Be Afraid of Sony

The machines we love to hate

Moderator: Wiz Feinberg

Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

There is more bad news for people who want to remove the Sony DRM rootkit. Here are some quotes I read on Ed Felten's blog, Freedom To Tinker, today.

<h3>Sony’s Web-Based Uninstaller Opens a Big Security Hole</h3>

<small>http://www.freedom-to-tinker.com/?p=927
Tuesday November 15, 2005 by Ed Felten</small>
<BLOCKQUOTE>quote:
Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
...<snip>...
How can you protect yourself against this vulnerability? First, for now don’t accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off your machine, if it’s not already there.

To see whether CodeSupport is on your computer, visit our CodeSupport detector page using Internet Explorer.

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)

cmd /k del "%windir%\downloaded program files\codesupport.*"
</BLOCKQUOTE>

<BLOCKQUOTE>quote:
It looks as though the uninstaller as claimed last night, does have more serious implications than the original rootkit, in Sony’s continuing DRM nightmare. Basically, the uninstaller will allow any web page to run arbitrary code and or remotely control your pc. Which is sort of the holy grail of remote exploits. The ActiveX control called CodeSupport that is required to get the uninstaller is the culprit here. It remains on system after uninstall and is marked safe for scripting.
</BLOCKQUOTE>

<BLOCKQUOTE>quote:
By going through the uninstall process, you are supposed to feel more protected as you just got rid of nasty malware. Well you are now open to all sorts of new exploits, and you are supposed to think you are protected again.

Amazing how the programmers at First4Internet are so incompetent and continue to introduce security holes onto your system.
</BLOCKQUOTE>

<BLOCKQUOTE>quote:
I almost installed Sony’s active-X uninstaller until I saw that it was written by First4Internet, the same people that wrote the original rootkit. I said, “you have to be kidding!”. There was no way that I was going to let the same company that put a rootkit on my computer also install an active-X program. I dodged that bullet with a little common sense. Fool me once, shame on you. Fool me twice, shame on me! And of course, shame on you Sony for doing this in the first place. I’m waiting to remove the rootkit until I’m convinced that the removal code is finally written well and correctly, and that it has been verified.
</BLOCKQUOTE>
Definition of Trojan Horse:
1: The term comes from a Greek story of the Trojan War, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.

2: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.
<hr>


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services</small>

[This message was edited by Wiz Feinberg on 15 November 2005 at 04:24 PM.]
[This message was edited by Wiz Feinberg on 15 November 2005 at 04:26 PM.]
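The mechanism behind Felten's warning above is a registry marking, and it is worth seeing concretely. An ActiveX control becomes scriptable by any page in Internet Explorer when its CLSID carries the CATID_SafeForScripting component category; the standard way to block such a control without uninstalling it is IE's "kill bit" (a Compatibility Flags DWORD with bit 0x400 set). The script below is an added example, not code from the forum, Freedom to Tinker, Sony or First4Internet: it parses an offline .reg export and reports whether a given CLSID is registered, marked safe for scripting/initializing, and kill-bitted. The CLSID and the .reg fragment are constructed placeholders (CodeSupport's real CLSID is not given on this page), and it is an assumption that the MSRC block directions referred to later in the thread used the kill bit.

```python
"""Added example (not from the thread, Sony, First4Internet or Freedom to
Tinker): judge a COM control's exposure to web pages from a .reg export.

The CLSID below is a hypothetical placeholder, not CodeSupport's.
"""
import re

# Well-known component category GUIDs that IE consults before scripting.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that makes IE refuse to load a control
COMPAT_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility"

PLACEHOLDER_CLSID = "{11111111-2222-3333-4444-555555555555}"  # hypothetical

# Constructed .reg fragment in Windows Registry Editor 5.00 syntax: a control
# that declares itself safe for scripting and initializing, no kill bit yet.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="ExampleSupport Control"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\examplesupport.ocx"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
"""

# Constructed fragment that sets the kill bit for the same CLSID.
KILL_BIT_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400
"""


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: raw_value}}.

    Handles the subset of .reg syntax used here: [key] headers, @= default
    values, "name"="string" and "name"=dword:xxxxxxxx. Key paths are
    lower-cased because registry paths are case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def reg_dword(raw):
    """Decode a dword:xxxxxxxx value; None if absent or not a DWORD."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw or "")
    return int(m.group(1), 16) if m else None


def assess_control(reg_text, clsid):
    """Classify one CLSID: registered? safe for scripting? kill-bitted?"""
    keys = parse_reg(reg_text)
    base = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid).lower()
    cats = base + "\\implemented categories\\"
    compat = (COMPAT_KEY + "\\" + clsid).lower()
    flags = reg_dword(keys.get(compat, {}).get("Compatibility Flags"))
    result = {
        "registered": base in keys,
        "safe_for_scripting": (cats + CATID_SAFE_FOR_SCRIPTING.lower()) in keys,
        "safe_for_init": (cats + CATID_SAFE_FOR_INIT.lower()) in keys,
        "kill_bit": flags is not None and bool(flags & KILL_BIT),
    }
    # A page can drive the control only if it is registered, claims to be
    # safe for scripting, and IE has not been told to refuse to load it.
    result["scriptable_from_web"] = (
        result["registered"] and result["safe_for_scripting"] and not result["kill_bit"]
    )
    return result


def kill_bit_reg_fragment(clsid):
    """The .reg text that blocks clsid in IE (what a block fix would import)."""
    return "[%s\\%s]\n\"Compatibility Flags\"=dword:%08x\n" % (COMPAT_KEY, clsid, KILL_BIT)


if __name__ == "__main__":
    print("before kill bit:", assess_control(SAMPLE_REG, PLACEHOLDER_CLSID))
    print("after kill bit: ", assess_control(SAMPLE_REG + KILL_BIT_REG, PLACEHOLDER_CLSID))
```

Against a real machine you would feed it the output of `reg export HKCR\CLSID` plus the ActiveX Compatibility key; the kill bit only stops IE from loading the control, so deleting the files from Downloaded Program Files (Felten's `del` command above) is still the clean fix.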
Tommy Mc
Posts: 564
Joined: 29 Feb 2000 1:01 am
Location: Middlesex VT

Post by Tommy Mc »

The more I thought about this, the madder I got. My daughter has an after school job, low pay, so it is a couple of afternoons' work to buy a CD. She made the honorable choice to purchase rather than illegally download, and how did she get rewarded? Thanks, Sony.

Since Sony has suspended using this technology, I was thinking that the equitable solution would be to demand a clean copy for my daughter. I went to their website, and found that apparently, they are going to institute an exchange program. Kinda took some wind out of my sails, but I wrote them a 'comment' anyway:
<BLOCKQUOTE>quote:
My daughter just brought home the latest Trey Anastasio CD......with XCP protection. Due to the security concerns there is NO WAY this CD will be allowed near the computer...which unfortunately for her, is where most of our CDs get played. So my daughter spent her hard earned money from an after school job to buy a CD which she can't play where she wants to hear it.
I purchased my first Sony product 30 years ago: a TC-353D reel to reel which I still have. Through the years, I have bought Sony cassette recorders, Walkman, and Camcorders with confidence in the Sony name. Different division perhaps, but same name, and my confidence is now shattered! My aging computer needs replacement and I was considering a Sony, but now I could never trust the name and would always worry if spyware might come pre-installed.

I am outraged that SonyBMG would subject its PAYING customers to this abuse. I can respect your right to protect copyrighted material, but you have gone too far. I was planning on demanding a clean copy of the CD for my daughter, and now I see that you are planning to make that offer available. This is a step in the right direction. Please put me first on your list when this offer becomes available.
</BLOCKQUOTE>
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Bravo, Tommy! This is what Sony needs to see and hear. They need the mainstream buyers to tell them that this was a huge mistake and hurt them in the wallets.

Hopefully, heads will roll at Sony's HQ.
Steve Kaeser
Posts: 31
Joined: 16 Nov 2005 1:01 am
Location: Maryland, USA

Post by Steve Kaeser »

It's bad enough when this is being done to average citizens, but think of the number of workers who listen to music while working and now run the risk of compromising far more than their own workstation. This may only be the beginning, and the other music publishers are watching carefully to see how they can implement Digital Rights Management (DRM) to protect their property.

What is truly scary about this DRM process is that it hides completely from the system, so you can't tell if it's actually running. Microsoft has admitted that there is no way to fully scan a system for "root kit" infections.

FYI, some firewall products (such as Zone Alarm and Black Ice) will warn you if your computer is trying to call an outside system. This can be handy in providing warning of such contact, which you can block by default. At least Sony wouldn't know what music you were playing . . . . <G>

Steve

David L. Donald
Posts: 13700
Joined: 17 Feb 2003 1:01 am
Location: Koh Samui Island, Thailand

Post by David L. Donald »

"It allows any web page you visit to download, install,
and run any code it likes on your computer."

Boggles the mind!
The Sony legal team must be cataleptic in fear and aggravation
right around... NOW!!

What is "WHAT the **** were you thinking!!" in Japanese?

If Microsoft is QUICKLY writing an uninstaller for both
of them "malwares"; the C.P. and its uninstaller,
you can bet they will send Sony a BIG bill.
Would Bill Gates crew work for free... yeah right.

First4Internet will likely be toast soon,
and I sure as shooting would not want to EVER use their name on MY resume.

Job Interviewer :
You worked for WHO that year.....
Uh, um, oooohhh weelll, we'll call you.

Job Applicant:
"Oh sorry, I took a year off and went to Tibet...
but I heard about those Sony guys....

First4Internet Who???
Good luck there, guys!

I love my Mac.
[This message was edited by David L. Donald on 16 November 2005 at 01:02 PM.]
[This message was edited by David L. Donald on 18 November 2005 at 07:35 AM.]
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

<SMALL>I love my Mac.</SMALL>
Hate to tell you and Brad but Sony also uses an intrusive DRM package for the Mac. It's not a rootkit per se but it does hide itself and alters the UNIX kernel. Made by a company called SunnComm.

Fortunately, because OS X users don't run with admin privileges by default (like Windows) it's much harder to accidentally install it.

Macintouch reports:
<SMALL>Digging into the "enhanced" content on the disk, he found a Start.app that, when run, shows a license agreement, then asks you for an admin password. On entering this, it installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext.</SMALL>
Jim Hinton
Posts: 174
Joined: 26 Aug 2004 12:01 am
Location: Phoenix, Arizona, USA

Post by Jim Hinton »

Here's the latest new development, check out this link: http://news.bbc.co.uk/1/hi/technology/4445550.stm

Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

<h1>Anti-Malware Engineering Team</h1>
<h2>Sony rootkit signatures now available</h2>

We have analyzed several versions of the rootkit that have been shipped as part of Sony’s XCP software. We are calling the family WinNT/F4IRootkit. We chose the name based on the company that authored this component. We have added detection and removal for those versions via the online scanner at the Windows Live Safety Center. To quickly scan and remove those versions of the rootkit from your computer, you can select the "Full Service Scan" followed by the "Quick scan" option.

The Windows AntiSpyware Beta will be able to detect and remove this as well with the 11/17/05 signature release. Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December.

We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change.

There has also been quite a bit of discussion on the web around the ActiveX control that was later released by First 4 Internet and Sony to neutralize the rootkit. The ActiveX control has been cited with a variety of issues / vulnerabilities and it was quickly pulled off of the Sony site. If you have concerns with this ActiveX control it can be blocked by following the directions at the MSRC blog.

Source: http://blogs.technet.com/antimalware/archive/2005/11/17/414741.aspx
<hr>
If you are using Microsoft AntiSpyware with Automatic Updates you should already have the new signatures installed. To be sure you should run a manual check for updates, then after obtaining them, run a full system scan.



[This message was edited by Wiz Feinberg on 17 November 2005 at 08:07 PM.]
J W Alexander
Posts: 359
Joined: 10 Nov 2003 1:01 am
Location: Reynoldsburg, Ohio, USA

Post by J W Alexander »

Furthering this thread I just received this from Amazon dot com:

Hello from Amazon.com.

We're writing about your order for the following CD(s):

Dreamin' My Dreams

Dreamin' My Dreams

The Sony CD(s) listed above contain XCP digital rights management
(DRM) software. Due to security concerns raised about the use of CDs
containing this software on PCs, Sony has recalled these CDs and has
asked Amazon.com to remove all unsold CDs with XCP software from our
store.

Since you purchased this CD from Amazon.com, you may return it to us
for a full refund regardless of whether the CD is opened or unopened.
Just visit www.amazon.com/returns and indicate that the CD is
"defective" as the reason for return.

Thank you for your understanding. We hope to see your again soon at
Amazon.com.

Seems even Sony has "seen the light". Only worry is what will they develop now that this has been halted??

J W
David L. Donald
Posts: 13700
Joined: 17 Feb 2003 1:01 am
Location: Koh Samui Island, Thailand

Post by David L. Donald »

Still love my Mac.
I have to be a complete twit to let it install
the crap...
Oh please let me install this unknown oddly named item kind sir.
As opposed to business as usual on a windoze machine.

Of course Sony would target Mac's too.

So I guess Linux sounds pretty good these days
as a listening platform...

Total Recall, starts to get a new meaning.
[This message was edited by David L. Donald on 18 November 2005 at 07:41 AM.]
b0b
Posts: 29079
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, CA, USA

Post by b0b »

Here's BMG Sony's list of CDs that install the XCP rootkit. I notice George Jones and Louis Armstrong in the list. How dare they!
Tommy Mc
Posts: 564
Joined: 29 Feb 2000 1:01 am
Location: Middlesex VT

Post by Tommy Mc »

Sony is apparently making good on the exchange program. From their website:
<BLOCKQUOTE>quote:
Information on the CD Exchange Program
Consumers who wish to exchange their XCP content protected CDs or also receive MP3 files of the titles in addition to their replacement CDs should visit http://cp.sonybmg.com/xcp for a list of titles and versions, specific instructions and shipping information. There will be no charge to consumers for shipping in either direction.

In addition to providing replacement CDs by mail, SONY BMG is making available MP3 files to consumers who are exchanging their XCP content protected CDs. Consumers who choose to receive MP3 files will receive an e-mail with a link to the MP3 downloads upon SONY BMG's receipt and verification of their XCP CDs.
</BLOCKQUOTE>
An odd twist: since they are being pulled off the shelves and exchanged, my daughter is questioning if the XCP protected copies will end up having collector value. Go figure!
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

<h1>This just in from Sony/BMG...</h1>


<small>Bear in mind that this issue is almost a month old today</small>

This was sent today as a followup to a request for assistance in uninstalling the Sony DRM rootkit. The request was sent during the first week of November, 2005 and this reply arrived on November 28, 2005.
<BLOCKQUOTE>quote:
Thank you for contacting Sony BMG Online.

SUBJECT: Notification of potential security issue

Our records indicate that you recently sent us an email in connection with the purchase of a content protected CD, requesting a program to uninstall the XCP content protection software. We are sending you this email because we have been notified of a potential security issue that may arise in connection with the uninstaller program previously provided.

To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer.

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal. Nevertheless, for your protection, we are sending this notice to provide you with instructions as to how you may remove the XCP uninstaller files from your computer, curing any associated security risk.

Follow these instructions to remove the original uninstaller files:

1. Using Windows Explorer, go to WINDOWS\Downloaded Program Files\
2. Locate CodeSupport
3. Right-click on the file and select Remove from the pop-up window
4. The file is now removed from your computer system

If you cannot find the file in the Windows\Downloaded Program folder then you should run a search for the file as follows:

1. Click Start.
2. Click to open "My Computer."
3. Press the key combination Ctrl + F to open the search window.
4. In the "Search for files or folders named" box, type codesupport. The word "codesupport" does not contain a space.
5. Click Search Now.
6. If the file is located, right-click on the file to reveal a menu.
7. In the menu click to select the "Remove" option. This choice forces Windows to safely uninstall the control.

If the file CodeSupport is not found then your computer is not affected.

We sincerely apologize for any inconvenience this may cause. We are in the process of providing an updated version of the uninstaller program for the XCP content protection software through our customer support site ht*p://cp.sonybmg.com/xcp. This web site also contains general information about XCP protection as well as the various additional steps SONY BMG has taken to address consumer concerns regarding the XCP software.
<snip>
</BLOCKQUOTE>
[This message was edited by Wiz Feinberg on 29 November 2005 at 07:56 AM.]
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

<SMALL>To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased.</SMALL>
This is complete and utter BS. Although the removal tool does create an additional security hole, the mere presence of the rootkit itself leaves one's computer vulnerable. There are already exploits in the wild that take advantage of the rootkit.
Charlie McDonald
Posts: 11065
Joined: 17 Feb 2005 1:01 am
Location: out of the blue

Post by Charlie McDonald »

<SMALL>The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal.</SMALL>
I liked that one too.

I used to be a big Sony fan.
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

<BLOCKQUOTE>quote:
To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer.

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal.
</BLOCKQUOTE>
This, obviously, is the current thinking about the insignificance of the threats posed by the rootkit and its uninstaller, at Sony/BMG. We are on our own to resolve the problems they have created. Thankfully, there are good people on our side.


[This message was edited by Wiz Feinberg on 29 November 2005 at 07:57 AM.]
Kenny Yates
Posts: 481
Joined: 6 Dec 1998 1:01 am
Location: Hattiesburg Mississippi

Post by Kenny Yates »

More great news about Sony. I have three NetMD (MiniDisc) recorders. I have always transferred legally bought music to the MiniDisc for listening ease, or sometimes I transfer tracks for people to use in church for singing, and now all of a sudden I can no longer transfer tracks to the MiniDisc. The Sony software says it cannot read the CD; however it can play the CD.
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

<em>Some topics that should die refuse to do so, and this is no exception. I just read this today...</em>

<h3>New Sony DRM Patch Insecure</h3>

Just one day after jointly announcing a patch to correct a security flaw in the SunnComm MediaMax copy protection included on 27 CDs, Sony BMG and the Electronic Frontier Foundation are urging users not to install it. The update includes a vulnerability similar to the one it attempted to fix.

SunnComm's MediaMax version 5 software does not properly protect a directory it installs, opening the door for a privilege escalation attack. Thus, a restricted user account could replace the executables within the MediaMax directory with malicious code, which would then be executed by an administrator upon inserting a CD.

Sony said it would notify customers of the SunnComm problem through an advertising banner within the MediaMax software, and via an online ad campaign. It also began distributing an update on the Sony BMG Web site and to security vendors.

But despite claims that "independent software security firm NGS Software have determined that the security vulnerability is fully addressed by the update," Princeton researcher Alex Halderman has found otherwise.

"It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch," Princeton professor Edward Felten explained. "The previously released MediaMax uninstaller is also insecure in the same way."

Halderman and Felten also discovered that even if a user declines the MediaMax license agreement, the vulnerable software is still installed on their computer. However, those users will not see the advertising banner Sony is using to notify customers.

"The consequences of this problem are just as bad as those of the XCP rootkit whose discovery by Mark Russinovich started SonyBMG's woes," added Felten. "This problem, like the rootkit, allows any program on the system to launch a serious security attack that would normally be available only to fully trusted programs."

This isn't the first time Sony's fix for vulnerable DRM has done more harm than good. Last month, Felten reported that the Web based uninstaller for the XCP copy protection contained a security flaw that could enable malicious software to be automatically installed on a PC.

Sony has recalled all CDs with XCP due to the furor surrounding the software's rootkit, but much to the chagrin of security experts, it is not following suit with SunnComm.

"Every disc sitting on somebody's shelf, or in a record-store bin, is just waiting to install the vulnerable software on the next PC it is inserted into. The only sure way to address this risk is take the discs out of circulation," warns Felten. "The time has come for SonyBMG to recall all MediaMax CDs."


[This message was edited by Wiz Feinberg on 12 December 2005 at 07:11 AM.]
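The MediaMax bug described in the post above is a general class: an executable that an administrator (or a CD autorun under that account) will run sits in a directory a restricted user can write to, so the low-privilege user swaps the binary and waits. The script below is an added example, not SunnComm's, Sony's or anyone in the thread's code: it surveys a directory tree for executables that are replaceable because either the file or its containing directory is writable by non-owners, then shows that tightening the permissions clears the finding. Assumptions: POSIX mode bits stand in for the Windows ACL (a group- or world-writable directory plays the role of "Everyone: Modify"; on Windows you would make the same survey with icacls or Get-Acl), the tree is constructed in a temporary directory, and the "MediaMax-like" name and file names are placeholders.

```python
"""Added example (not SunnComm's, Sony's or the forum's code): find
executables a low-privilege user could replace because the file or its
directory is writable by non-owners, the class of bug described for the
MediaMax install directory.

Assumption: POSIX mode bits stand in for Windows ACLs. The directory tree
is a constructed fixture; names are placeholders.
"""
import os
import stat
import tempfile


def writable_by_others(mode):
    """Group- or world-writable: anyone but the owner may modify it."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijackable(root):
    """Return sorted (path, reason) for executables a restricted user could
    swap out. Two routes: the file itself is writable, or its directory is
    writable (and not sticky), so the file can be deleted and re-created."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        dir_open = writable_by_others(dmode) and not (dmode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and specials
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # only executables matter for this attack
            if writable_by_others(st.st_mode):
                findings.append((path, "file writable by others"))
            elif dir_open:
                findings.append((path, "directory writable by others"))
    return sorted(findings)


def harden(root):
    """Owner-only write on every directory and regular file under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                os.chmod(path, 0o755)


def build_demo_tree():
    """Constructed fixture: one directory left writable by everyone (the
    MediaMax-style mistake), one sane directory, one writable executable."""
    root = tempfile.mkdtemp(prefix="drm-perm-demo-")
    layout = [  # (relative dir, exe name, dir mode, file mode)
        ("Program Files/MediaMax-like", "MMX.exe", 0o777, 0o755),
        ("Program Files/Hardened", "Player.exe", 0o755, 0o755),
        ("Program Files/Sloppy", "Helper.exe", 0o755, 0o777),
    ]
    for rel, exe, dmode, fmode in layout:
        d = os.path.join(root, rel)
        os.makedirs(d)
        p = os.path.join(d, exe)
        with open(p, "w") as fh:
            fh.write("placeholder, not a real binary\n")
        os.chmod(p, fmode)
        os.chmod(d, dmode)  # set after creating the file so it sticks
    return root


def demo():
    """Survey the fixture, harden it, survey again; paths relative to root."""
    root = build_demo_tree()
    before = [(os.path.relpath(p, root), why) for p, why in find_hijackable(root)]
    harden(root)
    after = [(os.path.relpath(p, root), why) for p, why in find_hijackable(root)]
    return before, after


if __name__ == "__main__":
    for label, rows in zip(("before", "after"), demo()):
        print(label + ":", rows or "clean")
```

The directory case is the one that bites: Player.exe may be owner-only, but if an attacker can delete and re-create files in its folder the file's own permissions are irrelevant, which is why the survey checks the parent directory and not just the executable.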