Page 4 of 9 FirstFirst 12345678 ... LastLast
Results 31 to 40 of 89

Thread: Sony DRM

  1. #31
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    SONY BMG STATEMENT ON XCP COPY PROTECTION
    http://blog.sonymusic.com/sonybmg/archives/xcp.html

    SONY BMG STATEMENT

    We are aware that a computer virus is circulating that may affect computers with XCP content protection software. The XCP software is included on a limited number of SONY BMG content protected titles. This potential problem has no effect on the use of these discs in conventional, non-computer-based, CD and DVD players.

    In response to these events, SONY BMG has swiftly provided a patch to all major anti-virus companies and to the general public that guards against precisely the type of virus now said to exist. The patch fixes the possible software problem, and still allows CDs to be played on personal computers. It can be downloaded at http://cp.sonybmg.com/xcp/. Starting today, we will also be adding this link to the SONY BMG label and corporate sites. We deeply regret any possible inconvenience this may cause.

    We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at: http://cp.sonybmg.com/xcp.
    Opinion: Rather than just "… temporarily suspending the manufacture of CDs containing XCP technology.", do the right thing and recall the CDs that contain the XCP DRM software that are currently available to consumers through retailers. Without taking this step you are continuing to subject more and more people who are unaware of the problem to possible hidden malware using the rootkit that you install with these CDs.

    I believe that you have the right to protect your intellectual property, however, the XCP DRM that you employed went far beyond the terms and conditions of the EULA that "… this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER."

    Consumers' have rights too. One of those rights is the unrestricted and uninterrupted enjoyment of personal property (their computer). Apparently those rights were not a major concern in the development of the XCP DRM when you hooked the operating system to hide files and intercept device drivers. In addition, you provided no means to uninstall the software. All this without disclosing this in the EULA. As it turns out your XCP DRM is something I would expect from hackers or malware purveyors, not from a legitimate music company.

    Come on Sony BMG Music Entertainment start doing the right thing, recall the CDs that are still in the market place!!!
    Last edited by md usa spybot fan; 2005-11-14 at 22:27.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  2. #32
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    md usa spybot fan: Thanks for the good words, your opinion is of course widely shared by consumers including myself.

    In addition to recalling the CDs in the marketplace, Sony needs to "make the uninstaller freely available as a standalone executable download" as Russinovich stated. Until this is done, infected consumers are limited to uncloaking the files vis-a-vis Microsoft, Symantec, etc. or going through the Sony uninstall process which is tedious and not without peril. A simple and reliable uninstall executable is needed for the thousands of people that are likely infected.
    Last edited by el cpu; 2005-11-14 at 22:16.

  3. #33
    Junior Member
    Join Date
    Nov 2005
    Posts
    5

    Default

    Perhaps someone who has downloaded the full uninstaller from Sony can post it online, and it can just be spread from there (without involving Sony). Since it seems that they they want people to go through the hassle of emailing them and having to manually download the patch...

  4. #34
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    Pogue, while your suggestion would good under normal circumstances, such is not possible with the Sony uninstaller and that is one of the many complaints Mark Russinovich and the AV community have of Sony. In order to uninstall, Sony makes one register and an Active X is then sent to your computer. Sony then replies back with the uninstaller however the uninstaller verifies that it is in the same computer as the original request. If it is not, it does not work and an error message appears. The uninstaller is also time limited. Sony wants this to be a machine-by-machine effort with them in full control. This of course is contrary to accepted computer practices - I can uninstall Office, PhotoShop or any other reputable software as I choose without having to go back to the developer. Check out the Russinovich posts which will elaborate in detail.
    http://www.sysinternals.com/blog/200...ant-to_09.html
    Last edited by el cpu; 2005-11-15 at 02:23.

  5. #35
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    Well.... Sony is finally pulling the CDs off the market.... According to USA Today: "Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs. Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC. .... Details about how long it will take to replace the XCP CDs and about its consumer exchange program will come later in the week, Sony said."

    http://www.usatoday.com/money/indust...sony-cds_x.htm

  6. #36
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI...

    Sony’s Web-Based Uninstaller Opens a Big Security Hole...
    - http://www.freedom-to-tinker.com/?p=927
    November 15, 2005
    "Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
    The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #37
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Unhappy

    More...

    - http://www.theinquirer.net/?article=27714
    15 November 2005
    "...Blatant stupidity in the 'cure is worse than the disease' category... FTT goes into detail. It seems the 'cure' from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine. See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course. The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus program to uninstall it, you spent money to fix Sony's problems, and you are still a criminal. That's what you get for buying music."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #38
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    This keeps getting worse... What AplusWebMaster pointed out above has hit the national news big time via the Associated Press, see the MSNBC article: http://msnbc.msn.com/id/10053831/ In addition, Princeton University has confirmed what the Finnish researcher discovered, that the Sony Active X is blatantly flawed. The MSNBC piece goes on to say: "Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn’t require filling out the online form. There’s absolutely no excuse for Sony not to make one immediately available, he wrote in an e-mail Tuesday."

    If the stand-alone program comes from Sony via First4Internet, who is going to trust it at this point; their track record is as low as it gets. I wonder if AV companies will be able to independently write a complete uninstaller (or if they will choose to, due to legal concerns). We'll see....

    Further, it now appears that there are upwards of 500,000 computers infected so far. See: http://www.wired.com/news/privacy/0,...w=wn_tophead_2

    indeed....
    Last edited by el cpu; 2005-11-16 at 00:44.

  9. #39
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Lightbulb

    FYI...

    - http://www.freedom-to-tinker.com/?p=927
    "To see whether CodeSupport is on your computer, try our CodeSupport detector page:
    - http://www.cs.princeton.edu/~jhalderm/xcp/detect.html

    If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
    cmd /k del “%windir%\downloaded program files\codesupport.*”

    Last edited by AplusWebMaster; 2005-11-16 at 01:28.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #40
    Junior Member
    Join Date
    Nov 2005
    Posts
    3

    Default

    Firstly, it looks as though the player's AX control actually does contain LGPL'ed mp3lib code, and code from id3lib. Ironic that the DRM system itself violates copyright (the EULA is LGPL-incompatible, even if source were distributed).

    More importantly, I followed up on my earlier work, because I was curious, and I extended my exploit to operate on a flaw in DRMServer that is remotely exploitable (in some scenarios, i.e., anonymous RPC access required and not firewalled) via the named pipe through which it communicates with the player application, chaining a kernel-mode privilege escalation vulnerability in crater.sys.

    Obviously, I won't give this out, because there are at least half a million, possibly a million, vulnerable machines right now according to doxpara's estimates and my own metrics. Quite easily "worm food". Chilling.

    It is worth pointing out that the aries cloaking component is not required for this exploit to work, and it works on the three versions I tested (including the post-Sony patch version).

    So far, I haven't seen a properly working uninstaller. Of course, the uninstaller Sony have also leaves CodeSupport, another threat as previously discussed. And it doesn't seem to work properly anyway.

    In my view, it's probably time to get tough; uninstallation really should, at this stage, not just remove aries, but schedule for the next reboot to blat out every single file XCP drops, including CodeSupport at this time, and unlink the XCP drivers from the Upper and Lower filter chains of the IDE channels and CD-ROM drives. That would indeed do it properly. (Ensure that you don't make the same mistake many others do; don't try to unload the drivers on the fly.)

    Even MS have stated their intention to list $sys$aries (but not the rest) in the Malware Detection and Removal Tool that will be pushed out in the next (2005-12-13) Windows Update; a distinction normally afforded only to actual, highly prevalent, botnet variants.

    I note it is still not listed in the signatures. I hope Team Spybot can be proud to be the first to provide a complete solution to this?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •