Sony caves in, spyware CD exchange offered

By on

The man who first made public Sony-BMG Entertainment’s spyware-like CD-Roms had only one word at the top of his weblog Wednesday: “Victory!”

After Sony released a statement yesterday saying it would pull CDs with the application from stores and offer exchanges for versions without the digital rights management (DRM) technology, Mark Russinovich was almost satisfied with Sony's response.

"While not publicly admitting blame for distributing a rootkit, providing no uninstall for the DRM software, implementing a music player that sends information to Sony's site and supplying a remotely-exploitable ActiveX control for the online uninstall they eventually made available – all without any disclosure to users – they have come close," he said.

Russinovich revealed on his blog in late October that Sony was using rootkit technology on its CDs which could "phone home" personal information to Sony or one of its business partners.

Virus writers soon exploited the cloaking technology, and within days numerous trojans were using the rootkit to compromise PCs.

Security firms, many calling the Sony application spyware, warned users about the DRM technology, and the media firestorm that followed forced Sony to pull the application from CD-Roms earlier this week.

The downward spiral continued for Sony when Ed Felten, a professor of computer science at Princeton University, said Tuesday on his blog that the uninstall provided on Sony's website left PCs open to hijackings from other sites.

The uninstaller, Felten warned, downloads a program onto PCs called CodeSupport, which remains on a unit after a user leaves Sony's site. The program was labeled as "safe for scripting," so a site can download code onto a PC – without user permission – by using it. Sony said in a release Wednesday that it "shared the concerns of consumers regarding these discs," but did not apologize outright. The company also laid blame at the feet of First4Internet, its UK-based partner and said another uninstall would be available soon.

"This software was provided to us by a third-party vendor, First4Internet," Sony said. "Ultimately, the experience of consumers is our primary concern, and our goal is to help bring our artists' music to as broad an audience as possible. Going forward, we will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music."

Russinovich warned his readers that they should continue to be on the lookout for rootkit technology in CDs.

"First, as I've stated, they don't admit wrongdoing, only that the software was a security concern," he said. "Second, there's no statement on Sony's site or their press releases regarding future policy."

www.bmg.com
www.sysinternals.com
www.first4internet.co.uk
www.freedom-to-tinker.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?