November 16, 2005

Sony/BMG Humiliated over OS-Altering Rootkit

Filed under: Business Moves, Consumer Outrage, Corporate Outrage, Economy, Money Tip of the Day — TBlumer @ 11:05 am

Following up on this post (”Privacy Prevention Turns into PR Nightmare”) about Sony’s Window OS-altering software–I don’t think I’ve ever seen this happen with commercial software before, but the designation is richly deserved:

Microsoft Treating Sony BMG Rootkit as Malicious Software

Microsoft said it would remove controversial copy-protection software that CDs from music publisher Sony BMG install on personal computers, deeming it a security risk to PCs running on Windows.

The XCP program, developed by First4Internet in Britain and used on music CDs by Sony BMG to restrict copying and sharing, has generated concern amongst computer users because it acts like virus software and hides deep inside a computer, where it leaves the backdoor open for other viruses.

“We have analyzed this software and have determined that in order to help protect our customers, we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users,” Jason Garms, group program manager of the Anti-Malware Technology Team, said on Microsoft (MSFT)’s Technet blog.

“Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool,” Garms added.

When Microsoft calls you out, you know you’re in trouble.

Sony’s humiliating PR nightmare is turning into a legal one as well, as Sony’s technical efforts at damage control are only adding to the company’s woes (bold is mine):

Experts: Sony BMG Rootkit ‘Fix’ Only Makes Things Worse

The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony’s suggested method for removing the program widened the security hole the original software created, researchers say.

Sony has moved to recall the discs in question. But music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.

“This is a surprisingly bad design from a security standpoint,” said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. “It endangers users in several ways.”

The “XCP” copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond, and Celine Dion. Sony BMG said 4.7 million were shipped, with 2.1 million sold.

The Electronic Frontier Foundation has published a page on how to identify an affected CD, and compiled a list of affected CDs, but does not claim that it is complete.

I hope this is an object lesson to companies with legitimate interests in protecting their intellectual property: Don’t mess with your customers’ computers!

Aside: It seems a bit of a stretch to call some of the CDs involved “intellectual” property (but I know better than to name names).
___________________

UPDATE: The Boycott Sony Blog has some coping suggestions.

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.