More questions raised as Sony starts rootkit exchange

Sony BMG Music Entertainment has rolled out a promised mail-in program that lets music buyers exchange CDs containing its controversial XCP copy protection software, but there appears to be no end to the entertainment giant's troubles. Security researchers now say they have now spotted new problems in the software Sony is giving users who want to remove its copy-protection products.

Researchers say that both the uninstall software Sony has made available for removing XCP (Extended Copy Protection), along with a separate uninstaller for a Sony copy protection program called MediaMax, contain critical security holes. Sony had already ceased distribution of the XCP uninstaller after its security problems were brought to light earlier this week.

On Thursday, however, Princeton University computer science student J. Alex Halderman claimed that MediaMax uninstaller, created by software vendor SunnComm International Inc., also presented a risk. Sony uses the MediaMax software to prevent unauthorized copying of some of its CDs, the company has said.

"It turns out that the Web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony’s other DRM, XCP," he wrote Thursday on the Freedom-to-Tinker blog. (http://www.freedom-to-tinker.com/?p=931)

SunnComm ceased distribution of the MediaMax uninstaller on Thursday, and only a very small number of Sony customers have downloaded the software, said John McKay, a Sony spokesman. "As soon as we saw the blog, SunnComm took it down," he said.

A total of 223 people had downloaded the software before it was pulled, he said. SunnComm is in the process of developing a new uninstall tool. Halderman has posted instructions for identifying and removing the buggy SunnComm tool on his blog.

Security vendor Secunia rated (http://secunia.com/advisories/17639/) this MediaMax uninstaller flaw "highly critical," and warned that if hackers could trick a user into visiting a malicious Web site, they could then possibly exploit this flaw and take over a machine that had used the uninstaller.

Sony has been on the defensive for nearly three weeks now, ever since Windows expert Mark Russinovich revealed that XCP was using "rootkit" techniques, normally only used by hackers, to conceal itself on Windows systems. Sony initially defended its use of the software, which limits the number of times a Sony CD can be copied, but it eventually reversed its position. The company ceased production of XCP-enabled CDs and promised the recall after malicious "Trojan horse" programs were written that exploited the XCP code.

Similar to viruses, Trojan horse programs are malicious programs that masquerade as some other kind of software in order to trick users into installing it on the computer.

On Friday, Sony posted instructions to its Web site (http://www.upsrow.com/sonybmg/) explaining how users could send in their XCP CDs in exchange for new CDs and MP3 files of the music they bought. Sony is providing prepaid United Parcel Service Inc. shipping labels that can be used to send in the 52 titles that had been shipping with XCP.

The XCP titles include music by Celine Dion, Rosanne Cash, and Neil Diamond. A complete list of Sony's XCP CDs can now be found with the mail-in instructions.

Amazon.com Inc. customers who want to return XCP-protected CDs can do so following the normal returns process, according to a statement posted alongside affected CDs. "Simply indicate that the CD is "defective" as the reason for return.," Amazon said.

REFERENCES:
Sony pulls copy-protected CDs from shelves, Nov. 15, 2005