EFF and Sony Disclose New DRM Security Hole

Dotnaught writes "The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment said on Tuesday that SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs. Security firm iSEC Partners discovered the hole following a request by the EFF to examine the SunnComm software. The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC. The EFF and iSEC delayed disclosing the problem until SunnComm could develop a fix."

Re:the paranoid ac

[ergo98]

I've never understood how any userland bullshit software could manage the complexities of opening up a hole *on accident*. Call me paranoid, but, when shit like this gets 'found', they call it being 'found' because someone put it there.

To install the software originally the user had to be an administrator (a lot of software requires admin rights because most of the system won't allow a basic user to install system-wide software. e.g. It could add files in your user directory and the like, but not in Program Files). From then on the software is running as System, operating as a part of the system (which is why it's called a root kit).

My guess is that the folder where the software is stored has the ACLs set to Everyone with Full Control, or something similar. Because this root kit is run as System when the system boots up, a simple user exploit could circumvent user isolation by overwriting some of the rootkit files, and on next boot it'll be running as System, with full local permissions.

iSecPartners

[under_score]

FWIW, I have known one of the founding partners at iSec, Jesse Burns, since high school. He's a very very smart guy with almost instinctual understanding of security issues and problems. This is a shameless plug for my friend's company: they're great and you'd do well to hire them if you want a good security audit or training done.

Re:yes we all know

[saskboy]

Patience...

http://www.boycottsony.us/ has the latest news on developments in the Sony case, and www.sonysuit.com lists the lawsuits.

A New lawsuit for Candians is being opened by http://www.glynhotz.com/ an Ontario lawyer. The XCP CDs appear to still be on many store shelves, more than a week after the recall was announced in Canada.

Wake up Artists

[4Dmonkey]

Someone should go and tell the artists that they dont need these greedy evil middlemen to sell their music nowadays. They can simply create their own portals.
That should solve a lot of problems.

How About a Removal Tool Instead!

[Junior+Samples]

I don't want a security patch for Sony's DRM malware. Just give me a removal tool and the problem will go away on it's own.

Not just age, also artificial narrowing of choices

[Morgaine]

why the new acts can't all sound like Lionel Richie or Billy Ocean.

I think that you missed the poster's point, since you mention old pop chart stars. The problem isn't that today's pop charts don't feature yesterday's pop chart music nor soundalikes --- expecting that would be totally dumb.

The problem is that today the music scene is ruled 99% by the pop charts as a result of the ruthless efficiency of the Big Business side of the music industry, to the extent that almost all other musical styles are marginalized to near extinction. Musicians no longer come out of art school wanting to do something novel for their own niche audience; greed has overcome artistic integrity.

Back in the day, the studios and labels were comparatively amateurish and ineffective, so public tastes were strongly influenced by radio station jockeys, through student union gigs/concerts, and by music tabloid reviews of live acts. These have almost no effect today. The image makers and immense marketting machine hold the scene in a vice-like grip.

So it's not old age, only. It's also that musical horizons have been slammed down tight all around us, with only a few wonderful exceptions to the rule offering a temporary escape.

Re:Sorry to be rude

[hokeyru]

Agreed. We can argue about whether evil is worse than incompetence, but the combination of the two is truly fearsome.

If you have have any of these CD's, return them. If you're a fan of any of these artists, write them a letter:

Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia)

List from EFF.

zealots suck

Compare this with the original story from The Register, where the author was offering his viewpoint in absolute terms.

How is this any different than Slashdot?

The difference between the two is night and day.

You mean the difference between a brown turd and a black turd?

To reiterate, The Register article presented a viewpoint, the Slashdot article asked if The Register article was correct in its conclusions.

I can show you plenty of articles where the editor or submitter added their own opinion or conclusion to the story. On Slashdot.

Re:Big List of DRM CDs?

[spot35]

**Clicky - Google - Clicky**

MediaMax titles @Sony BMG website

XCP titles @SonyBMG website

Re:Thank you Sony!

[Phisbut]

A number of people I've spoken with have never heard of the Sony 'rootkit' case and had no idea that playing a recent Sony DRM-protected CD on a Windows PC could be dangerous to their computer system.

I dunno about the media where you are, but up here in Québec, the Sony DRM screwup made the evening news bulletin on more than one occasion on two of the most watched channels, even clearly stating that the music CD's installed spyware without your agreement. Although not everybody knows what a rootkit is, many people know what spyware is, so the choice of words was appropriate.

I love it that our media isn't sold (mostly) to the big corps. They even reported that the Xbox360 might have a heating problem that prevents some consoles from functionning. The Sony screwup is big enough a deal that the general public deserves to be informed.

Patch suffers from same security flaws...

[Robotech_Master]

...as previous patches. In other words, it leaves your computer even more vulnerable than before.

Don't see any mention of this on the entire last page of comments listed most recently first, so I figured it was worth risking a possible karma hit for duplication.

It seems Sony and SunComm just can't come up with a "real" fix to save their lives.