After two weeks of relentless criticism over its XCP copy protection software, Sony BMG Music Entertainment is pulling CDs that contain the software from store shelves. The company is also planning to offer customers a way to exchange CDs that contain the flawed copy-protection software.
"We share the concerns of consumers regarding discs with the XCP software, and we are instituting a program that will allow customers to exchange any CD with XCP software for the same CD without copy protection," Sony said in a statement (http://blog.sonymusic.com/sonybmg/archives/111505.html) posted to the company's Web site on Tuesday.
XCP, which stands for Extended Copy Protection, is Windows software designed to limit the number of copies a PC user can make of a CD, but it uses controversial cloaking techniques to hide itself on the computer. Critics had warned that these techniques could gum up a computer's performance or possibly even be used by attackers to attack the machine.
Late last week, the first examples of malicious software that exploited the XCP cloaking mechanism began surfacing, prompting Sony to temporarily cease production of XCP-enabled CDs.
Sony had originally defended its use of XCP, and had downplayed the security and privacy risks associated with the software. With Tuesday's recall, however, the company finally appeared to acknowledge the seriousness of the matter. "We deeply regret any inconvenience this may cause our customers," Sony's statement said.
Still, Sony has some important questions to answer, according to the computer expert who first discovered the problems with XCP.
The biggest problem Sony now faces is helping customers who have installed the nearly undetectable software to remove it from their machines, said Mark Russinovich, chief software architect with Winternals Software LP. Users who want to take XCP off their computers had been forced to send an e-mail to Sony and then download an ActiveX control that exposes them to further security risks, he said.
Sony on Tuesday suspended use of this uninstall process and promised to provide a "simplified and secure procedure" for uninstalling XCP. But the company provided no details on what this new procedure might be, or on how customers might exchange their XCP CDs. It also failed to address concerns about a second type of copy-protection software, called MediaMax, that ships with Sony CDs. Computer experts have said that this software suffers from many of the same problems as XCP.
Russinovich had some advice for Sony on how to simplify things. First off, the company should drop the dangerous ActiveX software, he said. Secondly, they should release a secure uninstaller that is easier to obtain. "They should just say, 'If you want the uninstaller, here it is: Click this link to execute it,'" he said. "I've seen no valid reason to have the uninstall process be what it is."
XCP is included in about 20 Sony titles including CDs by Van Zant, Sony has said. Security researcher Dan Kaminsky has estimated that at least 500,000 computers have installed the software (http://www.doxpara.com/?q=sony).