Windows Live gets bigger

Wow. A lot of really interesting stuff on the Windows Live Ideas page.

I’ve been using the Windows OneCare Live beta for a couple months. It’s been exceptionally stable and unobtrusive – enough so that I’ve completely dropped my previous favorite, Trend Micro PC-cillin.

If you’re looking for an antivirus/firewall/backup package, this is a good one to try. It’s free now but will be a paid service (no hints of ultimate cost) eventually.

I’m also planning to sign up for the Windows Live Mail beta today.

Listen up, Sony!

In the comments to an earlier post, Ben Edelman makes a very smart suggestion:

I share your assessment that “Sony still has a long way to go.” In addition to the problems you raise, there’s also the question of whether and how Sony will provide meaningful notice to affected users. In http://www.benedelman.com/news/112105-1.html I show something of a novel approach — using Sony’s own “call-home” feature to send users a special banner ad describing the situation and users’ rights. Turns out Sony can do this with only a few lines of XML code placed on their web server. And I already ran a demo — using a HOSTS file to make one of my PCs look like Sony’s web server — to confirm that the banner system works as required.

Go look at Ben’s page. This is one of the best solutions anyone has yet come up with for the conundrum of how to recall a defective product that most users don’t even realize they have.

Sony and Amazon to take back XCP-infected CDs

Sony has finally agreed to take back its rootkit-infected CDs. Visit this page for instructions on how to print out a pre-paid label you can use to exchange the affected CD for one that doesn’t contain XCP copy protection. (Interestingly, this and a similar page at Sony’s Web site represent the first official list of CDs that use the XCP software.)

No word yet on whether the replacement CDs will use another form of copy protection.

Meanwhile, Amazon is allowing its customers to return any XCP-infected CDs. This announcement appears on the order page for any Sony CD that includes the XCP software:

This Sony CD includes XCP digital rights management (DRM) software. Due to security concerns raised about the use of CDs containing this software on PCs, Sony has asked Amazon.com to remove all unsold CDs with XCP software from our store. If you have purchased this CD from Amazon.com, you may return it for a full refund regardless of whether the CD is opened or unopened, following our normal returns process. Simply indicate that the CD is “defective” as the reason for return.

Sony still has a long way to go. There’s no indication that they are actually accepting responsibility for their actions. They still have issued no apology or admission that they really, really screwed up. And they haven’t made any public contact with the people in the community who identified this problem. In a world run by sane people, someone at Sony would have been in contact with Mark Russinovich within 24 hours of the identification of this problem.

(Via Brian Krebs’ Security Fix blog.)

Sony’s big Mac attack

IT Hub says Sony’s DRM Rootkit Comes in Mac Flavor, Too:

Imogen Heap’s new CD, “Speak for Yourself,” on RCA Victor (a BMG subsidiary), has an extra partition for “enhanced” content. Along with Windows files, there is a Mac file present called “Start.app.”

When run, a EULA is first displayed (which does inform the user that software is going to be installed without saying exactly what that software will do).

The user then is prompted by the program for a user name and password. After that information is provided, the program seemingly quits. However, it actually installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext, in the OS X system files.

These turn out to be part of a DRM codebase developed by SunnComm.

Will someone please tell me when the last cockroach crawls out from under Sony’s big mess?

Sony to recall CDs; researchers discover “serious security flaw”

A story filed late last night at USAToday.com says Sony has begun recalling CDs containing the XCP rootkit software from stores:

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

I haven’t seen this story elsewhere, and the statement quoted in the USA Today story isn’t on Sony’s Web site. If true, it’s yet another sign that Sony is finally beginning to realize how much it has messed up.

Maybe pressure from artists has something to do with the recall. The USA Today story quotes Ross Schilling, manager of the band Van Zant, which was an unwitting victim of the XCP malware:

“I said we’ve got to be proactive [about recalling these CDs], or it could destroy the business model,” Schilling says. “Sony should be in the artist business, promoting and selling records. This type of issue sheds a negative light on their ability to do that.”

[…]

[M]any artists have spoken out about all forms of copy-protected CDs, including Matthews, the Foo Fighters and Christian rock band Switchfoot. Bela Fleck and the Flecktones are set to release a new album on Sony in January, and it will not be copy protected, says Fleck’s manager, David Bendett.

Frustrated when he bought a copy-protected Dave Matthews release and couldn’t copy it to his Apple iPod, Fleck insisted that Sony not release his new album with such restrictions, Bendett says.

Meanwhile, do not use Sony’s Web-based uninstaller. Ed Felten and J. Alex Halderman of Princeton University just released their latest research, which shows that Sony’s quick-and-dirty response to the problem is a nightmare waiting to happen:

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

It’s important to note that this flaw is caused by the limited patch Sony has released, which disables the Aries.sys file-system filter driver but leaves the DRM files intact. What Sony needs to do, right now, is to put their full uninstaller online so that anyone who has this software on their system can completely remove all traces of it.

(Thanks to Walter for the USA Today pointer.)
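
As an added example (not from the original post or from Felten and Halderman's research), here is a PowerShell audit that lists ActiveX controls registered under the standard safe-for-scripting COM category, the property the quoted analysis identifies in CodeSupport, together with each control's binary, its signature status and whether the Internet Explorer kill bit is set. It assumes the control is marked through the registry category; a control that declares itself safe at run time through IObjectSafety will not appear, and the page does not give CodeSupport's CLSID, so none is hard-coded.

```powershell
# Added example: list ActiveX controls registered as "safe for scripting".
# The CATID below is the standard COM category for that marking; 0x400 is the
# Internet Explorer kill bit stored in "Compatibility Flags".
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4CE4}'
$KillBit = 0x400

# Native and WOW6432Node views, since 32-bit IE loads 32-bit controls.
$views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
        # Skip classes that do not implement the safe-for-scripting category.
        $category = $key.OpenSubKey("Implemented Categories\$SafeForScripting")
        if ($null -eq $category) { continue }
        $category.Close()

        # Resolve the DLL/OCX that implements the control.
        $serverKey = $key.OpenSubKey('InprocServer32')
        $server = if ($serverKey) { [string]$serverKey.GetValue('') } else { '' }
        $server = [Environment]::ExpandEnvironmentVariables($server).Trim('"')

        # Unsigned or missing binaries deserve the closest look.
        $signature = if ($server -and (Test-Path -LiteralPath $server)) {
            (Get-AuthenticodeSignature -FilePath $server).Status.ToString()
        } else { 'FileNotFound' }

        # A set kill bit means IE will refuse to instantiate the control.
        $clsid = $key.PSChildName
        $compat = Get-ItemProperty -LiteralPath "$($view.Compat)\$clsid" -ErrorAction SilentlyContinue
        $flags = if ($compat) { $compat.'Compatibility Flags' } else { $null }

        [pscustomobject]@{
            CLSID     = $clsid
            Name      = [string]$key.GetValue('')
            Server    = $server
            Signature = $signature
            KillBit   = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

$report | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```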

The Sony story just keeps getting worse

Ed Felten says Don’t Use Sony’s Web-based XCP Uninstaller:

Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.

We are working furiously to nail down the details and will report our results here as soon as we can.

In the meantime, we recommend strongly against downloading or running Sony’s Web-based XCP uninstaller.

Oy.

Wired News piles on to the Boycott Sony movement

Dan Goodin of Wired News published a piece today entitled Boycott Sony, which contains this stirring call to action:

A lot has been written about this issue already. But a lot more needs to be said to ensure Sony gets the message: This kind of behavior can never be tolerated. It may be unrealistic to think many will heed this call, but someone’s got to say it: Boycott Sony. Boycott them until they come clean and recall all the infected CDs. Boycott them until they distribute a removal program. Boycott them until they promise never to do anything like this again.

“Someone’s got to say it.” Indeed. In fact, someone already did. I published a list of recommendations for Sony that was almost identical to Goodin’s list, except mine appeared nearly two weeks ago. And I had a Boycott Sony post as well, which linked to Tim Jarrett’s Sony Boycott Blog. That was, ahem, a full week ago.

A good idea is a good idea. But if you want to get a movement off the ground, it helps to link to the other people who are already doing the work.

Microsoft plans to root out Sony rootkit

Hot damn! Microsoft’s Anti-Malware Engineering Team is on the ball:

We are concerned about any malware and its impact on our customers’ machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems.

We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.

That was fast! I hope my request from last week was at least partially responsible.

Sony backs down after DHS smackdown

Here’s some good news:

Sony to stop making protected CDs:

Beleaguered Sony BMG will temporarily suspend the manufacture of copy-protected CDs and re-examine its digital-rights management strategy, the media giant said on Friday.

Maybe this stinging criticism from the Department of Homeland Security made them nervous?

[A]t a U.S. Chamber of Commerce-sponsored event in downtown Washington on combating intellectual-property theft … Stewart Baker, recently appointed by President Bush as the Department of Homeland Security’s assistant secretary for policy … wrapped up his opening comments with the following admonition for the industry:

“I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure people’s [and] businesses’ computers are secure. … There’s been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on people’s computers that even the system administrators can’t find.”

In a remark clearly aimed directly at Sony and other labels, Stewart continued: “It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.

“If we have an avian flu outbreak here and it is even half as bad as the 1918 flu epidemic, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is a matter of life and death and we take it very seriously.”

It would be appropriate, in my opinion, if all of the executives in charge of this cascade of truly lame decisions would just resign.