Researchers: Sony Patch Opens Huge Security Hole
As Security Fix warned in a post late last night, researchers have found new flaws in a program designed to remove portions of the anti-piracy software included on an unknown number of Sony BMG music CDs.
A patch that Sony issued a week ago when virus writers began taking advantage of the software's file-hiding capabilities actually introduces serious new security risks onto the user's machine, according to research released today by Princeton University computer science professor Edward Felten.
The Sony Web page where users can download the removal patch installs a program that remains on the user's PC even after the removal tool has done its job, Felten said. And because of the way the tool is configured, he said, it allows any Web page that the user subsequently visits to download, install and run any code that it likes.
I was speechless when I read this news, and had roughly the same thoughts as Felten expressed in his blog: "That's about as serious as a security flaw can get."
According to Felten (whose research was informed by a discovery from a Finnish researcher known as "Muzzy"), "the root of the problem is a serious design flaw in Sony's web-based uninstaller. When you first fill out Sony's form to request a copy of the uninstaller, the request form downloads and installs a program -- an ActiveX control created by the [digital rights management software] vendor, First4Internet -- called CodeSupport.
"CodeSupport remains on your system after you leave Sony's site, and it is marked as safe for scripting, so any Web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site.
"Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission."
If you've visited Sony's site and downloaded this removal tool, Felten's site has instructions on how to get rid of it -- although "it may not prevent the software from installing again, but it's better than nothing. We'll have to wait for First4Internet to develop a complete patch."
If you have Sony's anti-piracy software on your computer but haven't downloaded this removal tool yet, then good. Don't download it.
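For readers who want to check their own PC, here is an added example (not from Felten's site or the original post) that lists every ActiveX control registered as "safe for scripting" and flags any whose name, ProgID or server path mentions CodeSupport. The safe-for-scripting category GUID and the kill-bit key are documented Windows registry locations; the CodeSupport name match is an assumption, since the post gives no CLSID or file name.

```powershell
# Added example: find ActiveX controls a web page may script, and whether each one is kill-bitted.
# CATID_SafeForScripting is the documented COM category for "safe for scripting" controls.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
# Internet Explorer refuses to load a control whose Compatibility Flags include 0x400 (the kill bit).
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptableActiveX {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid   = $_.PSChildName
        $catPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\Implemented Categories\$SafeForScripting"
        if (Test-Path $catPath) {
            $name   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            $progId = (Get-ItemProperty -Path "$($_.PSPath)\ProgID" -ErrorAction SilentlyContinue).'(default)'
            $server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $flags  = (Get-ItemProperty -Path "$KillBitRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                CLSID   = $clsid
                Name    = $name
                ProgID  = $progId
                Server  = $server
                KillBit = (($flags -band 0x400) -eq 0x400)
            }
        }
      }
}

# Mitigation: set the kill bit so Internet Explorer will no longer instantiate the control.
# Requires an elevated prompt. Not invoked automatically; review the list first.
function Set-ActiveXKillBit([string]$Clsid) {
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

# Assumption: the First4Internet control registers a name, ProgID or DLL containing "CodeSupport".
$all     = Get-ScriptableActiveX
$suspect = $all | Where-Object { "$($_.Name) $($_.ProgID) $($_.Server)" -match 'CodeSupport' }
$suspect | Format-Table -AutoSize
```

A matching row with KillBit False means any Web page can still script the control; pass its CLSID to Set-ActiveXKillBit to block it in Internet Explorer, which stops the scripting path Felten describes but does not remove the control itself.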
In related news, USA Today reports that Sony will recall the CDs with the flawed anti-piracy software on them. Furthermore, the story notes that discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week.
As security researcher Don Kennedy (aka "Zoverlord") pointed out to me this morning, this means that Sony's security woes now extend beyond those who actually bought and used one of these copy-protected CDs on their computer.
I'm betting that quite a few people frightened by all of this rootkit hubbub went and installed Sony's removal tool even though they weren't sure whether the anti-piracy software was even on their PC in the first place. Now, even those users have something new to worry about.
Posted by: ZOverLord | November 15, 2005 12:05 PM | Report abuse