Sony to recall CDs; researchers discover “serious security flaw”

A story filed late last night at USAToday.com says Sony has begun recalling CDs containing the XCP rootkit software from stores:

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

I haven’t seen this story elsewhere, and the statement quoted in the USA Today story isn’t on Sony’s Web site. If true, it’s yet another sign that Sony is finally beginning to realize how much it has messed up.

Maybe pressure from artists has something to do with the recall. The USA Today story quotes Ross Schilling, manager of the band Van Zant, which was an unwitting victim of the XCP malware:

“I said we’ve got to be proactive [about recalling these CDs], or it could destroy the business model,” Schilling says. “Sony should be in the artist business, promoting and selling records. This type of issue sheds a negative light on their ability to do that.”

[…]

[M]any artists have spoken out about all forms of copy-protected CDs, including Matthews, the Foo Fighters and Christian rock band Switchfoot. Bela Fleck and the Flecktones are set to release a new album on Sony in January, and it will not be copy protected, says Fleck’s manager, David Bendett.

Frustrated when he bought a copy-protected Dave Matthews release and couldn’t copy it to his Apple iPod, Fleck insisted that Sony not release his new album with such restrictions, Bendett says.

Meanwhile, do not use Sony’s Web-based uninstaller. Ed Felten and J. Alex Halderman of Princeton University just released their latest research, which shows that Sony’s quick-and-dirty response to the problem is a nightmare waiting to happen:

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

It’s important to note that this flaw is caused by the limited patch Sony has released, which disables the Aries.sys file-system filter driver but leaves the DRM files intact. What Sony needs to do, right now, is to put their full uninstaller online so that anyone who has this software on their system can completely remove all traces of it.
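The CodeSupport problem described above is a general one: any COM control registered as "safe for scripting" can be driven by whatever page Internet Explorer happens to load, and it stays registered after the page that installed it is gone. The script below is an added example (not from the original post, nor from Sony, First4Internet or the Princeton researchers) that lists every control on a Windows machine registered in the SafeForScripting category, shows which DLL backs it, and reports whether Internet Explorer's kill bit is already set for it. The category GUID and the 0x400 kill-bit flag are Microsoft's documented constants; the CLSID of CodeSupport itself is not given on this page, so the kill-bit helper takes the CLSID as a parameter rather than hard-coding one.

```powershell
# Added example: find scriptable ActiveX controls and set IE's kill bit.
# Run in an elevated PowerShell session; Set-ActiveXKillBit writes to HKLM.

# CATID_SafeForScripting, the category a control registers under to tell IE
# that any web page may call its methods (documented Microsoft constant).
$CATID_SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
# COMPAT_EVIL_DONT_LOAD: the "kill bit" in Compatibility Flags.
$KillBitFlag = 0x400

function Get-SafeForScriptingControls {
    # Walk HKCR\CLSID and keep only classes that implement the category.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      Where-Object {
        Test-Path -Path "Registry::$($_.Name)\Implemented Categories\$CATID_SafeForScripting"
      } |
      ForEach-Object {
        $clsid  = $_.PSChildName
        $name   = (Get-ItemProperty -Path "Registry::$($_.Name)" -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "Registry::$($_.Name)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        # IE consults this key before instantiating a control; 0x400 blocks it.
        $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags = 0
        if (Test-Path -Path $compatKey) {
            $flags = [int](Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        }

        [pscustomobject]@{
            CLSID   = $clsid
            Name    = $name
            Server  = $server
            KillBit = [bool]($flags -band $KillBitFlag)
        }
      }
}

function Set-ActiveXKillBit {
    # Prevent IE from ever loading the control with this CLSID, without
    # touching the control's own registration or files.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $KillBitFlag -Force | Out-Null
}

# Usage: review the list, then kill-bit anything you did not knowingly install.
Get-SafeForScriptingControls |
    Where-Object { -not $_.KillBit } |
    Sort-Object Name |
    Format-Table CLSID, Name, Server -AutoSize
# Set-ActiveXKillBit -Clsid '{...CLSID of the unwanted control...}'
```

Two caveats. On 64-bit Windows a 32-bit control also appears under the Wow6432Node view of CLSID and of the ActiveX Compatibility key, so check both views. And a kill bit only stops Internet Explorer from instantiating the control; it does not remove the DLL or the rest of the DRM files, which is exactly why the post above says Sony's full uninstaller is what affected users actually need.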

(Thanks to Walter for the USA Today pointer.)