Jump to content

Recommended Posts

Posted (edited)

I saw this on GOOGLE news the science/technology section

 

 

 

 

Experts: Sony plan widens security hole

 

 

NOV. 15 1:34 P.M. ET The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony's suggested method for removing the program actually widens the security hole the original software created, researchers say.

 

Sony apparently has moved to recall the discs in question, but music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.

 

"This is a surprisingly bad design from a security standpoint," said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. "It endangers users in several ways."Record label Sony BMG Music Entertainment said Tuesday that it will recall millions of CDs that, if played in a consumer's PC disc drive, will expose the computer to serious security risks.

 

Anyone who has purchased one of the CDs, which include southern rockers Van Zant, Neil Diamond's latest album, and more than 18 others, can exchange the purchase, Sony said. The company added that it would release details of its CD exchange program "shortly."

 

Sony reported that over the past eight months it shipped more than 4.7 million CDs with the so-called XCP copy protection. More than 2.1 million of those discs have been sold.

 

"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets," the company said in a statement. "We deeply regret any inconvenience this may cause our customers."

 

The company made the announcement--its second public apology since the CDs' risks came to light last week--just as security researchers found several other potentially dangerous flaws in the software.

 

Princeton University computer science professor Ed Felten wrote on his blog Tuesday that he and a fellow researcher had confirmed that Sony's initial Web-based uninstall tool--designed to uninstall the copy-protection software deposited by Sony's CDs--actually exposed a critical vulnerability on computers.

 

The tool downloaded a program that causes a user's hard drive to accept instructions from Web sites. But the program remained active on the user's hard drive after it had been instructed to uninstall the Sony software. The program could then be triggered by almost any code from any Web site, including malicious instructions, the Princeton researchers said.

 

"Any Web page can seize control of your computer; then it can do anything it likes," Felton and fellow researcher J. Alex Halderman wrote on their blog. "That's about as serious as a security flaw can get."

 

Sony later replaced that Web-based uninstall tool with one that downloads a program with its own instructions, as opposed to one that accepts instructions from Web sites. The researchers said the new program appeared to be safe.

 

For anyone who did use the earlier tool, the researchers' blog has instructions for removing the Sony component.

 

Separately on Tuesday, security company Internet Security Systems released its own new advisory on Sony's software. It warned that flaws in the copy-protection software--not just in the early uninstall tool--could allow an attacker to take control of a user's machine.

 

Previously, security researchers had spotlighted the online release of several Trojan horse viruses that piggybacked on the Sony software to hide their presence on hard drives.

 

The Trojan horse software, once installed, automatically connects to an Internet chat network and allows an attacker to take remote control of an infected computer.

 

Half a million people at risk?

Although more than 2 million of the Sony discs have been sold, it's still unclear how many of those were actually played in a Windows-based computer, thus triggering the security risks. Sony notes that the copy-protection software is not activated on an ordinary CD or DVD player, or on a Macintosh computer.

 

Security researcher Dan Kaminsky said he estimated that at least 500,000 computers had installed the Sony software.

 

Once installed, the Sony software can relay data, which indicates what CDs are being played, to an outside server. To relay the information, the software has to find its destination by contacting the Internet's domain name system address servers, where a publicly available record of that request is left behind.

 

Kaminsky said he counted more than 568,000 separate requests. The method counts any request coming from the same network, but only once. So it might not include repeated requests coming from offices or schools, where numerous computers use the same network, he said.

 

"The thing that's proved here is not the upper bound," Kaminsky said. "This is a lower bound. This is a pandemic."

 

Sony's copy-protection software was created by British company First 4 Internet. The software is installed on a computer's hard drive when certain Sony compact discs are put in the CD player and the listener accepts a license agreement.

 

The software then hides itself using a controversial programming tool called a "rootkit," which takes over high-level access to some computing functions. The rootkit blocks all but the most technically savvy users from being able to detect its presence.

 

Sony has worked with antivirus companies to help their products pierce this veil of invisibility, and has posted a patch on its Web site that will uncloak the hidden software. It also said it would temporarily stop manufacturing discs using the First 4 Internet tools.

 

Lawsuits have been filed against the record label in California and New York, and others are expected.

Edited by polopony
Posted

I don't mind rootkits. Any kit that assists me in getting a root can't be all that bad. =))

 

Regards

Posted

=)) =)) =))Real good zac. Be a great XMAS prezzie.

 

Where'd you find that?

 

Regards

Posted
=)) =)) =))Real good zac. Be a great XMAS prezzie.

 

Where'd you find that?

 

Regards

Written under my pen name - taking advanced orders now

Posted
A damn good example of why Autoplay should be disabled on any PC running windoze.

 

 

I'll second that :thumbup:

Posted

And, what about people who are NOT aware of these protected CD's? They never exchange them, sell them to someone who isn't versed in the protection, too. Or, worse, put them up for sale at a used shop or donate them to a library? Well after Sony's exchange program ends, of course, which they'd only keep up as long as they legally need to and not forever as would be necessary. The result? A Trojan that probably will live forever. :doh:

Posted

AVs are now adding the rootkit to their virus definitions :). So after a while, most of them should be removed.

Posted

Unfortunately, in the real world, things don't work that way. :) Those who would be unlikely to know that their CD is protected and has the rootkit would most likely also be one who doesn't have AV installed, does not regularly update the definitions, does not have the knowledge to configure AV to run the way it should, e.g. not the default settings, or to fix the AV should a problem arise with scanning or updates retrieval. Plus, once opened, I'd be willing to bet that the CD does not contain any info on it being super copy protected. Only on the cellophane as they would legally require so the customer can return it unopened. I've not seen any of these protected CD's, so, I don't know if they are labeled on the discs or the booklets or inserts for this protection.

Posted

again on Google news 120,000 Canadians bought the Sony cd's and this was part of the article

 

McKay said the company will list for Canadians all the affected titles by Monday on its website, cp.sonybmg.com/xcp
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.