Sony unearths new copy-protection threat

More risky music...

By John Borland, 7 December 2005 08:35


Sony BMG Music Entertainment and the Electronic Frontier Foundation (EFF) digital rights group jointly announced Tuesday that they had found, and fixed, a new computer security risk associated with some of the record label's CDs.

The danger is associated with copy-protection software included on some Sony CDs created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a CD is put in a computer's CD drive.

The issue affects a different set of CDs than the ones involved in the copy-protection gaffe that led Sony to recall 4.7 million CDs last month, and which has triggered several lawsuits against the record label.

EFF staff attorney Kurt Opsahl said in a statement: "We're pleased that Sony BMG responded quickly and responsibly when we drew their attention to this security problem. Consumers should take immediate steps to protect their computers."

The announcement is the latest result of the detailed scrutiny applied by the technical community to Sony's copy-protected CDs, after a string of serious security issues was found to be associated with the label's anti-piracy efforts.

The record label's copy-protected CDs have been on the market for more than eight months. But in late October, blogger Mark Russinovich discovered they surreptitiously installed a "rootkit" programming tool. Rootkit tools are typically used by hackers to hide viruses on hard drives, so Sony's move opened up a potentially serious security hole.

The controversy escalated as other researchers discovered new security flaws associated with the copy-protected CDs, which used technology from British company First 4 Internet. Virus writers began distributing malicious code that took advantage of the holes. The label recalled all the CDs with the First 4 Internet technology installed, offering an exchange program for consumers who had purchased any of the 52 CDs affected.

Following those revelations, the EFF asked computer security company iSec Partners to study the SunnComm copy protection technology, which Sony said has been distributed with 27 of its CDs in the US. iSec found the hole announced on Tuesday and notified Sony, but news of the risk was not released until SunnComm had created a patch.

Sony said another security company, NGS Software, has tested the patch and certified that it addresses the vulnerability.

The patch can be downloaded from Sony's site. A list of the CDs affected is also posted on the site.

Sony said it will notify customers through a banner advertisement directly in the SunnComm software, as well as through an internet advertising campaign.

John Borland writes for CNET News.com

Comments

There are 3 comments.

  1. Joe Whitehead

    Useful information from Microsoft: search for "nodrivetypeautorun" and "nodriveautorun" on their site.

  2. Chris Goodman

    I consider that any software downloaded/installed into my computer without my specific prior consent is an invasion of my privacy. It is of no matter that this is a result of a commercial organisation endeavouring to protect a copyright, it is still an unwarranted intrusion.

    If Sony or any other company wish to prevent copying of their product they must find other ways to do so. If this means that their product is so programmed that it will play only from the disc, and that in order for it to be actually downloaded will need the agreed pre-installation of a programme for that is acceptable.

    All the copy prevention in the world will not stop one determined to make a copy.

  3. J.C.

    I called Sony and asked how I could remove their software since I don't have a high speed connection and they told me to go to a friend and download and burn it to a CD. They said they had no plans whatsoever to help anyone with dial up or no internet access. That's what I call customer service!!! NOT !!!
