Sony to replace XCP-protected CDs
By Matt Whipp
Posted on 16 Nov 2005 at 16:06
Sony is replacing its XCP-protected CDs after mounting pressure from all sides.
The company had already said it would halt production of CDs using the controversial copy-protection software, which has proven both a security nightmare for purchasers and a public relations disaster for the company.
It said: 'We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets. We deeply regret any inconvenience this may cause our customers.'
Sony points out that the CDs in question do not pose a security risk when played on standard hi-fi equipment or through a DVD player. The CDs were sold in the US, although it is possible that some may have been imported into the UK, for example via purchases on Amazon.com.
Roughly 2.1m of these CDs are believed to have already been sold, with some 2.6m still in retail channels.
Sony's statement continued: 'These initiatives are in addition to the measures we have already taken... We also provided to all major software companies and the general public a patch that guards against precisely the type of virus now said to exist and fixes the possible software problem while allowing CDs to be played on personal computers.'
However, even this patch has been called into question. F-Secure reported that, of the various viruses taking advantage of the DRM software's 'cloaking' ability to hide undetected on a victim's system, only patched versions of the software would allow that to happen.
None of the viruses tested by the company were hidden by the original version. Either the victim was first infected by the virus and then installed the Sony DRM software, or installed the patched DRM software and then was infected - both of which resulted in the viruses being hidden. In fact the company found that the original DRM software actually stopped the viruses from installing in the first place.
But there have been yet more twists in this series of unfortunate events for Sony. Internet Security Systems says the software also contains a privilege escalation vulnerability. On the Freedom to Tinker blog, researchers write that the procedure Sony requires for uninstalling the DRM components involves the installation of an ActiveX component into Internet Explorer, built by First4Internet, the company behind the DRM software in question.
Not a great track record therefore, but one that looks set to continue. This ActiveX control - called CodeSupport - will uninstall the DRM software but remain on the computer indefinitely. The problem is that there is no restriction on others using this same component to inject code into the browser, simply by getting you to visit a dodgy website.
Sony has now withdrawn this fix, saying 'We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.'
Freedom to Tinker has created a webpage that can detect whether your copy of Internet Explorer has this CodeSupport control in place.
