Amazon.com has begun to recall and replace all the SONY-BMG XCP CDs bought from its site. They have also sent letters to users and have published a note on its website alongside all products that contain the XCP technology.
“Due to security concerns raised about the use of CDs containing this software on PCs, Sony has recalled these CDs and has asked Amazon.com to remove all unsold CDs with XCP software from our store. If you purchased this CD from Amazon.com, you may return it to us for a full refund regardless of whether the CD is opened or unopened. Just visit www.amazon.com/returns and indicate that the CD is “defective” as the reason for return,” the Amazon note reads.
People with too much time on their hands have developed viruses that exploit the vulnerability in SONY-BMG’s rootkit DRM software, XCP (Extended Copy Protection) that came bundled with selected music CDs. Essentially, files whose names begin with “$sys$” were hidden from the user and could only be revealed by a rootkit scanner, such as RootKit Revealer.
What exactly is a rootkit? Here’s a definition from Wikipedia.com.
“A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user’s knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.”
If you were clever enough to uninstall SONY’s rootkit, you ran the risk of making your CD-rom drive inoperable or having your computer repeatedly crashing or reboot. To make matters worse, if you downloaded and installed SONY’s “patch”, you created even more vulnerabilities on your computer. The patch, designed to remove portions of the XCP software that would allow the first vulnerability, actually installs another program on your computer that stays resident, after the patch has done its job. Believe it or not, but the way the tool works, it actually allows any web page that you visit to now download and execute code that it likes!!! Talk about going from the frying pan and into the fire!
When you visit SONY’s website to fill out the form for the “patch”, the form downloads an Active X control created by the same company that created XCP (First 4 Internet) called CodeSupport. CodeSupport is marked as safe for scripting and consequently, any website can force CodeSupport to download and execute code from any website without the user’s permission or knowledge.
SONY has recalled unsold CDs with the XCP software from stores and will allow customers to return them, as well. Approximately 4.7 million “infected” CDs were sold, mostly in the US.
At the moment, however, those who have the XCP software on their computers will be awaiting a better solution. Those who installed the notorious “patch”, whether they were infected with XCP or not, are also waiting for SONY to do something. It’s no surprise that SONY is already the target of class action lawsuits. The California suits claims that the DRM software damaged computers and violated three state laws.
The latest news about Sony’s DRM woes has them contacting customers who downloaded an uninstaller program for DRM software made by SunnComm Technologies and featured on other SONY-BMG releases. Like the XCP uninstaller, the SunnComm program allows malicious websites to download and execute code on your computer!
The list of XCP CDs can be found here: http://cp.sonybmg.com/xcp/english/titles.html
The Electronic Freedom Foundation has examined SONY-BMG’s end user license agreement, which you just know, few people will read. Among some of the points that you have to agree to are:
1. If you lose your CD, you have to delete the ripped CD from your home computer. The EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. If you move out of the country, you have to delete all your music. The EULA specifically forbids “export” outside the country where you reside.
3. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
4. Sony-BMG can install and use backdoors in the copy protection software or media player to “enforce their rights” against you, at any time, without notice. And Sony-BMG disclaims any liability if this “self help” crashes your computer, exposes you to security risks, or any other harm.
5. The EULA says Sony-BMG will never be liable to you for more than $5.00. That’s right, no matter what happens, you can’t even get back what you paid for the CD.
Digital Rights Management is a hot and controversial topic that is still a developing story that promises to get even bigger in the future as more and more devices are introduced for consuming copyrighted materials. Bill Gates recently said that the DVD is now obsolete and that the future will be online movies and music. Working in concert with hardware manufacturers, Microsoft will try to introduce hardware-based DRM on future computers. If the control mechanism is on a chip, people will have a harder time, in theory, getting around DRM. Stay tuned for more about this hot topic and the conclusion, hopefully, to SONY’s current DRM woes.
Read the other Blogcritics.org articles about this topic:
Sony Music CDs Install Hidden PC Root Kit by Bruce Kratofil, November 2, 2005
Sony Needs Sued for Their Malicious DRM Programs by Al Barger, November 5, 2005
Microsoft Helps Clean Up Sony DRM Rootkit Mess by Al Barger, November 13, 2005