News
Wednesday 16th November 2005
Sony BMG had already said it would halt production of CDs using the controversial copy-protection software, which has proven both a security nightmare for purchasers who played the discs on a Windows PC and a public relations disaster for the company.
It said: 'We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets. We deeply regret any inconvenience this may cause our customers.'
Sony points out that the CDs in question do not pose a security risk when played on standard hi-fi equipment or through a DVD player; the software only installs itself when the disc is inserted into a Windows PC. The CDs were sold in the US, although it is possible that some have been imported into the UK via purchases on Amazon.com, for example.
Roughly 2.1m of these CDs are believed to have already been sold, with some 2.6m still in retail channels.
Sony's statement continued: 'These initiatives are in addition to the measures we have already taken... We also provided to all major software companies and the general public a patch that guards against precisely the type of virus now said to exist and fixes the possible software problem while allowing CDs to be played on personal computers.'
However, even this patch has been called into question. F-Secure reported that, of the viruses now circulating that attempt to use the DRM software's 'cloaking' ability to hide undetected on a victim's system, only systems running the patched version of the software would actually allow them to do so.
None of the viruses tested
But there have been yet more twists in this series of unfortunate events for Sony. Internet Security Systems says the software also contains a privilege escalation vulnerability. On the Freedom to Tinker blog, researchers write that the procedure Sony requires for uninstalling the DRM components involves installing an ActiveX control into Internet Explorer, built by First4Internet, the company behind the DRM software in question.
Not a great track record, therefore, but one that looks set to continue. This ActiveX control, called CodeSupport, performs the uninstall but then stays registered on the computer indefinitely. The problem is that nothing restricts which web pages may drive it: any site that embeds the control can instruct it to download and run code on the machine, so an attacker need only get you to visit a dodgy website.
Sony has now withdrawn this fix, saying 'We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.'
Freedom to Tinker has created a web page that can detect whether your copy of Internet Explorer has the CodeSupport control installed.
It took little more than a week for the virus underground to come up with new malware strains that take advantage of the cloaking abilities of the Sony DRM software. It remains to be seen what they will make of the remote code execution opened up by the flawed uninstaller.