Update: Sony Uninstaller Hole Stays Open

Earlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete.

Sony's web-based uninstaller is a three-step process:

  1. You fill out an uninstall request on Sony's web site.
  2. Sony sends you an email with a link to a second request form. When you follow this link, Sony's site automatically installs a piece of software–an ActiveX control created by First4Internet–called CodeSupport.
  3. After a delay, Sony sends another email with a link to a third web page that removes the copy protection software. However, the CodeSupport component remains on your computer indefinitely.

Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously performed at least step 2 of Sony's uninstall process, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

You can tell whether you are vulnerable by visiting our CodeSupport detector page.

If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.
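A defender's check for the situation above, added here and not part of the original post: it searches the registry for a registered ActiveX control whose server binary is named like CodeSupport (the page gives neither the control's CLSID nor its file name, so matching on that name is an assumption) and reports whether Internet Explorer's kill bit is set for it. Setting the kill bit, which stops IE from instantiating a CLSID even if a later page tries to reinstall it, is my suggested mitigation, not one from the post; run it in an elevated PowerShell on the affected machine.

```powershell
# Added example, not from the original post: find any registered ActiveX control
# whose in-process server binary is named like "CodeSupport" and report whether
# Internet Explorer's kill bit (Compatibility Flags 0x400) is set for it.
# Assumed: the control's file name contains "CodeSupport"; its CLSID is unknown.

$killBitFlag = 0x400
$compatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Find-SuspectControls {
    param([string]$NamePattern = 'CodeSupport')
    $results = @()
    foreach ($clsidKey in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        # InprocServer32's default value is the DLL/OCX path the control loads from
        $server = Get-ItemProperty -Path "$($clsidKey.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($null -eq $server) { continue }
        $path = $server.'(default)'
        if (-not $path -or $path -notmatch $NamePattern) { continue }
        $clsid = $clsidKey.PSChildName
        $flags = (Get-ItemProperty -Path "$compatRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        $results += [pscustomobject]@{
            CLSID      = $clsid
            ServerPath = $path
            KillBitSet = ($null -ne $flags) -and (($flags -band $killBitFlag) -ne 0)
        }
    }
    return $results
}

function Set-KillBit {
    # Tells IE never to instantiate this CLSID, even if the file stays on disk
    # or a web page later tries to install the control again.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $compatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $killBitFlag `
        -PropertyType DWord -Force | Out-Null
}

$found = Find-SuspectControls
if (-not $found) {
    Write-Host "No ActiveX control matching 'CodeSupport' is registered on this machine."
}
foreach ($control in $found) {
    $control | Format-List
    if (-not $control.KillBitSet) {
        Set-KillBit -Clsid $control.CLSID
        Write-Host "Kill bit set for $($control.CLSID)"
    }
}
```

Review the reported ServerPath before trusting a match, since the name filter is a heuristic and could catch an unrelated control with a similar file name.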

UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form (step 1, above). In its place is the following message:

November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.

This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk.

Watching Sony respond to this situation has been extremely disappointing for me. I currently own many Sony products and I am hoping (wishing and praying actually) that Sony will change course so that they will not deserve to become the target of a boycott. I have been a fan and major customer of Sony for most of my adult life, but I am not blind. I see that Sony has not been profitable for some time, and to an outside observer it looks as though they are becoming increasingly desperate and are making more and more decisions that seem unwise and rushed. I think that you are doing the right thing with this blog. Hopefully pressure from the gadget buying public will cause Sony and other corporations to act more responsibly and value the consumer more.

It had to happen sometime. Congrats on reporting useful information so consumers can make informed decisions on who to buy from.
I'm unsympathetic to Sony.
The people who made the choices to inflict this software on their own customers betrayed both their customers and Sony itself by acting irresponsibly. Sony management who supported the decision should be sacked.
I have no objection if Sony makes things right, but until then I will not buy Sony products, support Sony products, or positively influence others regarding purchase of Sony products.

Does anyone know if this same hole exists when removing Sony's other DRM software - SunnComm MediaMax? If this is the case, the problem could be many times larger.

You advise to "avoid using Internet Explorer" (good advice!), but your own detector page complains that you need to use that despicable browser to access the page!

Dan--

I concede that it's ironic, but the detector can't tell whether the ActiveX control is installed if the browser doesn't have ActiveX support.

The behavior of the CodeSupport ActiveX control reminds me very much of the Yahoo! Toolbar installer. To install the Yahoo! Toolbar, you must first install an ActiveX control called "Yahoo! Installation Helper", which is basically a control that allows all ActiveX controls from the Yahoo! website to install on IE without a security prompt. I first found this out after I installed the toolbar and then uninstalled it. The toolbar was gone, but a strange ActiveX control remained that was signed by Yahoo!. I then realized that if I went to any Yahoo! webpage that uses ActiveX, any new ActiveX controls would be installed without prompting. I wonder if their ActiveX control exhibits the same vulnerabilities as the First4Internet one.

Sony has removed the uninstaller from its site.

You can no longer uninstall Sony XCP DRM

The Sony uninstaller request page now says:
November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this sof...

The request form does not automatically install the ActiveX control. It asks the user to install the ActiveX control. (Depending, of course, on the security settings of the user...)

Looks like Muzzy's friend got proof that Sony / F4I have indeed breached the LGPL:

http://www.the-interweb.com/serendipity/index.php?/archives/52-Is-Sony-i...
http://www.the-interweb.com/serendipity/index.php?/archives/51-Is-Sony-i...

So, in order to protect copyright they have breached copyright!

[...] A solution to remove the software is located at Freedom to Tinker and more information can be found on CNN.com and Yahoo! News [...]

A train of Sony Flaws and an Owl Hoots!

Hello World, I just let Sony stuff pass for a day and Boom. So much news! I just finished reading Brian Krebs' writings and man, he is a busy one. So is "Freedom to Tinker". There are a bunch of must-read articles. He is a Google News featured guy! T...

Has anyone seen a list of CDs that contain the XCP rootkit?

For those interested in writing and/or posting on repealing the Digital Millennium Copyright Act as a result of the Sony debacle:
------------------------------------------------------------------------------
F. James Sensenbrenner, Jr., Chairman
Committee on the Judiciary
U.S. House of Representatives
2138 Rayburn House Office Building
Washington, DC 20515

http://judiciary.house.gov/default.aspx

------------------------------------------------------------------------------
Joe Barton, Chairman
The Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515

http://energycommerce.house.gov/

------------------------------------------------------------------------------
Arlen Specter, Chairman
Committee on the Judiciary
U.S. Senate
224 Dirksen Senate Office Building
Washington, DC 20510

http://judiciary.senate.gov/

------------------------------------------------------------------------------
Senator Ted Stevens, Chairman
Senate Committee on Commerce, Science, and Transportation
U.S. Senate
508 Dirksen Office Building
Washington, DC 20510

http://commerce.senate.gov/
------------------------------------------------------------------------------

Response to Hayhurst. Nov. 9th list of CDs http://www.eff.org/deeplinks/archives/004144.php

[...] Even the installer isn’t all that hot… [...]

[...] Secondly, Sony’s uninstaller, as you may have heard, is possibly worse than the actual malware itself. [...]

Matti Nikki has done all the work to reveal this, so don't take the credit for it.
Aikka

Any recent updates on this?? We've just fallen victim to Sunncomm Mediamax... Desperately in need of a solution...
