Sony Recalls Infected CDs
 

Posted on Tuesday, November 15 @ 17:52:49 GMT by tinfoil

Banner 10000059
It has been a busy couple of weeks for Sony. First they get busted with not one, but two rootkits on their audio CDs. They are then hit with lawsuits in Italy and the U.S.A. and finally a virus has been spotted in the wild that takes advantage of one of the rootkits ability to hide programs, processes and files from the Windows PC user. Still, they've only made some half-hearted attempts to fix the situation, with a half-baked patch and an uninstaller that the user has to jump through hoops to get. They've also stopped making CDs with these DRM schemes on them, yet they've not offered to replace the CDs or pulled the CDs out of the market-place.

Well, that is, until now.

Starting today, Sony is requesting all retailers to pull affected titles from store shelves. About 20 titles are involved, from Dave Matthews to Foo Fighters. It has said it will follow up later this week with information on how to get replacement CDs that do not contain the dangerous DRM schemes.

Affected CDs aren't necessarily clearly labeled as such. To be sure, flip the CD over and look near the bottom of the back of the case for the text: cp.sonybmg.com/xcp

"Sony BMG deeply regrets any inconvenience to our customers and remains committed to providing an enjoyable and safe music experience."

Some artists whos CDs where affected by the malware have spoken out against it, including Van Zant manager Ross Schilling. "I said we've got to be proactive, or it could destroy the business model," Schilling says. "Sony should be in the artist business, promoting and selling records. This type of issue sheds a negative light on their ability to do that." Van Zant's Get Right with the Man was the CD that kicked this all off.

Sony has certainly seen more than their allotment of negative light due to this issue, and rightly so given how deeply their software invades the PC it is installed on. Indeed, it is worse than some of the early AOL software.

SONY BMG STATEMENT
We are aware that a computer virus is circulating that may affect computers with XCP content protection software. The XCP software is included on a limited number of SONY BMG content protected titles. This potential problem has no effect on the use of these discs in conventional, non-computer-based, CD and DVD players.

In response to these events, SONY BMG has swiftly provided a patch to all major anti-virus companies and to the general public that guards against precisely the type of virus now said to exist. The patch fixes the possible software problem, and still allows CDs to be played on personal computers. It can be downloaded at http://cp.sonybmg.com/xcp/. Starting today, we will also be adding this link to the SONY BMG label and corporate sites. We deeply regret any possible inconvenience this may cause.

We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at: http://cp.sonybmg.com/xcp.

eh, doesnt surprise me one bit.

owned

So the problem is still seeded in many PC's even if they send the CD's back.

Funny how quickly a company can go from being respected and well liked to even fans boycotting it.

Stupid move Sony.

there is a tool and MS reported they will release a patch

So basically they tried to give CD-buyers the shaft but they got pwn3d hy hax0rz. bitches.

IOW, screw the rights of the buyers of the CDs. :mad:

Do these bozos sit around all day and come up with the latest and greatest schemes to piss off their customers? Sure seems like it...

actually

Fallout from Sony CD flap getting worse
Researchers says software removal scheme aggravates security hole

BOSTON - The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony’s suggested method for removing the program actually widens the security hole the original software created, researchers say.

Sony apparently has moved to recall the discs in question, but music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.

“This is a surprisingly bad design from a security standpoint,” said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. “It endangers users in several ways.”
Story continues below ↓ advertisement

The “XCP” copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.

When the discs were put into a PC — a necessary step for transferring music to iPods and other portable music players — the CD automatically installed a program that restricted how many times the discs’ tracks could be copied, and made it extremely inconvenient to transfer songs into the format used by iPods.

That antipiracy software — which works only on Windows PCs — came with a cloaking feature that allowed it to hide files on users’ computers. Security researchers classified the program as “spyware,” saying it secretly transmits details about what music the PC is playing. Manual attempts to remove the software can disable the PC’s CD drive.

The program also gave virus writers an easy tool for hiding their malicious software. Last week, virus-like “Trojan horse” programs emerged that took advantage of the cloaking feature to enter computers undetected, antivirus companies said. Trojans are typically used to steal personal information, launch attacks on other computers and send spam.

Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.

But the uninstaller has created a new set of problems.

To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.

According to the Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.

“The consequences of the flaw are severe,” Felten and Halderman wrote in a blog posting Tuesday. “It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.”

Sony BMG spokesman John McKay did not return calls seeking comment. First 4 Internet was not making any comment, according to Lynette Riley, the office manager who answered the company’s phone Tuesday evening in England.

Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn’t require filling out the online form.

“There’s absolutely no excuse for Sony not to make one immediately available,” he wrote in an e-mail Tuesday.

Other programs that knock out the original software are also likely to emerge. Microsoft Corp. says the next version of its tool for removing malicious software, which is automatically sent to PCs via Windows Update each month, will yank the cloaking feature in XCP.

Sony BMG said Friday it would halt production of CDs with XCP technology and pledged to “re-examine all aspects of our content protection initiative.” On Monday night, USA Today’s Web site reported that Sony BMG would recall the CDs in question.
http://www.msnbc.msn.com/id/10053831/

owned x2 :rofl: