News
Thursday 22nd December 2005
'Music fans shouldn't have to install potentially dangerous, privacy-intrusive software on their computers just to listen to the music they've legitimately purchased,' said Electronic Frontier Foundation legal director Cindy Cohn. 'Regular CDs have a proven track record and no-one has been exposed to viruses or spyware by playing a regular audio CD on a computer. Why should legitimate customers be guinea pigs for Sony BMG's experiments?'
But user restrictions are only the tip of the iceberg for Sony. The technology was intended to limit the number of copies music fans could make of CDs, but in a PR gaffe it instead instigated a string of security flaws. The Sony discs using First4Internet's copy-protection package XCP created a hidden directory, then installed proprietary device drivers and software that rerouted Windows commands and intercepted kernel-level APIs.
The carefully concealed commands were discovered by Windows computer engineer Mark Russinovich, who came across what he described as a rootkit (usually used by hackers for easy access after cracking a computer) while running a security scan. The issue snowballed because, according to Russinovich: 'Users who stumble across the cloaked files with a scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.'
Although Sony reluctantly suspended the use of this Digital Rights Management (DRM) software and recalled impregnated CDs, the repercussions rumble on, with Sony BMG passing the buck. 'This software was provided to us by a third-party vendor, First4Internet. Discussion has centred on security concerns raised about the use of CDs containing this software.'
Not the discussion on blogs and user groups, which point the finger firmly at Sony BMG.
Surely anyone infected would have legal recourse? Sadly not: a licence agreement gets Sony BMG off the hook, although several campaigners are attempting legal action in the US.
'Because you click on an agreement before you install the CD, Sony almost certainly isn't breaching UK laws such as the Computer Misuse Act,' said Struan Robertson, senior partner at Pinsent Masons lawyers. 'It would need to be proved beyond any reasonable doubt that access to the computer was unauthorised
'If there were complaints that licence terms were very unfair to consumers, the Office of Fair Trading could get involved and perhaps try to have them changed, although that seems unlikely,' he said.
For the computing professional, the biggest issues aren't the restrictive practices, but the wider security issues that give access to a computer.
Even Microsoft, always keen to protect copyright despite its poor track record on security, has raised fears over vulnerabilities. In a thinly veiled criticism, the company said it would be releasing a tool to help Windows users remove the rootkit.
'We use a set of objective criteria for both Windows Defender (formerly Windows AntiSpyware) and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology,' said Microsoft anti-malware technology team architect and product manager Jason Garms. 'We have analysed this software, and determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta.'
So surely once the negative publicity broke, Sony had to react swiftly to rectify the problems? Up to a point, but even when an uninstall patch was rushed out, the embarrassment didn't end. Software released to counter the problems posed by XCP and another copy-protection program, SunnComm, has opened up even more security holes through ActiveX vulnerabilities.
'For affected users, this represents a far greater security risk than even the original Sony rootkit,' said Ed Felten, professor of computer science at Princeton University. 'The consequences of the flaw are severe. It allows any web page you visit to download, install and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get.'
But perhaps the most worrying aspect of this outrage is the painfully slow response from the security firms, which we rely on to lock down our PCs and networks. Some of the CDs on Sony BMG's list of 52 discs containing the software were released way back in March.
'For at least seven months, Sony BMG music CD buyers have been unsuspectingly installing rootkits on their PCs,' said Jupiter Research analyst Joe Wilcox. 'Why then did no security software vendor detect a problem and alert customers? If Sony's software exhibits so many characteristics of a malicious rootkit, why wasn't it detected over the course of so many months?'
One thing is clear. From now on, we need to scrutinise all intrusive software, even from respected vendors, not just that written by traditional bedroom hackers.







