Dear Microsoft: Please clean up the Sony mess

Update: Microsoft will indeed add the Sony rootkit software to the list of software detected by its Malicious Software Removal Tool. This capability will appear in the December 2005 update to the utility. Signatures for the XCP component will also be added to Windows AntiSpyware, Windows Defender, and the Windows Live Safety Center. Details here.

Mark Russinovich has analyzed Sony’s “patch” for its rootkit-based software and finds that the patch is crap and Sony is still lying.

Microsoft’s John Howard just found out about the Sony rootkit debacle and says, “Be worried – very worried”:

Normally, I wouldn’t comment on news like this anywhere except on my personal blog, but I am so outraged and stunned by what I’ve discovered, having spent the past hour or so researching and reading about the techniques and implications of the “RootKit” approach and the legalities, the fact that a half-baked patch has been issued, and the follow-up entry from yesterday on Mark’s blog about the way that the software “calls” home.

Yes, there is a huge amount of publicity out there about this, but what worries me most now is that even with that publicity, how many home users are really going to take action on it? There is a probable chain reaction:

  • Home users generally won’t read or hear about this, are highly unlikely to run a rootkit revealer to discover the “rootkit”, and will blame XP for potentially crashing or certainly being slower due to the “rootkit” performance overhead.
  • Not knowing about it means the majority of infected users will not visit the appropriate site to patch/remove the DRM software (which it appears is not flawless either).
  • Many people will purchase CDs with this DRM “rootkit” software.
  • Given that a significant percentage of purchasers will play those CDs on home machines, there will be many home machines installed with an unpatched rootkit.
  • Joe Hacker now has it on a plate with an easy way to cloak their worms/viruses on “infected” machines through the sys$ file prefix.

My proposed solution?

Each month, Microsoft updates its Malicious Software Removal Tool and pushes it down to all Windows XP clients via Automatic Updates. The next release of this software should target the First 4 Internet software and automatically remove it. It should also inoculate the system so that the software cannot be reinstalled.

Yes, I know this is unlikely to happen because the software doesn’t technically qualify as “malicious.” But it could happen if Sony gave its permission to Microsoft.

So, add one more item to my list of things Sony should do immediately:

  1. Fire First 4 Internet immediately and publicly.
  2. Remaster the CDs with DRM-free versions.
  3. Offer free replacement CDs to anyone who purchased one of the rootkit-infected CDs.
  4. Provide toll-free tech support for anyone who experiences a problem with their Windows computer that they think is related to this software.
  5. Assist Microsoft in updating the Malicious Software Removal Tool to remove the rootkit-based software from any infected systems and prevent it from being reinstalled.

Background:

Sony wants to hijack your PC

Sony’s even sleazier than I thought

Sony tries to stop the bleeding

Sony’s phony patch

Is Sony violating the law?

Windows AntiSpyware gets a name change and then some

In case you’ve been wondering why Windows AntiSpyware has been in beta for what seems like two years (it’s actually been only 10 months), Microsoft’s Steve Dodson spills the beans. Three pieces of news:

The new name is Windows Defender.

It will be integrated into Windows Vista. Steve explains:

You will be able to run another spyware product instead of Windows Defender if you would like. Although I may shed a small tear, you will be able to disable or turn off Windows Defender and install whichever 3rd party anti-spyware application you would like. The really cool thing is that the Windows Security Center in Vista will be redesigned to detect if an Anti-Spyware application such as Windows Defender is running and operating normally.

And it will soon receive signature updates via Automatic Updates rather than through a separate update engine.

More details in a somewhat breathless post at the Anti-Malware Engineering Team blog:

Windows Defender is about what Windows will do for customers, defending them from spyware and other unwanted software. Our solution has really been about more than just the standard definition of “spyware”. We’ve always said we will provide visibility and control, as well as protection, detection and removal from other potentially unwanted software, including rootkits, keystroke loggers and more.

Making the engineering change from “Windows AntiSpyware” to “Windows Defender” took a lot of careful coordination across our team to ensure that the strings in the UI got changed, the help files all got updated, registry keys, file names and properties, as well as a couple of images all got changed. All this work was completed and tested last Thursday, and is currently making its way through our build systems in Windows to make it into the main build environment, where official builds come from. We’re pretty excited by the name, and by the sleek new UI and other improvements we’ve been making in it to help make Windows Vista the best operating system around! But Windows Defender is about a lot more than just a name change. The engine has now moved to a system service, and signatures are delivered over Windows Update. The detection mechanisms have also been radically improved by applying to spyware threats all the great detection technology we use in our antivirus engine.

Unanswered question: What happens to anyone using Windows XP or Windows 2000?

Update: The new software will be available for Windows XP, according to the AMET Blog post. But no word on Windows 2000.

Also see this follow-up story.

Sony’s phony patch

At Freedom to Tinker, Edward Felten says Sony is trying to weasel out of its obligations to come clean with customers:

Yesterday, [Sony and First 4 Internet] released a software update that they say “removes the cloaking technology component that has been recently discussed in a number of articles”. Reading that statement, and the press statements by company representatives, you might think that that’s all the update does. It’s not.

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert — falsely — that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.

Whoever is making these decisions at Sony has no idea how badly they are damaging the company’s reputation.

Is Sony violating the law?

I’m not qualified to pass judgment on legal issues, so when I run across infuriating behavior like what Sony has been engaging in (see my earlier post, Sony wants to hijack your PC, for background), I try to find an expert on the subject. For this question, I can’t think of anyone more qualified than Ben Edelman. He’s most famous as an expert on spyware, which is noteworthy given the spyware-like behavior of these copy-protected CDs.

I asked Edelman if he thought that Sony’s behavior was potentially illegal. Here’s his reply:

It all comes down to consent. If Sony’s EULA is taken to obtain a user’s consent for the installation, perhaps Sony is on strong ground. But if the “consent” procedure is deemed defective (too vague, too hard to find, no clear manifestation of assent, too inconsistent with the premise of buying a CD), suddenly Sony is in trouble — for a nonconsensual installation of software onto users’ PCs. One might reasonably accuse Sony of committing a trespass to chattels, or even of exceeding authorized access to a computer system (a Computer Fraud and Abuse Act violation).

I’m also struck by the fact that these items, though apparently labeled as CDs and of course sold in CD stores, aren’t actually genuine CDs (as the official “red book” CD standard defines that format). Could Sony be committing fraud by claiming to sell users CDs, when in fact what Sony is offering is something else altogether?

There are a pair of 800-pound gorillas that might have something to say about that latter question. One is Philips, which owns the CD trademark and has been vocal about its objections to copy protection since at least 2002. If Sony is using the CD logo, they’re infringing on that trademark. The other party who might want to stomp on Sony is Eliot Spitzer, Attorney General of the State of New York, who has already taken on some big names in the spyware industry. I hope he’ll weigh in here.

Sony tries to stop the bleeding

When you shoot yourself in the foot, you can expect some bleeding. That, presumably, is why Sony and its partner in crime are rushing out a patch for the crapware that comes with their copy-protected CDs. CNET News.com has the details:

Sony BMG’s technology partner First 4 Internet, a British company, said Wednesday that it has released a patch to antivirus companies that will eliminate the copy-protection software’s ability to hide. In consequence, it will also prevent virus writers from cloaking their work using the copy-protection tools.

The record label and First 4 Internet will post a similar patch on Sony BMG’s Web site for consumers to download directly, the companies said.

“We want to make sure we allay any unnecessary concerns,” said Mathew Gilliat-Smith, CEO of First 4 Internet. “We think this is a pro-active step and common sense.”

This is a tiny, tiny first step, but unless they go a lot further, a lot faster, their reputation is shredded.

Free advice for Sony:

  1. Fire First 4 Internet immediately and publicly.
  2. Remaster the CDs with DRM-free versions.
  3. Offer free replacement CDs to anyone who purchased one of the rootkit-infected CDs.
  4. Provide toll-free tech support for anyone who experiences a problem with their Windows computer that they think is related to this software.

That would be a positive response.

Update: I’ve got one more idea…

Sony’s even sleazier than I thought

In the comments to my earlier post on the sleazy DRM software that Sony is pushing, Charles Arthur (who has a very cool new job) points out that I was mistaken to accuse Sony of installing this crap “without any notification or any attempt to obtain your consent.” Fair enough. As Charles points out, the original post from Mark Russinovich at Sysinternals.com includes a reference to the end-user license agreement (EULA) for the Sony DRM software that does indeed refer to a software installation and could be construed to be a notification. In fact, Russinovich’s post is unclear on this issue. He has posted a copy of the EULA for the DRM software (with a key clause highlighted in yellow), but that license agreement is not the one that pops up when you first insert the CD. To see that license agreement, read the F-Secure write-up. (I’ve posted a copy of the screen shot here.)

This is how the makers of spyware work. See anything in the first screen that says you’re about to install a hidden file-system filter driver that will run at all times and cannot be uninstalled? See the scroll box (the small handle in the scroll bar) on the right of the dialog box? Judging by the size of the box, I estimate that you would need to scroll through approximately 25 screens to read the entire license agreement, and way down at the end it includes this line: “The SONY BMG PARTIES may from time to time provide you with updates of the SOFTWARE in a manner that the SONY BMG PARTIES deem to be appropriate.”

Folks, this is how spyware makers work. They provide misleading end-user license agreements that they count on users ignoring. They fail to disclose the true purpose or impact of their product. They fail to provide removal tools. They reserve the right to update their sleazy software at any time without any further notice or consent.

It’s even worse than I thought.

Q&A: Is this license legal?

Q: I bought a box full of computer stuff at an auction yesterday. It contained a (what appears to be) retail copy of XP Home Edition (version 2002) including product key (sticker still attached to the manual). Right now I’m running Me on a custom-built PC (900 MHz Athlon) that did NOT come with any OS discs or recovery software. I meet the system requirements for running Windows XP, but… will I be able to reformat my hard drive and install this operating system? Any advice would be greatly appreciated.

A: Yes, you will be able to install that operating system. The real question is whether you will be able to activate it over the Internet. If that product key has never been used, or if it was last activated more than 120 days ago, then you probably will be able to activate. If the key has recently been used on another computer (one owned or controlled by the person from whom you bought the computer), then your online activation request will be rejected and you’ll have to talk to a representative on the phone and convince that person that you legitimately own the license.

I’m not a lawyer, so I can’t give you definitive advice on this. There are specific provisions in the Windows XP license agreement for transferring ownership. But in your case the practical concerns of activation are more important.

[Updated to correct error in grace period for activation. See the comments for more details.]

A new feature: Q&A

I get a lot of comments on this site every week, and lately it’s dawned on me that many of those comments are actually questions. I usually try to answer the question with a follow-up comment, if I can. But that means that the question and answer reach only a tiny percentage of the people who actually visit here.

So, beginning today, I have a new policy – and a new feature. If I find a question in the comments, I’ll answer it in a Q&A post, where everyone can see it and follow up on it.

And don’t feel like you have to leave a comment if you have a question. I’m also going to create an Ask Ed form and e-mail alias where you can send me questions. Those will appear in the sidebar along the right.

Coming up next, the first installment.

Tip of the day: Troubleshoot mysterious crashes

What does it mean when your system restarts for no apparent reason, or when you experience frequent program crashes and file corruption? The problem might not be with Windows at all. These baffling symptoms can be the result of a bad memory chip.

If you suspect you might have a failing memory module, Microsoft has a free downloadable memory test program that you can use:

The Windows Memory Diagnostic tests the Random Access Memory (RAM) on your computer for errors. The diagnostic includes a comprehensive set of memory tests. If you are experiencing problems while running Windows, you can use the diagnostic to determine whether the problems are caused by failing hardware, such as RAM or the memory system of your motherboard. Windows Memory Diagnostic is designed to be easy and fast. On most configurations, you can download the diagnostic, read the documentation, run the test and complete the first test pass in less than 30 minutes.

To run Windows Memory Diagnostic, you must reboot your computer with the disk or CD-ROM on which you installed Windows Memory Diagnostic in the drive. After the reboot, Windows Memory Diagnostic will load and its interface will appear. After loading, the first test pass will begin, using the default standard test suite, and continue until complete, unless Windows Memory Diagnostic is either paused or exited. Once the first test pass is complete, Windows Memory Diagnostic will begin a second test pass using the same settings as before. Windows Memory Diagnostic will continue to run test passes until you exit.

If you find a problem, try pulling the suspected memory chip and running with reduced memory for a short time. If the problems vanish, replace the memory.