Earlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete.
Sony’s web-based uninstaller is a three step process:
- You fill out an uninstall request on Sony’s web site.
- Sony sends you an email with a link to a second request form. When you follow this link, Sony’s site automatically installs a piece of software, an ActiveX control created by First4Internet, called CodeSupport.
- After a delay, Sony sends another email with a link to a third web page that removes the copy protection software. However, the CodeSupport component remains on your computer indefinitely.
Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously performed at least step 2 of Sony’s uninstall process, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
You can tell whether you are vulnerable by visiting our CodeSupport detector page.
If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.
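A defensive complement to removal, added here as an example and not part of the original post or of Sony's or First4Internet's tooling: rather than relying on the uninstall instructions alone, an administrator can set Internet Explorer's documented "kill bit" on the control's CLSID so IE refuses to instantiate it even if the DLL is still present or is registered again. The script assumes the control's registered server DLL path contains the name "CodeSupport" (the only name the post gives); the CLSID is discovered at run time rather than hard-coded.

```powershell
# Added example, not code from the original post.
# Find registered COM classes whose in-process server DLL path contains
# "CodeSupport" (assumption based on the name given in the post) and set the
# Internet Explorer kill bit (Compatibility Flags = 0x400) on each CLSID.
# Run from an elevated PowerShell prompt.

$pattern     = 'CodeSupport'
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Enumerate every registered CLSID and keep those whose InprocServer32
# default value (the DLL path) matches the pattern.
$found = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)' -like "*$pattern*") {
            [pscustomobject]@{ Clsid = $_.PSChildName; Dll = $server.'(default)' }
        }
    }

if (-not $found) {
    Write-Output "No registered control matching '$pattern' was found."
    return
}

foreach ($control in $found) {
    Write-Output "Found $($control.Clsid) -> $($control.Dll)"
    $key = Join-Path $killBitRoot $control.Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # 0x400 is the documented kill-bit value; IE will not load this CLSID.
    New-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value 0x400 -Force | Out-Null
    Write-Output "Kill bit set for $($control.Clsid)"
}
```

The kill bit blocks instantiation from IE only; the DLL itself should still be removed per the earlier instructions, and the CLSID list printed by the script is worth keeping as a record of what was blocked.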
UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form (step 1, above). In its place is the following message:
November 15th, 2005 – We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.
This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk.
Any recent updates on this?? We’ve just fallen victim to Sunncomm Mediamax… Desperately in need of a solution…
Matti Nikki has done all the job to reveal this, so don’t take the credit for it.
Aikka
Response to Hayhurst. Nov. 9th list of CDs http://www.eff.org/deeplinks/archives/004144.php
For those interested in writing and/or posting on repealing the Digital Millennium Copyright Act as a result of the Sony debacle:
——————————————————————————
F. James Sensenbrenner, Jr., Chairman
Committee on the Judiciary
U.S. House of Representatives
2138 Rayburn House Office Building
Washington, DC 20515
http://judiciary.house.gov/default.aspx
—————————————————————–
Joe Barton, Chairman
The Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515
http://energycommerce.house.gov/
—————————————————————————————–
Arlen Specter, Chairman
Committee on the Judiciary
U.S. Senate
224 Dirksen Senate Office Building
Washington, DC 20510
http://judiciary.senate.gov/
—————————————————————————
Senator Ted Stevens, Chairman
Senate Committee on Commerce, Science, and Transportation
U.S. Senate
508 Dirksen Office Building
Washington, DC 20510
http://commerce.senate.gov/
————————————————————————————————
Has anyone seen a list of CDs that contain the XCP rootkit?
Looks like Muzzy’s friend got proof that Sony / F4I have indeed breached the LGPL:
http://www.the-interweb.com/serendipity/index.php?/archives/52-Is-Sony-in-violation-of-the-LGPL-Part-II.html
http://www.the-interweb.com/serendipity/index.php?/archives/51-Is-Sony-in-violation-of-the-LGPL.html
So, in order to protect copyright they have breached copyright!
The request form does not automatically install the Active-X. It asks the user to install the Active-X. (Depending, of course, on the security settings of the user…)
You can no longer uninstall Sony XCP DRM
The Sony uninstaller request page now says:
November 15th, 2005 – We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this sof…
Sony has removed the uninstaller from its site.
The behavior of the CodeSupport ActiveX control reminds me very much of the Yahoo! Toolbar installer. To install the Yahoo! Toolbar, you must first install an ActiveX control called “Yahoo! Installation Helper”, which is basically a control that allows all ActiveX controls from the Yahoo! website to install on IE without a security prompt. I first found this out after I installed the toolbar and then uninstalled it. The toolbar was gone, but a strange ActiveX control remained that was signed by Yahoo!. I then realized that if I went to any Yahoo! webpage that uses ActiveX, any new ActiveX controls would be installed without prompting. I wonder if their ActiveX control exhibits the same vulnerabilities as the First4Internet one.
Dan–
I concede that it’s ironic, but the detector can’t tell whether the ActiveX control is installed if the browser doesn’t have ActiveX support.
Does anyone know if this same hole exists when removing Sony’s other DRM software – SunnComm MediaMax? If this is the case, the problem could be many times larger.
It had to happen sometime. Congrats on reporting useful information so consumers can make informed decisions on who to buy from.
I’m unsympathetic to Sony.
The people who made the choices to inflict this software on their own customers betrayed both their customers and Sony itself by acting irresponsibly. Sony management who supported the decision should be sacked.
I have no objection if Sony makes things right, but until then I will not buy Sony products, support Sony products, or positively influence others regarding purchase of Sony products.
Watching Sony respond to this situation has been extremely disappointing for me. I currently own many Sony products and I am hoping (wishing and praying actually) that Sony will change course so that they will not deserve to become the target of a boycott. I have been a fan and major customer of Sony for most of my adult life, but I am not blind. I see that Sony has not been profitable for some time, and to an outside observer it looks as though they are becoming increasingly desperate and are making more and more decisions that seem unwise and rushed. I think that you are doing the right thing with this blog. Hopefully pressure from the gadget-buying public will cause Sony and other corporations to act more responsibly and value the consumer more.