« Sun is about to change the world |


| Washington DC's Zero Tolerance: Ticketed While Dying »

December 07, 2005

Sony's DRM security fix leaves your computer more vulnerable

Cory Doctorow: This morning, I blogged about a bug that EFF discovered in the Mediamax spyware that Sony includes on 50 of the CDs it releases in Canada and the US. EFF got Sony to release a bug-fix for it, but it turns out that the uninstaller leaves your computer more insecure than the bug!

Sony seems incapable of writing programs to uninstall the malicious software it secretly installs on your computer when you play its CDs (Mediamax installs on your PC even if you decline the agreement and eject the CD). Sony also seems incapable of producing a DRM system that doesn't contain rootkits, spyware, and/or security vulnerabilities. The combination is deadly.

# SonyBMG has released a patch that purports to fix the problem. However, our tests show that the patch is insecure. It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch.

# The previously released MediaMax uninstaller is also insecure in the same way, allowing an adversary to booby-trap files so that hostile software is run automatically when you try to use the uninstaller.

evious installments of the Sony Rootkit Roundup: Part I, Part II, Part III, Part IV

(Cool Sony CD image courtesy of Collapsibletank)

Posted by dymaxion at December 7, 2005 08:56 PM


Post a comment

Remember Me?