April 19, 2024

Archives for November 2005

Sony, First4 Knew About Rootkit Issue in Advance

Security vendor F-Secure contacted SonyBMG and First4Internet about the companies’ rootkit software on October 4 – about four weeks before the issue became public – according to a Business Week story by Steve Hamm.

Here’s the key part of the article’s chronology:

Nevertheless, Sony BMG asked First4Internet to investigate. Both Sony BMG and F-Secure say that it was on Oct. 17 that F-Secure first spelled out the full scope of the problem to Sony. The security company’s report on the matter, sent that day to First4Internet and Sony BMG, confirmed there was a rootkit in XCP and warned that it made it possible for hackers to hide viruses and protect them from antivirus software products. F-Secure referred to XCP as a “major security risk,” according to a copy of the e-mail supplied to BusinessWeek Online by F-Secure.

Sony BMG says it asked the two software companies to investigate and find a solution to the problem. “From the moment our people learned that F-Secure had identified a potential problem we contacted our vendor and in no uncertain terms told them you have to get with F-Secure and find out what needs to be done about it,” says Daniel Mandil, Sony BMG’s general counsel.

BOGGED DOWN. What happened next is in dispute. F-Secure had a conference call with executives of First4Internet on Oct. 20. It says First4Internet argued that there was no real problem because only a few people knew of the vulnerability XCP created, and said an update of the XCP software, due out early next year, would fix the problem on all future CDs.

At first glance, this looks like a standard story about disclosure of a security vulnerability: vendor ships insecure product; researchers report flaw privately; vendor drags feet; researchers report flaw publicly; problem fixed right away. The story features the classic vendor error of seeing insecurity as a public relations problem rather than a customer safety issue: “there was no real problem because only a few people knew of the vulnerability”.

But if we read this as just another vulnerability disclosure, we’re missing an important part of the story. In the usual case, the security vulnerability exists by mistake – the vendor doesn’t know the vulnerability exists until somebody points it out. Here, the rootkit-like functionality was not a mistake but a deliberate design decision by the vendor.

Which suggests the question of what exactly F-Secure was disclosing to Sony and First4Internet, or more precisely what it was disclosing that they didn’t already know. They must have known about the rootkit already – it was a design decision they had made – and if they had any kind of clue they would have known that users would hate having a rootkit on their machines, especially one that provided an obvious hiding place for other malware. As far as I can see, the only new information F-Secure would have disclosed was that F-Secure planned to treat the program as malware.

It’s interesting, too, that other makers of anti-malware tools didn’t seem to notice the problem until Mark Russinovich’s public disclosure. As of mid-September, this malware had been on the market for months and presumably had been installed on hundreds of thousands of computers, but still none of the anti-malware vendors had discovered it. (According to the Business Week article, F-Secure didn’t discover the malware itself, but learned of it on Sept. 30 from John Guarino, a computer technician in New York who had discovered it on several clients’ computers.) It’s not a good sign that all of the major anti-malware vendors missed it for so long.

Finally, we have to consider the possibility that Sony and First4Internet understood the significance of the rootkit, but simply felt that copy protection trumped users’ security. First4Internet probably held that view – otherwise it’s hard to explain their design decision to deploy rootkit functionality – and Sony may well have held it too. We know already that entertainment companies want to redesign our computers in the hope (which is ultimately futile) of stopping copying. From there, it’s not so large a step to decide that users’ security simply must be sacrificed on the altar of copy protection.

What did SonyBMG know, and when did it know it? We’ll find out more as the lawsuits proceed.

MediaMax Permanently Installs and Runs Unwanted Software, Even If User Declines EULA

In an earlier post I described how MediaMax, a CD DRM system used by Sony-BMG and other record labels, behaves like spyware. (MediaMax is not the same as XCP, the technology that Sony-BMG has recalled; Sony-BMG is still shipping MediaMax discs.) MediaMax phones home whenever you play a protected CD, automatically installs over 12 MB of software before even displaying an End User License Agreement, and fails to include an uninstaller.

Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs. I had believed that MediaMax didn’t permanently activate this driver—set it to run whenever the computer starts—unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse that I had thought.

In the comments to our last MediaMax story, reader free980211 pointed out that the driver sometimes becomes permanently activated if the same protected CD is used more than once, even if the user never agrees to the EULA. This wasn’t apparent from my earlier tests because they were conducted under tightly controlled conditions, with each trial beginning from a fresh Windows installation and involving only carefully scripted operations. I’ve performed further tests and can now confirm that MediaMax is permanently activated in several common situations in spite of explicitly withheld consent.

When this happens depends on what version of MediaMax is being used. An older version, called CD-3, was introduced in 2003 and is present on albums released as recently as this summer. There is also a newer version, MediaMax MM-5, which has been shipping for a little over a year. You can tell which version is on a CD by examining the files in the disc’s root directory. Albums protected by MediaMax CD-3 contain a file called LAUNCHCD.EXE, while MM-5 albums include a file named PlayDisc.exe.

When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature). This installer places the copy protection driver and other files on the hard disk, and then presents a license agreement, which you are asked to accept or decline. In the following scenarios the driver may become permanently activated even if you always decline the agreement:

  • You insert a CD-3 album, then later insert an MM-5 album
  • You insert an MM-5 album, then later insert a CD-3 album
  • You insert an MM-5 album, reboot, then later insert the same album or another MM-5 album

These steps don’t have to take place all at once. They can happen over a period of weeks or months.

This is bad news for people who like to play CDs in their computers. Many users are unaware that their CDs contain MediaMax until the license agreement appears on their screens, but by this time it may be too late to stop the driver from being permanently activated. Even if users are careful to decline the EULA every time, the circumstances when the software becomes active anyway are common enough to be practically inevitable.

This may be an annoyance to music fans—unless you disable the driver, you’ll have a hard time playing any MediaMax-protected titles, let alone copying them to your iPod—but it’s also a security risk, since the driver is loaded as part of the Windows kernel and has the ability to control virtually any aspect of the computer’s operation. We don’t know whether the MediaMax driver contains any vulnerability that can be exploited to do further damage, but the way it is installed creates a dangerous precedent.

Is this behavior illegal? It should be. Installation of system level software where the user has explicitly denied permission raises serious security concerns and is wrong.

What Does MediaMax Accomplish?

I wrote yesterday about the security risks imposed by the SunnComm MediaMax copy protection technology that ships on some Sony CDs. (This is not to be confused with the XCP technology that Sony recalled.) MediaMax advocates may argue that it’s okay to impose these security risks on users, because MediaMax effectively prevents copying of music. Which raises an obvious question: How effective is MediaMax, really, in stopping copying?

The answer: Not very.

MediaMax reportedly can be defeated by the well-known trick of drawing a circle around the outer edge of the CD with a felt-tip pen, or covering the outer edge with tape.

MediaMax can be defeated by the well-known trick of holding down the Shift key while inserting the CD.

MediaMax can be defeated by the well-known trick of rebooting the computer after inserting the CD.

(These first three attacks don’t work if MediaMax is installed on the user’s computer. But MediaMax has released an uninstaller than anyone can use.)

MediaMax can be defeated by the well-known trick of not using a Windows PC. (Amusingly, Mac users are allowed to install MediaMax if they want to. To do this, the user has to browse the CD and double-click a MediaMax installer icon which might as well be labeled “Click here to make this CD less useful.” Users who are smart enough not to do this can access the music normally.)

MediaMax can be defeated by telling Sony you want to move the music into iTunes or an iPod. They will then send you instructions for defeating MediaMax by making an unprotected copy of the CD.

All this, and I haven’t even started talking about the details of how the MediaMax technology works and any detailed flaws in its operation.

The bottom line: MediaMax makes your computer less secure and your music less available for lawful use, while achieving very little against pirates.

More Suits Filed; MediaMax Insecurity Remains

Yesterday two lawsuits were filed against Sony, by the Texas Attorney General and the EFF. The Texas suit claims that Sony’s XCP technology violates the state’s spyware law. The EFF suit claims that two Sony technologies, XCP and MediaMax, both violate various state laws.

One interesting aspect of the EFF suit is its emphasis on MediaMax. Most of the other lawsuits have focused on Sony’s other copy protection technology, XCP. The EFF suit does talk about XCP, but only after getting through with MediaMax. Emphasizing MediaMax seems like a smart move – while Sony has issued an apology of sorts for XCP and has recalled XCP discs, the company is still stonewalling on MediaMax, even though MediaMax raises issues almost as serious as XCP.

As Alex wrote last week, MediaMax is spyware: it installs software without notice or consent; it phones home and sends back information without notice or consent; and it either doesn’t offer an uninstaller or makes the uninstaller difficult to get and use. MediaMax lacks the rootkit-like feature of XCP, but otherwise MediaMax shares all of the problems of XCP, including serious security problems with the uninstaller (mitigated by the difficulty of getting the uninstaller; see above).

But even if all these problems are fixed, the MediaMax software will still erode security, for reasons stemming from the basic design of the software.

For example, MediaMax requires administrator privileges in order to listen to a CD. You read that right: if you want to listen to a MediaMax CD, you must be logged in with enough privileges to manipulate any part of the system. The best practice is to log in to an ordinary (non-administrator) account, except when you need to do system maintenance. But with MediaMax, you must log in to a privileged account or you can’t listen to your CD. This is unnecessary and dangerous.

Some of the security risk of MediaMax comes from the fact that users are locked into the MediaMax music player application. The player app evades the measures designed to block access to the music; and of course the app can’t play non-MediaMax discs, so the user will have to use multiple music players. Having this extra code on the system, and having to run it, increases security risk. (And don’t tell me that music players don’t have security bugs – we saw two serious security security bugs in Sony music software last week.) Worse yet, if a security problem crops up in the MediaMax player app, the user can’t just switch to another player app. More code, plus less choice, equals more security risk.

Worse yet, one component of MediaMax, a system service called sbcphid, is loaded into memory and ready to run at all times, even when there is no disc in the CD drive and no music is being played. And it runs as a kernel process, meaning that it has access to all aspects of the system. This is another component that can only add to security risk; and again the user has no choice.

It’s important to recognize that these problems are caused not by any flaws in SunnComm and Sony’s execution of their copy protection plan, but from the nature of the plan itself. If you want to try to stop music copying on a PC, you’re going to have to resort to these kinds of methods. You’re going to have to force users to use extra software that they don’t want. You’re going to have to invoke administrator privileges more often. You’re going to have to keep more software loaded and running. You’re going to have to erode users’ ability to monitor, control, and secure their systems. Once you set off down the road of copy protection, this is where you’re going to end up.

Does Sony's Copy Protection Infringe Copyrights?

The Sony copy protection debacle has so many angles that the mainstream press is having trouble keeping track of them all. The rootkit. The spyware. The other spyware. The big security hole. The other big security hole. It’s not surprising, then, that at least one important angle has gone nearly undiscussed in the mainstream press: the likelihood that the Sony/First4Internet XCP copy protection software itself infringes several copyrights. (Note to geeks: Slashdot doesn’t qualify as the mainstream press.)

Matti Nikki (a.k.a. Muzzy) and Sebastian Porst have done great work unearthing evidence pointing to infringement. They claim that the code file ECDPlayerControl.ocx, which ships as part of XCP, contains code from several copyrighted programs, including LAME, id3lib, mpglib, mpg123, FAAC, and most amusingly, DVD-Jon’s DRMS.

These are all open source programs. And of course open source is not the same as public domain. Open source programs are distributed with license agreements. If you copy and redistribute such a program, you’re a copyright infringer, unless you’re complying with the terms of the program’s license. The licenses in question are the Free Software Foundation’s GPL for mpg123 and DRMS, and the LGPL for the other programs. The terms of the GPL would require the companies to distribute the source code of XCP, which they’re certainly not doing. The LGPL requires less, but it still requires the companies to distribute things such as the object code of the relevant module without the LGPL-protected code, which the companies are not doing. So if they’re shipping code from these libraries, they’re infringing copyrights.

How strong is the evidence of infringement? For some of the allegedly copied programs, the evidence is very strong indeed. Consider this string of characters that appears in the XCP code:

FAAC – Freeware Advanced Audio Coder (http://www.audiocoding.com/). Copyright (C) 1999,2000,2001 Menno Bakker.

Porst also reports finding many blocks of code that appear to have come from FAAC. Porst claims equally strong evidence of copying from mpglib, LAME, and id3lib. This evidence looks very convincing.

He also points to evidence of copying from DRMS, which doesn’t look quite as strong, though it is very suggestive. (There are extensive similarities between DRMS and the XCP code, but because DRMS implements a decryption algorithm that offers fewer implementation choices than ordinary code does, it’s easier to imagine that similarities might have arisen by chance. I would have to study the two programs in more detail to say more. But let me reiterate that the DRMS evidence is at least very suggestive.)

The upshot of all this is that it appears the authors of at least some of these programs can sue First4Internet and Sony for copyright infringement. First4Internet wrote the allegedly infringing software and gave it to Sony, and Sony distributed the software to the public. Sony might not have known that the code they were shipping infringed, but according to copyright lawyers, there is strict liability for copyright infringement, meaning that lack of knowledge is not a defense against liability. (Lack of knowledge might reduce the damages.) So both companies could face suits.

The big question now, I suppose, is whether any of the copyright holders will sue. The developers of LAME wrote an open letter to Sony, saying that they’re not the suing type but they expect Sony to resolve the situation responsibly. They don’t say exactly what this means, but I expect they would be happy if Sony recalls the affected CDs (which it is already doing) and doesn’t ship XCP anymore. To my knowledge, we haven’t heard from the other copyright owners.

Being accused of infringement must be horribly embarrassing for Sony, given the number of ordinary people it has sued for infringing on a much smaller scale that Sony is accused of doing, and given that the whole purpose of this software was supposedly to reduce infringement. This is just another part of the lesson that Sony must have learned by now – and that other entertainment companies would be wise to learn – that it’s a bad idea to ship software if you haven’t thought very, very carefully about how it was designed and what your customers will think of it.