The application software, which sends the user's IP address and listening habits to Sony, is installed without user notice or consent, officials from Long Island, N.Y.-based Computer Associates said Monday.
The unauthorized download, which CA has classified as spyware, can lead to the disclosure of confidential corporate information if an employee brings a CD with the application to work, Sam Curry, CA's vice president of eTrust Security Management, said Monday.
"Most companies don't have a policy [on listening to CDs at work], and if they do, they're generally not enforced," he said. "This can lead to the disclosure and exploitation of company information and private client information. This will create a lot of traffic, and it'll wear out PCs more quickly."
The application installs a rootkit as soon as the CD is placed in a disk drive, allowing the software to "phone home" information from the PC to Sony.
Attempts to remove the application can lead to more problems. Sony has issued a 3MB patch to remove the rootkit, but the patch itself also installs without notifying the user. The patch also contained a broken uninstall feature that can cause PCs running the Windows operating system to crash, according to CA.
The Sony website's process for removing the rootkit forces users to reveal their email addresses, musical tastes and places they purchased CDs. The site also attempts to install an ActiveX control, designed to send out data to British-based First4Internet.
Joe Stewart, senior security researcher at Lurhq, said this type of application download was unprecedented.
"I don't know that it has been done before. It was pretty shoddy," he said, adding that companies won't be able to stop users from copying audio CDs in this manner.
Instructions for disabling the program are available at www.ca.com/securityadvisor/