
Researchers: Sony Patch Opens Huge Security Hole

As Security Fix warned in a post late last night, researchers have found new flaws in a program designed to remove portions of the anti-piracy software included in an unknown number of Sony BMG music CDs.

A patch that Sony issued a week ago when virus writers began taking advantage of the software's file-hiding capabilities actually introduces serious new security risks onto the user's machine, according to research released today by Princeton University computer science professor Edward Felten.

The Sony Web page where users can download the removal patch installs a program that remains on the user's PC even after the removal tool has done its job, Felten said. And because of the way the tool is configured, he said, it allows any Web page that the user subsequently visits to download, install and run any code that it likes.

I was speechless when I read this news, and had roughly the same thoughts as Felten expressed in his blog: "That's about as serious as a security flaw can get."

According to Felten (whose research was informed by a discovery from a Finnish researcher known as "Muzzy"), "the root of the problem is a serious design flaw in Sony's web-based uninstaller. When you first fill out Sony's form to request a copy of the uninstaller, the request form downloads and installs a program -- an ActiveX control created by the [digital rights management software] vendor, First4Internet -- called CodeSupport.

"CodeSupport remains on your system after you leave Sony's site, and it is marked as safe for scripting, so any Web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site.

"Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission."

If you've visited Sony's site and downloaded this removal tool, Felten's site has instructions on how to get rid of it -- although "it may not prevent the software from installing again, but it's better than nothing. We'll have to wait for First4Internet to develop a complete patch."

If you have Sony's anti-piracy software on your computer but haven't downloaded this removal tool yet, then good. Don't download it.

In related news, USA Today reports that Sony will recall the CDs with the flawed anti-piracy software on them. Furthermore, the story notes that discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week.

As security researcher Don Kennedy (aka "Zoverlord") pointed out to me this morning, this means that Sony's security woes now extend beyond those who actually bought and used one of these copy-protected CDs on their computer.

I'm betting that quite a few people frightened by all of this rootkit hubbub went and installed Sony's removal tool even though they weren't sure whether the anti-piracy software was even on their PC in the first place. Now, even those users have something new to worry about.
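The flaw Felten describes comes down to a control that is registered as "safe for scripting" and left behind after the uninstaller finishes. The script below is an added example (not from this post, Felten, or First4Internet) that audits a Windows machine for registered ActiveX controls whose server DLL name matches a pattern, reports whether each is marked safe for scripting, and can optionally set Internet Explorer's kill bit so the browser refuses to instantiate it. It assumes it is run as Administrator and that the control's DLL name contains "CodeSupport"; the control's CLSID is not given in the post, so it is discovered from the registry rather than hard-coded.

```powershell
# Added example: audit ActiveX controls marked "safe for scripting" by DLL name,
# and optionally kill-bit them. Assumes elevated PowerShell; the CLSID is looked
# up, not assumed. The name pattern "CodeSupport" is the one quoted in the post.
param(
    [string]$NamePattern = 'CodeSupport',
    [switch]$SetKillBit
)

# Well-known component category CATID_SafeForScripting: a control listed under
# this category lets any web page call its methods from script.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptableControls {
    param([string]$Pattern)
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid  = $_.PSChildName
        # Default value of InprocServer32 is the path of the control's DLL.
        $server = (Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $server -or $server -notmatch $Pattern) { return }
        $safe = Test-Path "$($_.PSPath)\Implemented Categories\$SafeForScripting"
        [pscustomobject]@{ CLSID = $clsid; Server = $server; SafeForScripting = $safe }
      }
}

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
    # Compatibility Flags 0x400 is the kill bit: IE will not load the control
    # even though it stays registered and marked safe for scripting.
    Set-ItemProperty $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

$found = @(Get-ScriptableControls -Pattern $NamePattern)
if (-not $found) { "No registered control matching '$NamePattern'."; return }
$found | Format-Table -AutoSize
foreach ($c in ($found | Where-Object SafeForScripting)) {
    "WARNING: $($c.CLSID) ($($c.Server)) is marked safe for scripting; any page can call it."
    if ($SetKillBit) { Set-KillBit $c.CLSID; "Kill bit set for $($c.CLSID)." }
}
```

On 64-bit Windows, a 32-bit control's entries live under the Wow6432Node views of both keys, so run the audit from a 32-bit PowerShell as well. The kill bit blocks the browser from loading the control but does not remove the DLL; removal still has to come from the vendor's uninstaller or Felten's instructions.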

By Brian Krebs  |  November 15, 2005; 11:10 AM ET
Categories:  Latest Warnings , Piracy  


Until First4Internet and Sony remove this ActiveX from their servers, it would be with great caution that people should use ActiveX and/or accept ActiveX installations, since this can be installed via simple HTML by anyone, anywhere, worldwide.

Posted by: ZOverLord | November 15, 2005 12:05 PM | Report abuse

Unbelievable. But what has been clear from Russinovich's first post forward is the absolute ineptitude of First4Internet's coding practices. Security is not a first, second, or even third thought of these guys, which isn't so surprising when you read some of the chats they were lurking in order to get code ideas. Still, Sony has a lot more to lose and you think they would have done a better job of vetting. I can't see how First4 will survive the lawsuits...

Posted by: Dave H | November 15, 2005 1:56 PM | Report abuse

That's not all that is wrong, we found buffer overflows in it as well.

Posted by: Daivd Maynor | November 15, 2005 3:21 PM | Report abuse

Isn't it deliciously ironic that it's now safer to download MP3s off of P2P sharing networks than to buy a CD from a retailer? Or that Sony's attempts to save a dollar of profits from piracy will now cost them one hundred dollars of lawyers fees, settlement fees, and lost customer trust.

Posted by: Anonymous | November 15, 2005 3:27 PM | Report abuse

This is a complete disaster for Sony. Not only do they plant tracking software on the CD, but their solution to the problem now causes even more issues. Sony needs to be hammered for this. Amazing. This is a lawsuit waiting to happen.

Posted by: Chris | November 15, 2005 3:28 PM | Report abuse

This is nothing short of a virus planted in unsuspecting and trusting owners' systems. When a virus writer is caught, they are generally hauled off to jail by the police and dealt with in a fairly heavy-handed manner. I think the managers at Sony who made the decision to place this virus on their music CDs can and must be brought to justice, and treated like any other hacker. Only heavy fines and possibly jail time will cause these huge corporations, who think they can do anything they want, to think twice before trying something like this again. I hope Sony/BMG suffers a huge hit in their profits because of this fiasco as well.

Posted by: Jon | November 15, 2005 3:34 PM | Report abuse

Microsoft is trying to look like the knight in shining armor by offering to remove the offending rootkit.

But nobody seems to be questioning the fact that this entire fiasco is enabled by Microsoft at every stage:

First, the design of Windows makes this type of rootkit relatively trivial. A real, multiple-user, limited-permission operating system would not.

Second, and most notably, the "fix" requires ActiveX, which itself is full of holes.

Time to evaluate alternatives, people: Mac OSX, Linux, and the various BSD flavors.

Posted by: ouij | November 15, 2005 5:36 PM | Report abuse

Chance of me ever buying a CD by Sony again?
Zero. (Same goes for Warner, and their non-CD standard copy protected with programs plastic discs - could be just as bad?)

Posted by: AussieVamp2 | November 15, 2005 8:44 PM | Report abuse

We found the boss behind all this!

Posted by: S. Holmes | November 15, 2005 9:54 PM | Report abuse

The damage to home and business PCs, destruction of the O/S fixed by a reinstall, the viruses and trojans that will exploit this for years to come, for causing bandwidth theft, denial of service attacks and corporate or political espionage and information theft resulting in huge financial losses or penalties, will cause BILLIONS in damage, loss of careers, possibly deaths, and yet not much of it recognizably traceable to the root cause, Music Industry Greed. Much of the media dances delicately around the issue, hoping not to offend a major advertiser, employer and business partner. BILLIONS, sheeple, BILLIONS in losses. Everyone involved in this deserves long prison sentences and fines sufficient to destroy and WipeFromTheFaceOfTheEarth Sony/BMG/First4Internet. Let Sony then turn on their overlords in the RIAA and eat them alive. Destroy the RIAA now before they kill us all.


Posted by: JDalton | November 16, 2005 12:07 AM | Report abuse

There is one big positive to come out of this complete mess. That is the end of copy protection schemes on CDs. After all, what sort of idiot is ever again going to put a labelled copy protected CD in their computer? You obviously can't trust the music companies to not install dangerous programs on your computer, so the only option is to not buy copy protected CDs.

Posted by: Positive Outcome | November 16, 2005 12:23 AM | Report abuse

What can we as consumers do to complain about this? Who do we contact? I purchased a CD from Sony BMG recently and though I didn't download the patch, it angers and frightens me that I may be vulnerable, as I put it into my PC.

Posted by: Judy | November 16, 2005 12:39 AM | Report abuse

I'm looking at a plasma panel for my home theater, and after this fiasco Sony is right out. Panasonic and Samsung are now at the top of my list, and it'll be a long bloody time before Sony gets any of my money.

Posted by: Francois | November 16, 2005 2:22 AM | Report abuse

To Francois:

Go with the Panasonic. I have one and it runs circles around Sony, Samsung and all the others.

Posted by: DT | November 16, 2005 10:51 AM | Report abuse

I notice that, whenever profits are down, the music industry immediately blames piracy as the cause. I have 4 words for them - "It's the economy, stupid!" The world has been in a (minor?) recession for around 5 years now. That is why CD sales are down. When you're not working, the decision between buying food or CDs becomes moot. Food wins out most of the time.

To Ouij: I can't say I love Microsoft but Windows IS a limited-permission operating system. Normal day-to-day use should be performed as a normal user limited access account. You need administrative privileges to install the Sony/First4Internet software.

Posted by: DT | November 16, 2005 11:04 AM | Report abuse

There are still lots of us with Vinyl. You guys may want to dust off those turntables. They won't give you any viruses!

Posted by: Heather K. | November 16, 2005 6:41 PM | Report abuse


© 2010 The Washington Post Company