November 15, 2005 3:03 PM PST

Sony recalls risky 'rootkit' CDs

Record label Sony BMG Music Entertainment said Tuesday that it will recall millions of CDs that, if played in a consumer's PC disc drive, will expose the computer to serious security risks.

Anyone who has purchased one of the CDs, which include southern rockers Van Zant, Neil Diamond's latest album, and more than 18 others, can exchange the purchase, Sony said. The company added that it would release details of its CD exchange program "shortly."

Sony reported that over the past eight months it shipped more than 4.7 million CDs with the so-called XCP copy protection. More than 2.1 million of those discs have been sold.


"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets," the company said in a statement. "We deeply regret any inconvenience this may cause our customers."

The company made the announcement--its second public apology since the CDs' risks came to light last week--just as security researchers found several other potentially dangerous flaws in the software.

Princeton University computer science professor Ed Felten wrote on his blog Tuesday that he and a fellow researcher had confirmed that Sony's initial Web-based uninstall tool--designed to uninstall the copy-protection software deposited by Sony's CDs--actually exposed a critical vulnerability on computers.

The tool downloaded a program that allowed Web sites to send instructions to the user's computer. That program stayed behind on the user's hard drive after it had been used to uninstall the Sony software, and it could then be triggered by almost any code from any Web site, including malicious instructions, the Princeton researchers said.

"Any Web page can seize control of your computer; then it can do anything it likes," Felten and fellow researcher J. Alex Halderman wrote on their blog. "That's about as serious as a security flaw can get."

Sony later replaced that Web-based uninstall tool with one that downloads a program carrying its own fixed instructions, rather than one that accepts instructions from Web sites. The researchers said the new program appeared to be safe.

For anyone who did use the earlier tool, the researchers' blog has instructions for removing the Sony component.

Separately on Tuesday, security company Internet Security Systems released its own new advisory on Sony's software. It warned that flaws in the copy-protection software--not just in the early uninstall tool--could allow an attacker to take control of a user's machine.


Previously, security researchers had spotlighted the online release of several Trojan horse programs that piggybacked on the Sony software's cloaking to hide their own presence on hard drives.

The Trojan horse software, once installed, automatically connects to an Internet chat network and allows an attacker to take remote control of an infected computer.

Half a million people at risk?
Although more than 2 million of the Sony discs have been sold, it's still unclear how many of those were actually played in a Windows-based computer, thus triggering the security risks. Sony notes that the copy-protection software is not activated on an ordinary CD or DVD player, or on a Macintosh computer.

Security researcher Dan Kaminsky said he estimated that at least 500,000 computers had installed the Sony software.

Once installed, the Sony software can relay data indicating which CDs are being played to an outside server. To do so, it first has to look up that server's address through the Internet's domain name system (DNS), and that lookup leaves a publicly observable record behind.

Kaminsky said he counted more than 568,000 separate requests. His method counts each network only once, no matter how many requests came from it, so it misses repeated requests from offices or schools where numerous computers share one network, he said.

"The thing that's proved here is not the upper bound," Kaminsky said. "This is a lower bound. This is a pandemic."
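The counting idea described above, as an added example that is not part of the article or of Kaminsky's own tooling: it scans constructed resolver query logs for clients that resolved the XCP phone-home hostname, then reports distinct clients and distinct /24 networks, the latter being the "each network counted once" lower bound. The hostname, the BIND-style log format and the log lines are placeholders chosen for the example; Kaminsky's real method queried public DNS caches, whereas this assumes you hold your own resolver's logs.

```python
"""Estimate how many hosts resolved the XCP phone-home name, from resolver logs.

Added example, not from the CNET article or from Kaminsky. The phone-home
hostname and the log lines below are constructed placeholders.
"""
import ipaddress
import re

# Placeholder: the article does not name the real phone-home host.
PHONE_HOME_HOST = "xcp-phonehome.example.invalid"

# Constructed resolver log lines in a BIND-style "client <ip>#<port>: query: <name>" format.
SAMPLE_LOG = """\
15-Nov-2005 09:01:12.345 client 192.0.2.10#51123: query: xcp-phonehome.example.invalid IN A +
15-Nov-2005 09:01:15.001 client 192.0.2.10#51124: query: xcp-phonehome.example.invalid IN A +
15-Nov-2005 09:02:40.777 client 192.0.2.77#40001: query: www.example.com IN A +
15-Nov-2005 09:03:02.100 client 192.0.2.78#40877: query: XCP-PhoneHome.example.invalid. IN A +
15-Nov-2005 09:05:19.230 client 198.51.100.5#55321: query: xcp-phonehome.example.invalid IN A +
15-Nov-2005 09:06:00.000 client 198.51.100.6#55322: query: xcp-phonehome.example.invalid IN AAAA +
15-Nov-2005 09:07:44.512 client 203.0.113.9#33210: query: update.example.org IN A +
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (client_ip, normalized_name) for each well-formed query line."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line; ignore rather than fail
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # garbage in the client field
        # DNS names are case-insensitive; strip the trailing root dot too.
        yield ip, m.group("name").rstrip(".").lower()


def phone_home_clients(log_text, host=PHONE_HOME_HOST):
    """Return the set of client addresses that resolved the phone-home host."""
    wanted = host.rstrip(".").lower()
    return {ip for ip, name in parse_queries(log_text) if name == wanted}


def network_lower_bound(clients, prefix_len=24):
    """Count each /prefix_len network once, however many clients it holds.

    This is the article's 'same network counted once' rule: ten infected PCs
    behind one office network show up as a single network, so the result is
    a lower bound on infected hosts, never an upper bound.
    """
    nets = {ipaddress.ip_network((str(ip), prefix_len), strict=False) for ip in clients}
    return len(nets)


def summarize(log_text, host=PHONE_HOME_HOST, prefix_len=24):
    """Both views side by side: per-client count and per-network lower bound."""
    clients = phone_home_clients(log_text, host)
    return {
        "distinct_clients": len(clients),
        "distinct_networks": network_lower_bound(clients, prefix_len),
        "clients": sorted(str(ip) for ip in clients),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"clients that resolved {PHONE_HOME_HOST}: {report['distinct_clients']}")
    print(f"lower bound by /24 network: {report['distinct_networks']}")
    for ip in report["clients"]:
        print("  ", ip)
```

On the sample data four clients resolved the name but only two networks did, which is the gap between the per-network lower bound and the real infected-host count that Kaminsky describes.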

Sony's copy-protection software was created by British company First 4 Internet. The software is installed on a computer's hard drive when certain Sony compact discs are put in the CD player and the listener accepts a license agreement.

The software then hides itself using a controversial programming technique called a "rootkit," which intercepts core operating system functions so that the software's own files and processes are concealed from the user and from other programs. That concealment blocks all but the most technically savvy users from detecting its presence.

Sony has worked with antivirus companies to help their products pierce this veil of invisibility, and has posted a patch on its Web site that will uncloak the hidden software. It also said it would temporarily stop manufacturing discs using the First 4 Internet tools.

Lawsuits have been filed against the record label in California and New York, and others are expected.


What about prosecution? Someone writes a virus or a trojan and
gets 20 years, but Sony distributes malicious code and everything's
groovy? Double standard?
Posted by (56 comments )
Where is the outcry???
Ok, the RIAA has no problem in taking people to court for downloading unpaid songs from p2p. The RIAA knows that most of the folks can't afford decent legal representation. So, the common Joe settles with the RIAA, who walks away with amounts that can go from a few hundred dollars to some thousands. Meaningless amounts to the RIAA, but a definite blow to the financial stability of the individual being sued. Everyone cries, "justice's been served because those being sued were contributing to the illegal activity of downloading songs without restitution to the labels." Sure.

Now, Sony decides to install software that can be easily exploited to install and propagate viruses and other malicious garbage; possibly permanently damaging someone's computer.

Where's the outcry??? Where's the "Congressional Hearings."??? Where are the politicians and elected representatives coming to the rescue of the working folk??? Nowhere !!!! Why ??? Because the RIAA has them by (fill the blank) and we all know it.

Shame, shame, shame.

That's why I don't buy cd's anymore.
Posted by Dead Soulman (245 comments )
Hear hear
These companies will do anything to stop people from copying their cd's... including making people so afraid to even use a cd for fear of it destroying their PC's that no one will buy a copy protected disc again. Who do they think they are benefiting? It would seem to me that this fiasco will only encourage music pirates. Bravo sony! How about next move to cripple the music industry.. start suing musicians when someone copies their cd's, call it recovering revenue for free advertising of the bands.
Posted by Cold_realms (2 comments )
Think Sony is in hot water? Check out Starforce
PC Gamers have been fighting for the last year with multiple different publishers about an even more nefarious Rootkit/Virus known as Starforce.

Read below for what it does. The Rootkit maker's website is here.

"I haven't studied StarForce particularly, but I *am* a programmer, so I can tell you roughly how it works and why people dislike it.

In order to be effective, it has to install as a device driver, which means for WinXP, it has ring-0 privileges, something normally only Windows and "real" device drivers have. With this greatest of privileges comes the greatest of responsibilities - a bug can do almost unlimited damage to your system integrity, because it's operating as close to the OS itself as 3rd-party code can (in the Windows World). This is one reason why people dislike it - writing software that operates in this ring is demanding and easy to get wrong. This is why you see a low percentage of true horror stories - some relatively corner-case bug can very easily result in filesystem corruption.

Next, in order to prevent various circumvention techniques - mostly, debuggers - copy protection schemes like Star Force do NOT just start up when the game starts. That's BS, pure and simple. The drivers are loaded when the OS boots, and block various tools like debuggers, drive emulators, and the like from operating in the way they're intended to work. This is a wonderful way to do what Star Force wants to do, but it is NOT something the computer owner wants. This is the next reason people dislike it - Star Force is asserting, on the game's behalf, that the game's owners' rights are more important than the users' rights to know, and control, what happens on their system. Arguments that the OS and other apps do the same kind of thing are misleading - some games try lesser approaches to the same thing (always running full screen, attempting to find debuggers already in memory and not loading if so, etc.), but Star Force's approach is taking it to the next level - directly interfering with OTHER user-space software to enforce its copy protection.

Finally, it's apparent that not all programs that bundle Star Force uninstall them correctly (I haven't tested to see whether the demo cleans up properly or not). I suspect few if ANY do - because otherwise uninstalling the demo would break StarForce for other programs on the system. Maybe the program loader re-installs the drivers if they're missing? I dunno. Either way, this is the third reason people dislike Star Force. It's interfering behavior - blocking debuggers, drive emulators, etc. - often remains even when the protected program is removed.

In short, the arguments FOR such protections are valid in some ways: There are known techniques for copying games, and Star Force goes farther than most in thwarting those techniques.

However, the consumer's points are also valid, and in my opinion, more telling. The user should be presented with clear notice of what Star Force wants to do to their system and possible side effects - they shouldn't be left to wonder why some of their other software/hardware suddenly doesn't work correctly.

Also, as has been pointed out, it is a LOSING proposition that publishers (and some developers) still fail to grasp. You simply cannot thwart an intelligent cracker because you're installing software on his machine, and the first rule of hacking is that a hacker is the lord of his own machine. Tools like Star Force simply cannot work in the long term.

They can reduce piracy - somewhat - by making it harder to crack a game immediately. But, when you add up the benefits there, and weigh them against the hassles to, and the ill-will from, your LEGAL users - and the relative numbers of each - I just don't see how a software vendor can justify the former at the expense of the latter."

Couple of links to ongoing battles with Ubisoft and Codemasters.

Posted by W0lfe (4 comments )
StarForce Response
StarForce reply to Gavin Brown
Dear Sir, calling StarForce nefarious Rootkit/Virus is a good enough cause to press charges.
How do you like that for a start?
Allow me to continue. If you haven't studied StarForce particularly, why don't you mind your own business and talk about things that you understand?
Basically, there is no need to further continue with your offensive comment on However, it would be healthy to refresh the minds of those who might have thought that you knew what you were talking about. When you talk about copy protection, why do you mention StarForce alone? That can make one think that you have personal interest in undermining our good name.
The pirates are strong, to be stronger is what we get paid for. Therefore we use every possible LEGAL tool to protect the product. The StarForce driver is not a bug and StarForce installs zero rootkits or Trojans and it harms the system's integrity no more than any other software.
It is true, that the SF drivers are loaded with the OS, but it is not true that they immediately start blocking debuggers, emulators and etc. Read one of the user's comments, for instance. The man has 4 emulators running on his PC.
Such things are only blocked when the protected software is run. Now, let me ask you a question. If you are not a pirate, why would you need a debugger simultaneously running with the protected software? It is in the interest of the developer to keep the debuggers and emulators out of business when the protected application is run.
Again, if you haven't tested how the drivers are installed/uninstalled why even talk about it?
The drivers are installed with the protected software and it is up to the software developer how they will be uninstalled. StarForce offers many ways to make the integration of protection flexible and user friendly. And if some developers choose to select the option of manual drivers uninstall, it is their sole right. Please study
There you will find the SF drivers removal tool as well.
We invite those who would like to ask questions and learn more about copy protection to our forum which has some truly unique posts.
As for the people who dislike us, we know them, they are the legions of pirates around the world. As for law-obedient users, they haven't even heard about the StarForce problem. The percent of users that had compatibility problems with StarForce is 0.3%.
You say that tools like StarForce cannot work in the long term. You are absolutely correct. And we are not even meant to. Our job is to protect the product during the peak of sales, which is usually one to three months. So that the developer and the publisher could get their revenue and invest the money into their new projects which we all so much anticipate every time. And believe me, we do our job well, some of the games we protected stayed secure for 6 months and longer.
I want to close with advice to read page one of the UBI forum that you refer to. For some reason you started reading on page 2.
Posted by Dennis Zhidkov (1 comment )
Another opinion on the situation
I am an expert computer user, and a programmer myself. From time to time I enjoy playing computer games. I have been watching after StarForce for some time now.

"PC Gamers have been fighting for the last year with multiple different publishers about an even more nefarious Rootkit/Virus known as Starforce. Read below for what it does. The Rootkit makers website is here"

I would like to comment on this blatant slander against a good product such as StarForce.

1) StarForce is NOT a root kit. Root kits are used in a bad and deceptive manner, they hide particular files, registry
keys, processes, etcetera from the user and any other software which is installed on the given computer. A root kit
usually achieves this task using a ring0 driver system.

The StarForce drivers are a legitimate way to gain all the required privileges from the Operating System in order for the protection to work correctly. StarForce hides absolutely nothing from the end-user, as all the drivers are
clearly visible and removable at will.

2) There's also no ground to call StarForce a Virus. StarForce's aim is to protect Intellectual Property. To achieve
this task, it employs a multilevel guard module. Viruses are meant to be hidden from the user, provide no means
for uninstallation, and cause direct harm.

"It's interfering behavior - blocking debuggers, drive emulators, etc. - often remains even when the protected program is removed."

This is a very illiterate statement. StarForce does not block any debuggers. StarForce protected applications cannot run with system-level debuggers since they require the same system resources as debuggers do, and thus StarForce-protected applications detect debuggers and refuse to run. StarForce tampers with no debuggers. Concerning the Virtual Drive claim; StarForce is a copy protection system. The main goal of a copy protection system is to ensure that the user has rights to run the protected application. StarForce merely requires the presence of the original media in the drive for authentication purposes ONLY.

"Also, as has been pointed out, it is a LOSING proposition that publishers (and some developers) still fail to grasp. You simply cannot thwart an intelligent cracker because you're installing software on his machine, and the first rule of hacking is that a hacker is the lord of his own machine. Tools like Star Force simply cannot work in the long term."

Some of the StarForce protected titles remain secure (not-cracked), months after their release. Some of them include
Splinter Cell: Chaos Theory, Worms 4, Beyond Divinity, and many more. This statement just points at the illiteracy of the author in regard to Copy Protection. Moreover, if a title gets cracked 4 months after its debut, it is insignificant, as the protection did well in securing the title's shelf release.

To sum things up, this post is very misleading. Clearly, the author tries to spin his personal frustrations with StarForce to a very saddening magnitude. I would at least expect from a respectable web site such as CNet to review posts and remove such blatant misconceptions. As, at the end of the day, these are the end-users they mislead, not to speak about the way they obnoxiously disrepute a good product.
Posted by TIM01 (1 comment )
Say, why hasn't Eliot Spitzer acted on this yet?
This, self install invasive windows mal der mer ware, breaks every law in the world, at all levels in both criminal and business ethics, no matter which way you dress it, it is a felony criminal trespass, with hefty fines and long jail sentences, for that is how individual virii writers are treated, except in this case it is a multinational corporation guilty of the collective crime! Question, why hasn't Eliot Spitzer instigated criminal proceedings here, for after all New York is his bailiwick! So until then, SONY BMG will find ways to bury this with creative accounting methods, so that they can and will levy all charges and fees this fiasco costs, on the very recording artists that this mal der mer ware was incorporated on their released audio cd's from say about January/February 2005 onwards! There will be no winners, only losers, when the virii writers can fully integrate this invasive ware into their online products, and turn the infected machines into bots, without user consent! Let us boycott any future purchase of all SONY related products at all levels, for they have shown us they are willing to treat all customers as thieves, and have no business ethics whatsoever! SONY BMG will be laughing all the way to the bank, the way they denied all liability and responsibility here. New rumours are spreading on the net, that recent new releases of DVD's may also contain a new variant of mal der mer ware as well! A check on shows a number of new sony bmg releases are being hammered with negative don't buy reviews, about the incorporation of this mal der mer ware on the new cd's
Posted by heystoopid (691 comments )
What about SunnComm DRM technology?
Sony continues to use SunnComm's DRM software. Have any security experts looked at this software and determined whether there are security issues associated with it?
Posted by jane colorado (2 comments )
Check this out ...

In short:
1) It installs DRM software before the EULA pops up
2) It does not uninstall properly
3) It phones home
Posted by (6 comments )
do you trust them?
i think this isn't something you can control-z to fix. even if you get an exchange for your cd, do you really trust sony's media now? so called okay cds don't do it for me. touching their products now makes me very wary. anything i would download from them makes me wary. i don't trust 'em. and the bad thing is: i don't know what it would take for me to trust their media at this point.
Posted by mock (7 comments )
Sony 'n others
I use my computer for just about everything day to day, but one thing I really enjoy is PC gaming and my archived blues music. I went anti Sony when they would only produce their games for sony platform consoles. I went against MS because they want to rule my computer world with hackie bloated software. I put as much open source utilities on my machine as I can find that will integrate. If Linux/Fedora etc. was able to play PC games I wouldn't be using MS XP. I don't know where I stand in the general population of like-minded computer users, but if everyone voted with their money I'm sure some changes would take place. Mess'n with my computer and using my games and music against me really !@#$%&* me off.
Posted by aqvanavt (17 comments )
There is more to it, read it here
BOSTON - The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony's suggested method for removing the program actually widens the security hole the original software created, researchers say.

Sony apparently has moved to recall the discs in question, but music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.

"This is a surprisingly bad design from a security standpoint," said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. "It endangers users in several ways."

Posted by bobby_brady (765 comments )
I'm at a loss for words to describe this betrayal!
I commented over a week ago on /. regarding this ActiveX component. I've commented here regarding the dangers of what's been done by Sony.
I own over fifteen thousands of dollars worth of Sony hardware, software, and music however I'll never purchase a Sony product again.
I was going to purchase a Sony surround sound system to hook up to my Sony widescreen TV in the living room this Christmas. It's an older system whose main claim to fame is it can't be stolen because it would take four burly men to cart it off. It took four people just to lift it out of its container and put it on a Sony stand. Now I've got to hire four burly men to cart it off.
What's next, when I insert a Sony CD into my Sony Xplod CDX-MP450X 50WX4 Mp3 car stereo system is it going to foul up the firmware so only Sony DRM'd content will play on it. With the next Sony firmware upgrade will my Sony VIA PCG-GRZ660 laptop quit ripping DVD's that I own so my son who has Autism and constantly scratches his movies won't be screaming at me because his movies won't play. This is what happens when hardware companies hop in bed with content providers.
Dump your Sony stock and buy Panasonic, Toshiba or even overhyped Google.
"Do no evil" sounds like a better mantra to me.
Posted by Muddleme (99 comments )
I'm now shying away from Sony products
Sony wants to go head first into the little DRM game. What about consumer rights? Forget it Sony, you guys were always trying to restrict it. Heck you couldn't even play mp3 files on their "mp3 player". The player would convert it over to their format! What a crock! Forget it Sony, you've had your chance! We consumers have firepower too, and that's with our wallets!
Posted by bobby_brady (765 comments )
update to my comments
btw when i say i dont buy commercial software i mean that i only use open source software that is freely distributed. i am a linux user and any software i buy is just to support a public project. and that is what the rest of america should be doing. companies have stopped competing to make a better product for less money but instead try to stop each other from copying their games and pass the cost on to the consumer.
Posted by fredblotnic (10 comments )
Getting Sick of being called a Hacker by Starforce
I want the world to know that the Starforce PR person is calling everyone that has had problems with Starforce on their computers a hacker, and we are not all hackers. I for one had an issue with a Plextor 40/12/40 drive that was caused by Starforce. I am sick and tired of Zhidkov calling everyone that has problems with Starforce HACKERS or PIRATES. I have never been a pirate or hacker. Just because we have had MAJOR problems with Starforce on our machines gives him no right to say we are pirates.
I dare him to call me one!
I have been involved ever since May of 2005 posting on the Ubi forums under Soulcommander. And even helped Ubi conduct an Investigation into Starforce as the Ubi techs had no clue what was happening. This investigation not only proved how Starforce treated their customers through email support, but also how Starforce treated customers on their very own forums...Closing threads and deleting them.

Starforce continues to do things to make us hate them! Just this weekend they post a bit torrent link on their web site by their very own Forum employee to a Stardock game known to have NO copy protection, this game is called Galactic Civ II by Stardock....
You can read how well it was doing selling out in North America on the Stardock web site, as well as see what Starforce posted on their forums (the bit torrent link).

You can also read how myself, Lart44 and 13thHouR responded to Gamespot here explaining to them what's really happening with Starforce.

And the resulting interview with Stardocks head here to the incident that Starforce did on their forums posting the bit torrent link:

As you can see Starforce is not only bad for your computer, their employees are very devious and unprofessional.
What copy protection company would post a Bit Torrent link to download a game without paying for it just to prove a point that the game needed Copy Protection and thus see, look, people are getting it without paying for it.

If Stardock wants to put a game out without copy protection and can outsell any game with copy protection what is the problem?

I spoke to Stardock's Larry Kuperman about the success of Galactic Civ II several weeks ago; you can see my comment here on our web site:
(Soulcommander's 3rds)

Larry tells me that Starforce kept calling them asking them to use their copy protection. And Larry told them not to call anymore and some other choice words....

Well as you can see then Starforce the weekend of 3/11 3/12 posts the bit torrent link to hurt Stardock's Galactic Civ II sales.

What would you call a company that does that?
EVIL, Comes to mind.

For those of you wondering if JM is an employee of Starforce? Yes he is. He is the one that posted the Bit Torrent link.

Enough said!

If you want to hear more about the Starforce controversy, as some like to call it, you can hear it in a recorded interview here:
Cyber Shack U.S. Interview

Cyber Shack Part 1 Interview

Part 2 Cyber Shack

In the Interview,
Dennis Zhidkov (StarForce Technologies)
Steven Levy (Newsweek magazine)
Dan Mattia (
And myself
Larry Freese (Consumer Rights Activist)
Posted by Radio_Announcer (5 comments )
You sir are deluded
"calling StarForce 'nefarious Rootkit/Virus' is a good enough cause to press charges."

Utter rubbish, if you don't like the way your product is being described by users then the problem is on YOUR END.

"why don't you mind you own business and talk about things that you understand?"

Why don't YOU mind YOUR business and keep your malicious drivers away from MY computer?

"Basically, there is no need to further continue with your offensive comment on"

Then why is it you said that and then went on for another 11 paragraphs ranting about his comment?

"Now, let me ask you a question. If you are not a pirate, why would you need a debugger simultaneously running with the protected software?"

Firstly, if I decide to purchase $1000 debugging software, then I'd expect to be able to do whatever the heck I want with it, secondly there are many, many legitimate reasons to have a debugger running. Perhaps they're monitoring another piece of software running in the background. Maybe there's a bug in a program I purchased, and I'd like to patch it, and re-compile it? You can always put internal CRC-checks in to make the software more difficult to modify, if that's what you're worried about.

"And if some developers choose to select the option of manual drivers uninstall, it is their sole right."

Amazingly, it's also the consumer's right to criticize.
Posted by Plamdi (1 comment )
