[This post was co-written by J. Alex Halderman and Ed Felten.]
Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get.
The root of the problem is a serious design flaw in Sony's web-based uninstaller. When you first fill out Sony's form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony's site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission.
A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony's uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
We have constructed a demonstration code package and web page that exploits this design flaw to install unwanted files on a target computer. The exploit does not actually harm the computer, but it demonstrates that hostile code can be run on a target computer, and that the hostile code can perform operations that should be forbidden. At present we are not releasing the demonstration exploit to the public.
CodeSupport was also installed as part of the original web-based updater that Sony released to remove First4Internet's rootkit. Sony has since replaced the web-based version of the updater with a downloadable EXE or ZIP file; these are safe to use as far as we know. If you didn't use the original web-based updater, and you haven't requested the full uninstaller from Sony, then you are safe from this particular vulnerability, as far as we know.
How can you protect yourself against this vulnerability? First, for now don't accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off your machine, if it's not already there.
To see whether CodeSupport is on your computer, try our CodeSupport detector page.
If you're vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
cmd /k del "%windir%\downloaded program files\codesupport.*"
This is not an ideal solution – depending on your security settings, it may not prevent the software from installing again – but it's better than nothing. We'll have to wait for First4Internet to develop a complete patch.
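As an added example (not part of the original post or the authors' detector page), the following PowerShell script performs the same check and deletion as the Run-box command above, and can additionally set Internet Explorer's kill bit for the control's CLSID so the control cannot be loaded or silently re-installed; the CLSID is looked up from the registry rather than assumed, since the post does not give it.

```powershell
# Added example, not from the original post or the authors' detector page:
# find the First4Internet CodeSupport ActiveX control, report it, and optionally
# delete it (-Remove) and/or set Internet Explorer's "kill bit" for its CLSID
# (-KillBit) so the control can no longer be loaded or silently re-installed.
# Run from an elevated PowerShell prompt with every Internet Explorer window closed.
param(
    [switch]$Remove,
    [switch]$KillBit
)

$dpf   = Join-Path $env:windir 'Downloaded Program Files'
$files = @(Get-ChildItem -LiteralPath $dpf -Filter 'codesupport.*' -Force -ErrorAction SilentlyContinue)

if ($files.Count -eq 0) {
    Write-Output "No codesupport.* files under $dpf"
} else {
    foreach ($f in $files) {
        # The Authenticode signature only says who signed the control, not that it is safe.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        Write-Output ("{0}  modified={1}  signature={2} {3}" -f $f.FullName, $f.LastWriteTime, $sig.Status, $sig.SignerCertificate.Subject)
    }
}

# Look up the CLSIDs registered for these files: the CLSID is what a page names to
# instantiate the control, so it is what the kill bit must cover. The post does not
# give the CLSID, so it is read from the registry rather than assumed.
$targets = @($files | ForEach-Object { $_.FullName.ToLowerInvariant() })
$clsids  = @()
foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $srv = Get-ItemProperty -LiteralPath "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $srv -or -not $srv.'(default)') { continue }
        $path = $srv.'(default)'.Trim('"').ToLowerInvariant()
        if ($targets -contains $path) {
            $clsids += $key.PSChildName
            Write-Output "Registered as CLSID $($key.PSChildName) -> $($srv.'(default)')"
        }
    }
}

if ($KillBit) {
    # Compatibility Flags = 0x400 is IE's kill bit (Microsoft KB 240797). Setting it under
    # both registry views also covers 32-bit IE on 64-bit Windows.
    foreach ($compat in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility') {
        foreach ($id in $clsids) {
            $k = Join-Path $compat $id
            if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
            Set-ItemProperty -LiteralPath $k -Name 'Compatibility Flags' -Value 0x400 -Type DWord
            Write-Output "Kill bit set for $id under $compat"
        }
    }
}

if ($Remove) {
    foreach ($f in $files) {
        # Deleting fails with "access denied" while a running IE process still has the
        # control loaded (one common cause of that error); close IE first.
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "Deleted $($f.FullName)"
    }
}
```

Run it once without switches to see what is present and which CLSIDs point at the file, then again with -KillBit and/or -Remove.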
UPDATE: USA Today reports that Sony will recall the affected CDs. Discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week. We hope the plan will include distribution of cleanup tools to customers who still have potentially dangerous XCP software on their machines.

Careful guys: That test link to reboot the machine will actually prompt some machines to install the First4Internet plugin.
[Thanks! We've taken down the link and will post a safe alternative. -- Ed Felten]
[...] It looks as though the uninstaller, as claimed last night, does have more serious implications than the original rootkit in Sony’s continuing DRM nightmare. Basically, the uninstaller will allow any web page to run arbitrary code and/or remotely control your PC, which is sort of the holy grail of remote exploits. The ActiveX control called CodeSupport that is required to get the uninstaller is the culprit here. It remains on the system after uninstall and is marked safe for scripting. [...]
Sony DRM code violates open source LGPL license and uninstaller opens a big security hole!
This story just keeps getting weirder and weirder!
A Dutch article is now reporting that the Sony DRM spyware application contains code from the LAME MP3 encoder project, which is licensed under LGPL (perhaps part of a detection routine to circumve...
I keep seeing references to that article on dewinter.com saying that the Sony/F4I DRM/rootkit breaches the LGPL or GPL by using parts of LAME without abiding by the license agreement. But every story I've seen on the web makes the claim and links to the dewinter.com article without attempting to verify it.
Have you guys made such verification attempts yet, or do you know of someone else who has?
Never mind, found it.
Well, my reboot demo is as dangerous as the uninstall request link that's also in the article. It, too, will prompt to install the ActiveX control. I just copy-pasted the HTML from there, so it's identical. A safer demonstration would make sense, though; rebooting the system isn't really a nice thing :)
SONY IV - the return of the emperor
Sony has surrendered, and is recalling their DRM-tainted CDs. They have an uninstaller that removes their spyware. The good side is finally triumphant.
But is it? Turns out they left you with an even bigger
You know, Sony is only missing some SCO code in there to be complete....
I'm surprised nobody's picked up on this angle to the story: Here's First4Internet's other flagship product:
"ICA™ Image Composition Analysis: ICA technology accurately detects pornographic and inappropriate images and text in digital data transmission providing effective filtering solutions for email, websites and Internet chatrooms."
Don't I recall hearing that this had been debunked a few years ago? Does anybody believe this actually works?
Should we be surprised at the ethics and quality of XCP (and the XCP remover), given that it comes from the same shop as ICA?
The cure worse than the cause?
Analysis of cached DNS queries shows that the malware is installed on more than half a million computers in at least 165 countries:
http://www.doxpara.com/
I have one question about this mess. Sony is both a content company and a consumer electronics company. In particular, they make CD & DVD drives for personal computers, for instance:
http://cnet.search.com/search?chkpt=astg.cnet.fd.search.cnet&q=sony+inte...
Is it possible that the bundled drivers for these products could include similar rootkit/spyware/use restriction technology? Has anybody in the press even ASKED Sony whether they do? Or what about their Vaio product line - could these have the same junk pre-installed at the factory?
I have a Sony CD-RW drive that I bought in 2000, but I'd be very reluctant to purchase any new computer hardware or software from them -- or even install a product patch or update -- unless Sony clearly promises not to sneak any DRM-related restrictionware into their products.
[...] Sony to recall all XCP DRM Music CD’s. With the revelation that the web uninstall ActiveX control is a greater security risk than the original Rootkit, it makes the mind boggle at where this will go next. Sony have released an update that is now in downloadable .exe or .zip format. If you were one of the people unfortunate enough to have had their favorite music do this to your personal computer, I am very sorry you have had to endure this. Freedom to Tinker has a post pointing to USAToday, who have posted an article regarding Sony doing a full-product recall of all CD’s containing First4Internet’s XCP DRM software. [...]
I haven't seen it covered much in this blog entry or in the comments, but the fact is that First4Internet's/Sony's web uninstaller is even more nefarious than the original rootkit.
http://www.freedom-to-tinker.com/?p=927
By going through the uninstall process, you are supposed to feel more protected as you just got rid of nasty malware. Well you are now open to all sorts of new exploits, and you are supposed to think you are protected again.
Amazing how the programmers at First4Internet are so incompetent and continue to introduce security holes onto your system.
[...] More details about the exchange program will be posted on Sony-BMG’s website later this week. CDs with the rootkit can be identified by the text "?cp.sonybmg.com/xcp" on the reverse of the CD itself, or the text "cp.sonybmg.com/xcp" in the URL on the bottom or right side of the CD case. Those who have been infected by Sony’s malware should use caution when using Sony’s "patch." According to security researchers, the web-based install of Sony’s "patch" opens users up to an entirely different security risk, one that is even worse than the original rootkit. The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get. The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission. [...]
[...] lordy, lordy: first, sony installed malware on your computer, then it turns out their removal kit opens up a massive security breach. The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get. so they screw you up front, and then they fuck you in the backdoor. sweet. [...]
Sometimes I like to eat cheese, often with crackers.
I hope this won't affect my ability to enjoy cheese and crackers.
Bob
All that's left is for sony to burn my house down.
[...] It gets worse: Sony’s Web-Based Uninstaller Opens a Big Security Hole, and the Sony / xcp-aurora rootkit has infected at least one machine on more than 500,000 networks, including military and gov networks! Way to go Sony! Script kiddies have nothing on you. Perhaps Sony should be charged with compromising National Security (pick a country, any country) [...]
[...] The ‘Freedom to Tinker’ blog reports: Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit. [...]
[...] And things just keep getting uglier for Sony BMG in the rootkit/DRM affair. If 500 thousand networks with at least 1 infected machine weren't bad enough… the DRM uninstaller opens a security hole. Way to go, Sony BMG! [...]
Hey Sony — wake up
Here’s a column I posted at globeandmail.com about Sony’s DRM rootkit fiasco:
“For a company that has so much great technology behind it, including a number of firsts like the compact disc and the portable music player, Sony Corp. ...
[...] Here we go again, the software Sony provided to remove the rootkit has a security hole. This is how you install the malicious code. [...]
[...] On November 11, Sony issued a statement that still refused to admit any error but promised to stop installing the rootkit on new CDs. As for the CDs still on sale, and the hundreds of thousands of computers that may already be infected, Sony gave no further response at the time. Sony then released a web-based uninstaller so that people could remove the rootkit. But on November 13 the Finnish researcher Muzzy discovered that the uninstaller "makes a bigger mess the more it stirs": at worst it lets hackers break into your computer through a web page. [...]
Sony backs down - a teensy bit
The flaw in the uninstaller is revealed: Sony uses an ActiveX control (known as “CodeSupport”) as part of the process, which is marked “Safe for scripting” and left on your computer, leaving it wide open to attack from dodgy web sites. What a ...
[...] The Princeton team has a blog entry here at Freedom-to-Tinker.com that has more details as well as tips and tools for detecting and deleting CodeSupport. [...]
I'm just beyond frustrated!!! I bought stupid Neil Diamond's new CD and now I've got to deal with this. I've trusted everything that Sony/BMG has told me to what end? I downloaded the patch and I've used the uninstall form. Sheesh.
So now I've tried deleting the codesupport components and I keep getting access denied. So yeah....any help would be appreciated.
I primarily use Firefox not IE. Does this offer any protection or am I pretty much screwed until something reliable comes out to remove this vulnerability?
I almost installed Sony's ActiveX uninstaller until I saw that it was written by First4Internet, the same people that wrote the original rootkit. I said, "you have to be kidding!". There was no way that I was going to let the same company that put a rootkit on my computer also install an ActiveX program. I dodged that bullet with a little common sense. Fool me once, shame on you. Fool me twice, shame on me! And of course, shame on you Sony for doing this in the first place. I'm waiting to remove the rootkit until I'm convinced that the removal code is finally written well and correctly, and that it has been verified.
You know, if a kid did this, they'd have put him in jail for writing a virus. Isn't the whole entirety of Sony's actions frankly illegal?
Lawyers feel free to pipe in. This whole thing is so offensive I can't even begin.
Wonder how many damage suits this could start. You don't have to win to sue.
I've been saying all along that it's a mistake to call the software implementing the Sony DRM a "rootkit". It's cloaking software. That may be a component of your typical rootkit, and a component that isn't found in anything but rootkits, but it's not a rootkit.
The web uninstaller is much more of a rootkit. Unfortunately, having abused the term "rootkit", people are going to sound like the little boy who cried "wolf" on this one.
Sad that Sony didn't see this themselves.. Nick, if you are in need of help please e-mail me; blitze105 @yahoo.com is my e-mail. (don't forget to remove the space!)
[...] Luckily, there are instructions to remove the ActiveX control that is a source of this vulnerability. You can also test your system to see if it is vulnerable by going to the CodeSupport detector page. [...]
[...] This is not before time - their initial response was to offer an almost unusable uninstaller, which when it did uninstall, it created a big security hole on the pc it ran on! You couldn’t make this stuff up! [...]
Reminds me of a line from the theme song from MASH:
"And suicide is painless"
What we are seeing here is incompetence above and beyond the call of duty.
"Sad that sony didn’t see this themselves.. Nick if you are in need of help please e mail me blitze105 @yahoo.com is my e mail. (don’t forget to remove the space!)"
Who says Sony/First4Internet didn't see this? Can you think of a better "punishment" (in their eyes) for those ungrateful people who want to remove the rootkit on their system?
And it IS a root kit. It bypasses and redirects kernel functions and low level OS and hardware access. The activeX app is not a rootkit but it does leave you extremely vulnerable to having another one installed on your system (perhaps even by the Sony/First4Internet sites before you leave).
Has anyone found out where this company "First4Internet" is from? Who the people are? Everything they've done looks so ridiculously fishy--both the initial DRM and the CodeSupport--that it doesn't seem farfetched at all that they either are in cahoots with hackers or are themselves a hacking group. Sheesh, how about that for a story? They develop malicious code and disseminate it not through emails, how passé, but through CDs produced by a megacorporation that people have to PAY FOR. Oh man, that be one for the history books
[...] The cooler, geekier part of the story is that a dude who’s a professor of computer science at Princeton is the Washington Post’s chief source for this. Man, what would the rest of the world do without geeks to keep our computers running? Do yourself and a geek a favor and hug one today. if you squint your eyes just right you can see dom @ 10:41 pm [...]
[...] Freedom to Tinker » Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs Since Sony’s XCP copy protection scheme for its CD’s was such a bad idea (raising privacy concerns and exposing users to hackers), Sony distributed an uninstaller for its offending XCP software. [...]
http://www.sony.com/SonySearch/Search.jsp?mode=go&pst=Shit&pti=0&psti=0&...
Go to internet options, general tab, temporary internet files, settings button, see objects. Look for it and right click to remove.
Notes:
I'm on a non-English version of Windows, so I'm guessing some names.
Browsing with Firefox is safe because FF is not based on ActiveX technology.
Removing the ActiveX obviously doesn't remove any virusware that might have hit your system.
You have an alternate uninstaller for the rootkit at Sophos:
http://www.sophos.com/support/disinfection/rkprf.html
On behalf of all of us who love using tech, but are soooo NOT 'techies': Thanks VERY much to everyone and especially Messrs. Halderman and Felten, and 'Muzzy'. :)
[...] Well, true to their word … and it’s sad information really for the frustrated and vulnerable users of Sony’s XCP ‘protected’ CDs. Earlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete. [...]
Microsoft free desktop search (and blue screens of death gallery)
In today's IT Blogwatch, we look at Microsoft's latest offering: an enterprise desktop search solution. Not to mention a gallery of blue screen of death photos ...
A Windows Enterprise Desktop Search tool made its "hola" in Spain...