauthorized and therefore illegal -- criminally so here in Canada.

So by treating their paying customers like criminals, they themselves become criminal. I wonder if they can see the irony.

Boycott Sony

I don't understand why Sony keeps patching all this software? They keep getting deeper into trouble by trying to patch the software.

They act like their customers just don't matter. They don't hear anything anyone says, they just steamroll their way through.

The process used to design the software they put on CDs is flawed. It's high level, technically inept and in the end, doesn't really protect the disc at all.

Again. Linux anyone?

[PrimalTrader]

Where's the fix?

I read this and did not see where/what the fix was, only that they are working on it.

The profits that the industry made were almost obscene a few years back. They have priced themselves out my pocketbook. Maybe they could sell more at lower prices? Instead I listen to my music online and hear what I want for free. No need to pirate it either.

Now with these debacles unfolding, I'm convinced even further to stay away from them. Far far away. I hope SONY hears this loud and clear along with the rest of the industry.

[bobby_brady]

Where does DMCA fit in with Rootkit DRM?

If a software company "uninstalls" Sony's Rootkit DRM software, aren't they breaking the DMCA?

[sanenazok]

Probably Not

Since you can't play CD's without the software, you shouldn't be able to copy them. DMCA does not protect software for itself, the "uninstallation" must allow you to have unfettered access. Here, all you get is a CD that can't be played on a computer (theoretically).

[swift2--2008]

Well, that's not possible

The only solution? Drop all ideas of DRM on CDs. It's not something that was designed to hold DRM. If they want to introduce a new format, dreaming that we'll all follow along with new players, etc., they can dream on. All physical media are dead.

[llaitner]

Sony punishes people that actually buy CDs

Sony is so stupid. They punish the people that buy their CDs. They put malware on their computers. They make their music NOT work on ipods. Then they release a "fix" that makes it worse.

I will be illegally downloading anything that Sony sells from now on. It is much safer. It is cheaper. And it is easier.

I have had enough of Sony. I don't need their malware.

[SqlserverCode]

At least Intel is doing something

At least Intel is doing something about it

http://otherthingsnow.blogspot.com/2005/12/intel-to-develop-hardware-rootkit.html

[skeptik]

Strike 2!

"The security space is a dynamic one, as we have learned," said Thomas Hesse, president of Sony's global digital businesses. "Our goal is to be diligent and swift, and we have gone to experts to handle this issue."

The count is 0 and 2 on Sony. So what happens after the 3rd stike? The top executives all get 7 figure bonuses for trying so hard?
Mr Hesse is clearly a moron if he's just realizing security is a constantly changing arena. But I would appreciate it if he would continue his education on his own PC rather than jeapordizing millions of paying consumers as he figures out what everyone else already knows. It's not like they're preventing any piracy, just enraging their client base and making fools of themselves in the process.

[ArizonaBrian]

I Agree

The little high school hackers are bad enough, now I have to worry about major corporations hacking my PC in the name of security. And why wouldn't that be against the law? Intentional or not, Sony has created security holes on all our PCs.

I'm going to do the only thing I can, I'm going to stop buying all Sony products. I'm sure they won't notice but if everyone did that with just CDs then Sony would be ejected from the music business. What major band/artist would sign a contract with Sony if they couldn't sell CDs?

Napster isn't going to put Sony out of Business - Sony is going to put Sony out of Business.

B

[skeptik]

Shame on cnet

"On the one hand, labels have watched their revenues decrease over the past several years, as more people swap songs online and burn CDs for friends and acquaintances."

This clearly implies that revenue decreas is because of piracy and this is far from a statistically supported fact. In fact other stories on cnet itself have indicated there are plenty of other reasons for the decline in revenue (end of people rebuying music owned on other pre-Cd formats, economic depression, increase in other entertainment product options, etc) and some studies indicating that heavy P2P users actually buy MORE CDs than non-users.