Several groups of privacy and security experts are expected to release research later today that points to multiple, serious security flaws present in “XCP,” the anti-piracy software used on an undisclosed number of Sony BMG music CDs. (For the record, Security Fix observed that experts were busily searching for such flaws shortly after this whole fiasco began).
According to details provided by prominent security researcher Dan Kaminsky, the resulting public outcry could make Sony feel like the last two weeks of consumer backlash were a walk in the park.
In the article, Kaminsky stated “The net effect is that it’s not in doubt that Sony has created a major security event on the Net.”
Brian Krebs goes on to say “that it gets … er … better.”
Researchers have discovered a security flaw in XCP that apparently could give attackers a conduit for breaking into computers. Worse still, Sony’s web-based XCP uninstallation utility exposes users to serious security risk: in some situations the uninstaller opens a security hole on the computer, and the researchers have a working demonstration. So they are recommending that folks NOT download or run Sony’s Web-based XCP uninstaller.
Now it all begins to make sense. After proof that their software is dangerous, they continued to stonewall on recalling the CDs off the shelf and/or offering a swap for customers who were bitten by this. However, this morning I wake up to USA Today posting an article entitled “Sony to pull controversial CDs, offer swap,” and I am thinking: they NEVER offered to recall the CDs or to swap the CDs for upset purchasers before now. As a matter of fact, they flat out said there wouldn’t be one in The Register’s article by Andrew Orlowski, entitled “Sony suspends rootkit DRM”:
Sony BMG has said it will suspend production of audio ‘CDs’ that use XCP, the rootkit-style DRM developed by British company First4Internet Ltd. However the music giant refused to apologize for the software, which exposes PCs to malware and which can disable the PC’s CD drive when users try to remove the software.
Sony also declined to follow EMI’s example in September and recall CDs already in the retail channels.
So what gives? Something is happening here.
Also in the article, there is a reference to ‘a blogger’ (rather than a security researcher and software developer, which is what Mark Russinovich and Bryce Cogswell do for a living at Sysinternals and Winternals, and which Russinovich discusses on his Sysinternals blog) who “traced a hidden, spyware-type file on his computer to the CD.”
I will be keeping an eye on the following blogs over the next couple days for the developments mentioned in Brian Krebs Security Fix:
Dan Kaminsky, who “will be unveiling research that indicates just how many networks have Sony’s anti-piracy software installed on them,” according to Brian Krebs’ article.
Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.
Ah, yes, it definitely makes sense now. Big corporations never do anything without a reason, and often not until they really feel the pressure.
While I give a nod to Sony for finally deciding to pull the CDs off the shelf and offering to swap the bad CDs for something else (which may or may not also have copy protection on it), after allowing their customers’ computers to be at risk since the springtime when this copy protection scheme came out, with the indication that probably around 4 million people’s computers may have been put at risk while they thought they were safely just playing a CD on their system, at home (where banking sites, etc. might be visited) or at work (maybe even at confidential jobs), and with at least some of those same people’s computers likely put at additional risk by using Sony’s uninstaller … I say it is just too little, too late.
I seriously think consumers have every right to be pissed off, and very, very wary of any copy protected CDs in the future. A perfect example of this is mentioned in this article: “One angry ‘customer reviewer’ of Van Zant’s album put it another way on Amazon.com: ‘Boycott Sony! It looks like it’s now safer to download pirated copies than to buy CDs!’”
Being a computer technician who cleans up computers that are infected by things installed from some of the ‘seeded files’ on filesharing networks, the holes being punched in their firewalls to allow such filesharing, and much of the filesharing software having spyware and adware in it, I wouldn’t go that far, but I totally understand the outrage. I also wonder, like Alyce Lomax at Motley Fool, “What Were You Thinking, Sony?” in light of this copy protection debacle, combined with an earlier faux pas by Sony which is mentioned in Motley Fool’s prior article entitled “Fabricated Film Critic Haunts Sony.”
I think we should all be contacting Congress because this has gone far enough, and this Thursday’s triple punch oversight hearing could just make it all that much worse.
EDIT: 10:39AM 11/15/2005
Fired up yet? I certainly am, especially after reading the following items today.
Over at BBR’s DRM implementors == black hats topic, you will find some amazing comments and links. I have spent some time reading over all the pages and have picked up just a few items for your consideration:
Let’s start with when they say this all started. I have read articles that say they have been selling these ‘copy protected’ CDs since June 2005. Really? Well, what is this, posted on June 1, 2005 at CNET?
Since March, the company has released at least 10 commercial titles — more than 1 million discs in total — featuring technology from UK antipiracy specialist First4Internet that allows consumers to make limited copies of protected discs, but blocks users from making copies of the copies.
The concept is known as ‘sterile burning’. And in the eyes of Sony BMG executives, the initiative is central to the industry’s efforts to curb casual CD burning.
(Bold emphasis mine.)
Second item was this topic at CastleCops entitled “Hidden files and directories – DRM or trojan?” posted August 12, 2005 and here’s just the first part of the first post by jgk4cfc:
Here is a brief background and history…
Over the last few weeks, I have had several (maybe 3-4) blue screens on startup. The stop message complained of not being able to find a driver file called aries.sys. The first two times this happened, I searched the HD for aries.sys but couldn’t find it. A fairly thorough Google search on aries.sys (I hate the fact that search engines ignore dots in file names, even when the search term is put in double quotes!) also turned up nothing.
Last week, I upgraded to the just-released ZA Pro version 6.0.631. [I keep ZAP pretty up-to-date. My company uses McAfee, which I don’t prefer.] After the upgrade, ZAP was notifying me of lots of new ‘dangerous behavior’ (new capabilities in v6.0, I guess). One of them caught my eye: $sys%DRMServer.exe was accessing csrss.exe. I denied access, then went on a hunt. The ZAP info said that the path was WINDOWS\System32\$sys$filesystem\. The directory cannot be viewed in Windows, but I was able to open a command prompt and explicitly go to the directory, using quotes around the path name in the CD command. Here are the files listed in the directory:
Directory of C:\WINDOWS\SYSTEM32\$sys$filesystem
08/09/2005 06:54 PM .
08/09/2005 06:54 PM ..
03/31/2005 04:18 AM 6,400 aries.sys
11/03/2004 10:28 AM 11,776 crater.sys
10/07/2004 10:43 AM 765,440 DbgHelp.dll
12/08/2004 07:05 AM 10,368 lim.sys
03/30/2005 07:01 AM 12,032 oct.sys
10/07/2004 10:43 AM 246,424 Unicows.dll
Two additional files show up when I booted into safemode..
06/15/2005 03:24 PM 300.00 KB $sys$DRMServer.exe
06/15/2005 03:25 PM 2.09 KB $sys$parking
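The post above shows the classic sign of a cloaking driver: the normal-boot directory view is missing entries that appear once the driver is out of the way (safe mode). As an added example, not from the forum poster or from any vendor tool, here is a cross-view diff over two constructed `dir` listings modelled on the quoted ones; the `<DIR>` markers on `.` and `..` are assumed, restored from the standard `dir` format.

```python
"""Cross-view diff of two Windows `dir` listings to spot cloaked entries.

Constructed sample data modelled on the listing quoted above: the
normal-boot view of the $sys$filesystem directory versus the safe-mode
view, where the cloaking driver is not loaded and two more files appear.
"""
import re

# One `dir` detail line: date, time, size or <DIR>, name. The quoted post
# shows sizes as "6,400" in normal mode and "300.00 KB" in safe mode, so
# the size group accepts both spellings.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+"
    r"(<DIR>|[\d,]+|[\d.]+ KB)\s+(.+?)\s*$"
)

NORMAL_VIEW = """\
Directory of C:\\WINDOWS\\SYSTEM32\\$sys$filesystem
08/09/2005 06:54 PM <DIR> .
08/09/2005 06:54 PM <DIR> ..
03/31/2005 04:18 AM 6,400 aries.sys
11/03/2004 10:28 AM 11,776 crater.sys
10/07/2004 10:43 AM 765,440 DbgHelp.dll
12/08/2004 07:05 AM 10,368 lim.sys
03/30/2005 07:01 AM 12,032 oct.sys
10/07/2004 10:43 AM 246,424 Unicows.dll
"""

# Safe mode: same directory, plus the two entries the cloak normally hides.
SAFE_MODE_VIEW = NORMAL_VIEW + """\
06/15/2005 03:24 PM 300.00 KB $sys$DRMServer.exe
06/15/2005 03:25 PM 2.09 KB $sys$parking
"""

def parse_dir(listing: str) -> dict[str, str]:
    """Map file name -> size text, skipping the header and '.'/'..' entries."""
    entries = {}
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if m and m.group(4) not in (".", ".."):
            entries[m.group(4)] = m.group(3)
    return entries

def cross_view_diff(normal: str, unfiltered: str) -> list[str]:
    """Names present in the unfiltered view but missing from the normal one.
    A non-empty result means something between the disk and the normal
    directory API is filtering names out."""
    return sorted(set(parse_dir(unfiltered)) - set(parse_dir(normal)))

def xcp_cloaked(names: list[str]) -> list[str]:
    """Subset of names carrying the $sys$ prefix that XCP's cloak hides."""
    return [n for n in names if n.startswith("$sys$")]

if __name__ == "__main__":
    diff = cross_view_diff(NORMAL_VIEW, SAFE_MODE_VIEW)
    print("hidden in normal view:", diff)
    print("XCP-style cloaked:", xcp_cloaked(diff))
```

On a live machine the two views would come from a normal boot and a safe-mode boot (or a boot from separate media) of the same directory; any name that only shows up in the second view deserves a closer look.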
Next, we have The Big Picture: DRM Crippled CD: A bizarre tale in 4 parts. Here’s just Part 2:
Here’s where our tale takes a turn for the bizarre: According to the Band/Label’s website, these DRM restrictions were put on the CD without their knowledge or permission:
Information Regarding Our Artists’ Music, Copy-Protected CDs and your iPod
We at ATO Records are aware of the problems being experienced by certain fans due to the copy-protection of our distributor. Neither we nor our artists ever gave permission for the use of this technology, nor is it our distributor’s opinion that they need our permission. Wherever it is our decision, we will forego use of copy-protection, just as we have in the past.
That’s simply a stunner.
The loss of good will and fan support must be significant to the band. That’s a very real monetary damage to the band. (I wonder what their legal options are). It becomes even more absurd when you consider that “ATO Records permits audiotaping at our artists’ performance.” So this is a very forward looking, copyright-friendly bunch of folk.
I would hope that in the future, music agents and attorneys remember to address this in label contracts on the band’s behalf.
From F-Secure’s weblog, where they have a wav audio clip of Thomas Hess, President, Global Digital Business, Sony BMG, that was released last week on NPR Morning Edition, “Sony Music CDs Under Fire from Privacy Advocates,” which we posted last week. In addition, there is a good article at The Inquirer as well:
MICROSOFT FINALLY WEIGHED in with a whimper not a bang on the Sony DRM malware rootkit infection issue, and in no uncertain terms, they did the right thing. MS is going to remove the Sony malware, a week or two late. The problem to me is not that it is doing it, but the things that led up to it.
MS is a big proponent of DRM infections, they are built into the core of the next version of Windows. MS also has shown a tendency to look the other way on malware and spyware when it is profitable, check out the recent near buy of Claria for more information. In the link above, it claims to have objective standards to determine whether -ware is mal- or ben-.
Later in the article:
But enough ranting. Let me end this with a couple of up notes. If you want to find a trustworthy security vendor, I would recommend looking for ones that stood up on the Sony malware DRM infection issue and said ‘this is bad’ early and loudly. F-Secure comes to mind, but there are others. The ones that said ‘grumble, mumble, maybe, sorta’ a week later are not what you want to have protecting your machines.
The other happy note is this gives us a really nice test of who is looking out for your best interests. Does the removal tool remove all the infection, or just the cloak? To me, that is the best current test of who is actually looking out for you, not their chequebook.
And, last but not least:
While lawsuits against Internet file-sharing outposts like Grokster (and a few shots at individual Napster users) have grabbed headlines, major record labels have quietly shifted their target to casual CD copying between friends and family members. This, they now claim, is the real scourge behind the industry’s prolonged slump. In contrast to pay-for-play download sites, physical CDs have always been wide open, and consumers now expect that they can play the discs in standard CD players, rip the audio files to their computers for desk-side listening, download the tracks into a portable music player, burn a compilation of favorite tunes, and make a physical backup copy for safe keeping, all easily and cheaply.
There is much more in the articles noted above and in the comments on BBR. They are a must-read to get an overall picture of what’s going on.