Sony BMG's DRM woes deepen by flawed update

Nov 16, 2005: The online uninstaller for Sony BMG's benighted XCP copy protection software presents a greater security risk than the program it is meant to remove.

The flaw, initially discovered by a Finnish researcher known as Muzzy, was confirmed yesterday by Princeton University computer science professor Ed Felten.

The patching process involves submitting a request form on Sony BMG's site. An ActiveX control called CodeSupport - created by First4Internet, the company behind the original XCP code itself - is then downloaded and installed. CodeSupport is marked "safe for scripting", which means script on a web page is allowed to call its methods; Sony BMG uses this to instruct the unwitting customer's machine to download and run the XCP uninstaller.

The problem, according to Felten, is that the ActiveX control "...doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission."
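To make the missing check concrete, here is an added Go sketch that is not code from Sony BMG, First4Internet or Felten's write-up. It contrasts an updater with the property Felten describes (it fetches and installs from whatever URL a caller names) with one that pins the vendor's signing key and the hosts it will fetch from, and refuses anything else. The URLs, payloads, key material and function names are all constructed for the example; the "web" is an in-memory map so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Constructed stand-in for the network: URL -> bytes the server would return.
// The first entry plays the vendor's uninstaller, the second an attacker's page.
var fakeWeb = map[string][]byte{
	"https://update.example-vendor.test/uninstall.bin": []byte("vendor uninstaller v1"),
	"https://evil.example.test/payload.bin":            []byte("attacker code"),
}

func fetch(u string) ([]byte, error) {
	body, ok := fakeWeb[u]
	if !ok {
		return nil, fmt.Errorf("fetch %s: not found", u)
	}
	return body, nil
}

// Installed records what the updater would have executed. Nothing is actually run.
type Installed struct {
	URL  string
	Code []byte
}

// UnsafeInstall mirrors the flaw in the article: any caller (in the CodeSupport
// case, script on any web page) names a URL, and whatever it serves is installed.
func UnsafeInstall(u string) (Installed, error) {
	code, err := fetch(u)
	if err != nil {
		return Installed{}, err
	}
	return Installed{URL: u, Code: code}, nil
}

// SignedUpdater only installs code carrying a valid signature from a key pinned
// at build time, and only fetches over HTTPS from hosts on its allowlist.
type SignedUpdater struct {
	VendorKey    ed25519.PublicKey
	AllowedHosts map[string]bool
}

// Install fetches u and installs it only if the payload verifies under the pinned
// vendor key. The host check is defence in depth; the signature is what stops a
// hostile page from supplying its own code. (A signed-but-old payload could still
// be replayed; binding a version or expiry into the signed data closes that.)
func (s SignedUpdater) Install(u string, sig []byte) (Installed, error) {
	parsed, err := url.Parse(u)
	if err != nil || parsed.Scheme != "https" || !s.AllowedHosts[parsed.Host] {
		return Installed{}, errors.New("refused: URL is not an https vendor host")
	}
	code, err := fetch(u)
	if err != nil {
		return Installed{}, err
	}
	if !ed25519.Verify(s.VendorKey, code, sig) {
		return Installed{}, errors.New("refused: payload is not signed by the vendor key")
	}
	return Installed{URL: u, Code: code}, nil
}

func main() {
	// The vendor's key pair is generated here only for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := "https://update.example-vendor.test/uninstall.bin"
	bad := "https://evil.example.test/payload.bin"
	code, _ := fetch(good)
	sig := ed25519.Sign(priv, code) // vendor signs its real uninstaller

	upd := SignedUpdater{VendorKey: pub, AllowedHosts: map[string]bool{"update.example-vendor.test": true}}
	_, err = UnsafeInstall(bad)
	fmt.Println("unsafe updater, attacker URL:", err) // installs it: <nil>
	_, err = upd.Install(bad, sig)
	fmt.Println("signed updater, attacker URL:", err) // refused
	_, err = upd.Install(good, sig)
	fmt.Println("signed updater, vendor URL:   ", err) // <nil>
}
```

The property to take from this is that the verification is anchored in something the calling web page cannot forge (the vendor's private key), not in where the request came from or what the control was told.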

Felten underlines the severity of the CodeSupport hole: "Any web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."

According to Felten, downloadable versions of the uninstall tools are available on Sony BMG's site, and those are safe to use.

Sony BMG has recalled all 4.7 million affected discs, 2.1 million of which had already been sold.

Releases by artists including Celine Dion, Van Zant and Neil Diamond use the XCP software. Anyone who played one of the 20 XCP-protected CDs on a Windows computer would have had the flawed software install itself silently in the background, without being told.

Sony says it "deeply regret(s) any possible inconvenience".

If you think your PC may have been exposed to the flaw, you can use the online detector page.

Let us know if you've had any experiences with Sony's XCP digital rights management software.

Related Article:

Microsoft enters Sony BMG's DRM drama