I've been keeping quiet on this subject since although Sony and First4Internet have badly handled the process, it's obviously heading in the right direction; maybe bouncing off walls would be a better description.
Anyway, I feel the following requires a simple sanity check:
el cpu said:
For those of you considering the Nancy McAleavey (Privacy Software) removal process mentioned above, please be aware that Russinovich recommends against unloading the Aries driver while Windows is running, quote: "I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence..."
Though Mark Russinovich is undoubtedly correct about the proper method here and there is a potential risk, so what? What "thread might be just about to execute the first instruction of a hooked function when the driver unloads"? Most likely, this would be something related to the CD drive. Would you stick a CD in the drive while trying to remove software that uses it? What is the real likelihood that such an event would occur under normal circumstances rather than under a test situation intended to show that it could occur? Though I don't know the answer myself, I doubt it's very probable.
Even if the situation did occur and the dreaded 'blue screen' happened, what would the result be? Since the blue screen is really a processor halt condition created by the detection of the thread jumping into invalid memory, this simply locks up the PC to protect it. Only software that was open at the time would be affected, so who leaves important programs open when performing an uninstall of any software, especially something like copy protection?
Though I understand and agree that both the software itself and the uninstallers to this point have potential problems, the only one that really concerns me is the ActiveX control used in the uninstall that appears to have an extremely bad vulnerability. Remember that the mass drive by the public is what is causing Sony to rush, which has helped create the current situation. Not defending Sony here, it's just always true that putting pressure on a bad technical situation will only make it worse. Sony's backout is no surprise to me, I knew it would happen the second I saw Mark's initial post, just not how quickly.
At this point it's also obvious that anti-malware developers will have to become involved in the cleanup effort. Since the original software had no automatic update facility (that I've heard of anyway) there's no way to inform those with the issue directly. It would be best, however, if this was a coordinated effort between the ASC/AV vendors and Sony. The fiasco to this point is due in large part to the lack of any coordination by anyone and the less than useful 'help' of the news media and general public, neither of which have a clue. Read some of the comments at Mark's site or even many of the articles and blogs referencing his site; they're rife with inaccuracies and just plain dumb statements.
My respect for Mark Russinovich as a programmer and helper within the anti-malware community in general is as solid as ever. However, my respect for his methods and handling of this situation is less than glowing. Posting this entire technical discussion directly in public without warning Sony and the anti-malware community first, giving them a chance to respond appropriately, was bound to create the mess that's ensued. It's made me question his motives more than once in the last few weeks. However, I'll give him the benefit of the doubt that he was concerned he might otherwise be stifled by an injunction suit before he could go public.
Either way, I'd prefer to see this thing slow down before the compound mistakes get even worse. Unfortunately, there's new urgency created by the ActiveX control, so that may need immediate attention. At this point I've seen no effective direct threat from the original or patched versions of the software, only proof of concept. It would be best to leave this piece alone at least until someone has a removal tool that will deal with all variants (unpatched, patched, partially uninstalled, and never really installed) and not create more problems than exist already. This is and should be Sony's job and should only be taken over by others if they're ready for the same flak that Sony's gotten, since it will be their fault if it doesn't work, not Sony's.
Remember that the average person's tendency is to just 'fix everything' and not research what's been found on their PC. So you'd better be sure your 'complete solution' will work before advertising it to the world or you'll end up linked with Sony in this debacle. So far I see no one coming up roses, and the best profile has been to keep your head down in the crossfire.