Sony Music CD Woes, Continued

Posted by Brian Wong

Sony BMG Music Entertainment (Sony) has announced it will remove music CDs containing First4Internet XCP digital rights management (DRM) software from stores, and it will offer exchanges for discs already sold. As we explained here, the XCP DRM requires the installation of a rootkit deep within the Windows operating system in order for a PC to play the CD, and the rootkit represents a potential security flaw. [UPDATE: Make that several flaws.] Sony stated that more than 20 titles have been released with XCP software, and of those CDs, over 4 million have been manufactured and 2.1 million sold.

Sony has posted a statement and FAQ on the XCP software issue. The statement notes Sony is “instituting a program that will allow customers to exchange any CD with XCP software for the same CD without copy protection.” The FAQ states that the XCP software “is included on about 50 commercial CD titles recently issued or reissued by Sony BMG.” The FAQ says Sony has provided major software and anti-virus companies with a security update, and continues: “As an alternative to downloading the update, we shortly will provide a revised and secure procedure in order to uninstall the XCP software completely from your computer. This uninstall procedure will soon be made available for download on this website.”

CDs containing XCP can be identified from the back of the CD packaging: if it includes a black and white table with “Compatible With” on the side, the CD contains some form of content protection. If the URL at the bottom of the table ends with the letters “XCP” – specifically http://cp.sonybmg.com/xcp – the CD contains the XCP software.

Microsoft plans to update its Windows AntiSpyware and Malicious Software Removal Tool, and the online scanner on Windows Live Safety Center, to detect and remove the XCP DRM, according to a Microsoft corporate blog and subsequent media reports.
As we noted previously, Computer Associates and Symantec have issued warnings and added XCP rootkit detection capabilities to their products, and Symantec also offers a removal tool.

A researcher has analyzed the proliferation of the Sony XCP DRM using the rootkit’s “phone home” function (the rootkit contacts First4Internet to retrieve lyrics and album art, and transmits information such as the CD being played on the computer and possibly the user’s IP address). Phoning home requires a DNS query, and DNS queries are cached. Caches are externally testable, he said, given a list of all the name servers. Based on the DNS list he created, he found that at least 568,200 name servers have witnessed DNS queries related to the rootkit. He does not know how many hosts that corresponds to, but concluded that “at that scale, it doesn’t take much to make this a multi-million host, worm-scale Incident.” Finally, he geolocated the data and created striking pictures of the rootkit proliferation in the USA, Asia and Europe.

Sony said it will issue all its major releases with copy protection in 2006; EMI will do the same. Sony also uses SunnComm MediaMax DRM software on some of its releases, including those of the Foo Fighters and the Dave Matthews Band. MediaMax does not conceal itself with a rootkit, but one researcher has concluded “it does behave in several ways that are characteristic of spyware” by: installing software without meaningful consent or notification; including either no means of uninstalling the software or an uninstaller that claims to remove the entire program but does not; and transmitting information about user activities to SunnComm despite statements to the contrary in the end user license agreement (EULA) and on SunnComm’s web site. The researcher noted that when a MediaMax-protected CD is inserted into a computer running Windows, the program displays a EULA, but that before the EULA appears MediaMax installs around a dozen files, over 12 MB in size.
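The cache test the researcher relied on works because a query sent with the recursion-desired bit clear is answered only from whatever the resolver already holds. The script below is an added example, not code from the original post or from the researcher; it shows how an administrator can ask a recursive resolver they operate whether the rootkit’s phone-home name has been looked up by any client behind it. The phone-home host name is not given above, so `PHONE_HOME_NAME` is a placeholder, and `build_response` fabricates replies purely so the classification logic can be exercised offline.

```python
import random
import socket
import struct

# Placeholder: the real host name the XCP rootkit resolves is not given on the page.
PHONE_HOME_NAME = "phone-home.example"


def encode_name(name):
    """Encode a dotted host name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid, recursion_desired=False):
    """Build an A/IN query. With recursion_desired=False (RD bit clear) a resolver
    answers only from its cache, which is what makes the cache testable."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, rcode=0, addresses=(), ttl=0):
    """Constructed reply (QR=1, RA=1) used only to exercise the parser offline."""
    flags = 0x8080 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer back to the name in the question section
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (txid, rcode, [(remaining_ttl, ipv4), ...]) from the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((ttl, socket.inet_ntoa(rdata)))
    return txid, rcode, answers


def interpret(expected_txid, response):
    """Classify a non-recursive reply as cached, not-cached, refused or mismatch."""
    txid, rcode, answers = parse_response(response)
    if txid != expected_txid:
        return "mismatch"  # not the reply to our query; ignore it
    if rcode == 5:
        return "refused"  # resolver does not serve non-recursive queries at all
    if rcode == 0 and answers:
        return "cached"  # some client behind this resolver looked the name up
    return "not-cached"


def check_resolver(resolver_ip, name=PHONE_HOME_NAME, timeout=2.0):
    """Ask a resolver you operate whether NAME is in its cache (needs network)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return interpret(txid, data)


if __name__ == "__main__":
    # Offline demonstration on a constructed reply; check_resolver() does the live query.
    reply = build_response(0x1234, PHONE_HOME_NAME, addresses=("192.0.2.10",), ttl=275)
    print(interpret(0x1234, reply), parse_response(reply)[2])
```

A "cached" verdict whose remaining TTL is below the zone's original TTL means a lookup happened within the last TTL window; "refused" means the resolver declines non-recursive queries, which is the setting you want on anything reachable from the Internet, since it is exactly this behaviour that let caches be surveyed from outside.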
Finally, researchers have warned that the web-based XCP uninstaller offered by Sony represents a “far greater security risk than even the original Sony rootkit.” The “serious design flaw” of the uninstaller arises because completing Sony’s online form to request a copy of the uninstaller downloads and installs an ActiveX control program created by First4Internet called CodeSupport. CodeSupport remains on the computer and is marked as safe for scripting, which means any web page can instruct CodeSupport to, for example, download and install a program from a web site without asking the user’s permission. Because CodeSupport does not verify that the program came from Sony or First4Internet, it allows any web page visited by a user with ActiveX enabled in their web browser to instruct CodeSupport to download and install a program from any web address. Sony has replaced the web-based XCP uninstaller with a downloadable file.
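The CodeSupport problem rests on two registry facts an administrator can audit: whether a control is registered in the "safe for scripting" component category, and whether Internet Explorer's kill bit (the 0x400 "Compatibility Flags" value) has been set so the browser refuses to instantiate it. The script below is an added example and is not code from Sony, First4Internet or Microsoft; `CODESUPPORT_CLSID` is a placeholder because the control's CLSID does not appear above, while the category GUIDs and registry paths are the standard ones. The registry reading only works on Windows; `assess` is pure logic and runs anywhere.

```python
# Component categories a control registers under HKCR\CLSID\{clsid}\Implemented Categories
CATID_SAFE_FOR_SCRIPTING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"

# Kill bit in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{clsid}
KILL_BIT = 0x400

# Placeholder: the CodeSupport CLSID is not given on the page.
CODESUPPORT_CLSID = "{00000000-0000-0000-0000-000000000000}"


def assess(control):
    """Verdict for a control described by a dict with keys
    'safe_for_scripting', 'safe_for_init' (bool) and 'compat_flags' (int)."""
    if control["compat_flags"] & KILL_BIT:
        return "blocked"        # kill bit set: IE will not instantiate it from any page
    if control["safe_for_scripting"]:
        return "exposed"        # any web page may call its methods, as with CodeSupport
    if control["safe_for_init"]:
        return "init-only"      # pages may feed it persisted data but not script it
    return "restricted"         # not usable from untrusted pages


def read_control(clsid):
    """Read one control's registration from the Windows registry (Windows only).
    Note: a control can also claim safety at run time via IObjectSafety, so a
    missing category key is necessary but not sufficient evidence of safety."""
    import winreg  # available only on Windows

    def key_exists(root, path):
        try:
            winreg.CloseKey(winreg.OpenKey(root, path))
            return True
        except OSError:
            return False

    base = "CLSID\\" + clsid + "\\Implemented Categories\\"
    info = {
        "clsid": clsid,
        "safe_for_scripting": key_exists(winreg.HKEY_CLASSES_ROOT, base + CATID_SAFE_FOR_SCRIPTING),
        "safe_for_init": key_exists(winreg.HKEY_CLASSES_ROOT, base + CATID_SAFE_FOR_INITIALIZING),
        "compat_flags": 0,
    }
    compat = "SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\" + clsid
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, compat) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            info["compat_flags"] = int(value)
    except OSError:
        pass  # no compatibility entry means no kill bit
    return info


if __name__ == "__main__":
    try:
        print(assess(read_control(CODESUPPORT_CLSID)))
    except ImportError:
        # Constructed entries standing in for the registry on non-Windows hosts
        codesupport_like = {"safe_for_scripting": True, "safe_for_init": True, "compat_flags": 0}
        print(assess(codesupport_like))
```

The same two checks, applied across every CLSID under HKCR\CLSID, give an inventory of controls any web page can script; a control that is both "safe for scripting" and able to download and run arbitrary files, as CodeSupport was, is the case the kill bit exists for.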