November 25, 2024

Immunize Yourself Against Sony's Dangerous Uninstaller

Jeff Dwoskin and Alex Halderman have developed a simple tool that can immunize a Windows system against the dangerous CodeSupport ActiveX control that we have written about over the past few days. The immunization tool should disable CodeSupport if it is already on your system, and it should prevent any future reinstallation or reactivation of CodeSupport.

You can test whether the vulnerable CodeSupport component is installed on your system using our CodeSupport detector web page. If you are infected, we strongly recommend that you run our immunization tool. Even if you are not infected, you can apply our patch to prevent the flawed control from being installed in the future.

To install the tool, download this file to a temporary location, then double click on the file’s icon in Windows. (Windows may ask you to confirm that you wish to add the information in the file to the system registry – choose “Yes.”) After the tool has been applied, you may delete the file. The tool will take effect as soon as you close and restart Internet Explorer.

The tool works by putting an entry into the Windows registry that tells Internet Explorer not to activate any ActiveX control that uses the unique identifier (or “classid”) associated with CodeSupport. This registry area is described in a Microsoft KnowledgeBase article.
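As an added illustration of the mechanism just described (this is not the immunization tool's own code), the snippet below generates the kind of registry fragment such a tool merges and checks an exported fragment for it. It assumes the standard Internet Explorer "kill bit": the 0x400 flag in the "Compatibility Flags" DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{classid}. The classid used is a constructed all-zero placeholder, not CodeSupport's real identifier.

```python
# Added example, not the immunization tool's code. Builds and inspects the
# .reg fragment that sets Internet Explorer's kill bit (Compatibility Flags
# bit 0x400) for one ActiveX classid. The CLSID below is a constructed
# placeholder; CodeSupport's real classid is not given here.
import re

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"  # constructed placeholder


def immunization_reg(clsid: str) -> str:
    """Produce the .reg text that sets the kill bit for one classid."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{COMPAT_KEY}\\{clsid}]\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\n'
    )


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: int}}, keeping dword values only.
    Registry key names are case-insensitive, so keys are normalised to lower case."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def kill_bit_set(reg_text: str, clsid: str) -> bool:
    """True if the export shows the kill bit set for clsid.
    Other compatibility flags may be present in the same value; only bit 0x400 matters."""
    values = parse_reg(reg_text).get(f"{COMPAT_KEY}\\{clsid}".lower(), {})
    return bool(values.get("Compatibility Flags", 0) & KILL_BIT)
```

A fragment with the flag value set to something other than 0x400 does not immunize, which is why the check masks the bit rather than comparing the whole value.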

Sony has modified their uninstaller sequence so that users who want to start the uninstallation process will not download CodeSupport. That’s good. But unfortunately the CodeSupport component is still up on the company’s web site, so users who were already partway through the uninstall process might still download CodeSupport. That’s not good; but it’s easy to fix. Let’s hope Sony fixes it.

Meanwhile, the company is reportedly working to develop a safe uninstaller. We’ll let you know when they release an uninstaller, and we’ll tell you what we think of it.

Sony's Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs

[This post was co-written by J. Alex Halderman and Ed Felten.]

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

We have constructed a demonstration code package and web page that exploits this design flaw to install unwanted files on a target computer. The exploit does not actually harm the computer, but it demonstrates that hostile code can be run on a target computer, and that the hostile code can perform operations that should be forbidden. At present we are not releasing the demonstration exploit to the public.

CodeSupport was also installed as part of the original web-based updater that Sony released to remove First4Internet’s rootkit. Sony has since replaced the web-based version of the updater with a downloadable EXE or ZIP file; these are safe to use as far as we know. If you didn’t use the original web-based updater, and you haven’t requested the full uninstaller from Sony, then you are safe from this particular vulnerability, as far as we know.

How can you protect yourself against this vulnerability? First, for now don’t accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off your machine, if it’s not already there.

To see whether CodeSupport is on your computer, try our CodeSupport detector page.

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)

cmd /k del "%windir%\downloaded program files\codesupport.*"

This is not an ideal solution – depending on your security settings, it may not prevent the software from installing again – but it’s better than nothing. We’ll have to wait for First4Internet to develop a complete patch.

UPDATE: USA Today reports that Sony will recall the affected CDs. Discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week. We hope the plan will include distribution of cleanup tools to customers who still have potentially dangerous XCP software on their machines.

Don't Use Sony's Web-based XCP Uninstaller

Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.

We are working furiously to nail down the details and will report our results here as soon as we can. [UPDATE (Nov. 15): We have now posted more details.]

In the meantime, we recommend strongly against downloading or running Sony’s Web-based XCP uninstaller.

Kudos to Muzzy for first suggesting that such a hole might exist.

UPDATE: If you’re technically sophisticated, and you have run the XCP uninstaller on your computer, you may be able to help us in our investigations. It won’t take long. Please contact Alex to volunteer. Thanks.

SonyBMG DRM Customer Survival Kit

Here’s a handy bag of tricks for people whose computers are (or might be) infected by the SonyBMG/First4Internet rootkit DRM. The instructions here draw heavily from research by Alex Halderman and Mark Russinovich.

This DRM system operates only on recent versions of Windows. If you’re using MacOS or Linux, you have nothing to worry about from this particular DRM system. The instructions here apply to Windows XP.

How to tell whether the rootkit is on your computer: On the Start menu, choose Run. In the box that pops up, type this command:

cmd /k sc query $sys$aries

and hit the Enter key. If the response includes “STATE: 4 RUNNING”, then your machine is infected with the rootkit. If the response includes “The specified service does not exist as an installed service”, then your machine is not infected with the rootkit.

How to disable the rootkit: On the Start menu, choose Run. In the box that pops up, type this command:

cmd /k sc delete $sys$aries

and hit the Enter key. Then reboot your system, and the rootkit will be permanently disabled.

Note that this does not remove or disable the main anti-copying technologies. It only turns off the rootkit functionality that hides files, programs, and directory entries. The main DRM software is still present.
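The detection step above reads the output of sc query by eye; as an added example (not part of the original post), here is the same check done programmatically. The two sample outputs are constructed to match the shape of sc.exe output for a running kernel driver and for a service that does not exist; they are not captured from a real machine.

```python
# Added example, not from the original post: classify "sc query $sys$aries"
# output the way the survival kit instructions do by hand.
# Sample outputs below are constructed, not captured from a real system.
import re

SERVICE = "$sys$aries"

# Service state codes as reported in the STATE line of sc query output
STATE_NAMES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING", 4: "RUNNING",
               5: "CONTINUE_PENDING", 6: "PAUSE_PENDING", 7: "PAUSED"}

SAMPLE_RUNNING = """SERVICE_NAME: $sys$aries
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_MISSING = """[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""


def parse_sc_query(output: str) -> dict:
    """Extract the service name and numeric STATE from sc query output.
    Returns an empty dict when neither field is present."""
    info = {}
    m = re.search(r"SERVICE_NAME:\s*(\S+)", output)
    if m:
        info["name"] = m.group(1)
    m = re.search(r"STATE\s*:\s*(\d+)", output)
    if m:
        info["state"] = int(m.group(1))
        info["state_name"] = STATE_NAMES.get(info["state"], "UNKNOWN")
    return info


def rootkit_verdict(output: str) -> str:
    """'infected' if the $sys$aries driver service is installed and running,
    'disabled' if it is installed but not running (e.g. before the reboot that
    follows sc delete), 'clean' if the service does not exist, else 'unknown'."""
    if "does not exist as an installed service" in output:
        return "clean"
    info = parse_sc_query(output)
    if info.get("name", "").lower() != SERVICE:
        return "unknown"
    return "infected" if info.get("state") == 4 else "disabled"
```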

How to remove the DRM software entirely: Use the official uninstaller offered by the vendors. They’ll make you jump through unnecessary hoops, and give them unnecessary information, before you can uninstall. Feel free to complain to the vendors about their refusal to offer a simple uninstaller for download.

It is possible to remove the DRM software by hand, but I recommend against it – if you mess up, you can render your machine unbootable.

Probably someone will create an unofficial but easy-to-use uninstaller, but I haven’t seen one yet.

How to get songs from these discs into iTunes, an iPod, or anywhere else you can legally put them: SonyBMG will send instructions on how to do this to anyone who asks. Note that their instructions direct you to agree to their End User License Agreement; be sure to read the agreement and think about whether you want to accept it.

To save you time, I’ll quote their instructions here:

Place the CD into your computer and allow the supplied Sony BMG audio player on the CD to start. If our player software does not automatically start, open your Windows Explorer. Locate and select the drive letter for your CD drive. On the disc you will find either a file named LaunchCD.exe or Autorun.exe. Double-click this file to manually start the player.

Once the Sony BMG player application has been launched and the End User License Agreement has been accepted, click the “Copy Songs” icon/button and follow the instructions to copy the secured Windows Media Files (WMA) to your PC’s hard drive.

TIP: Once the WMA files are on your hard drive, be sure to remove the original CD from your optical drive before proceeding. The original CD is designed to only allow playback using the Sony BMG audio player software included on the disc.

Once the WMA files are on your PC, open and listen to the songs with Windows Media Player 9.0 or higher (version 10 is recommended for XP) to verify that they imported correctly. Then use Windows Media Player to burn the songs as a standard Audio CD.

TIP: By default Windows Media Player may assume that you want to create a data CD rather than an audio CD. This just creates a data CD of the audio files in their secured WMA format rather than first converting them to standard Red Book Audio format. Before creating the CD be sure to verify “Audio CD” is selected.

Having followed these instructions, you will then have a copy of the CD that is unencumbered by copy protection. You can then proceed to make any lawful use of the music, including ripping it into iTunes and downloading it onto your iPod.

You read that correctly – SonyBMG, which is willing to surreptitiously install a rootkit on your computer in the name of retarding copying of their music, will send, to anyone who asks, detailed instructions for making an unprotected copy of that same music.

SonyBMG "Protection" is Spyware

Mark Russinovich has yet another great post on the now-notorious SonyBMG/First4Internet CD “copy protection” software. His conclusion: “Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.”

Here’s how the uninstall process works:

  • The user somehow finds the obscure web page from which he can request the uninstaller.
  • The user fills out and submits a form requesting the uninstaller. The form requests information that is not necessary to perform the uninstallation.
  • The vendor sends the user an email asking them to install a patch, and then to visit another page if he still wants to uninstall the software.
  • The user is directed to install and run yet more software – an ActiveX control – on his computer.
  • The user has to fill out and submit yet another form, which asks unnecessarily for still more information.
  • The vendor sends the user an email containing a cryptic web link.
  • The user clicks on that web link. This will perform the uninstall, but only if the user is running on the same computer on which he performed the previous steps, and only if it is used within one week.

None of these steps is necessary. It would be perfectly feasible to provide for download a simple uninstaller that works on any computer that can run the original software. Indeed, it would have been easier for the vendor to do this.

In all the discussion of the SonyBMG software, I’ve been avoiding the S-word. But now it’s clear that this software crosses the line. It’s spyware.

Let’s review the evidence:

  • The software comes with a EULA which, at the very least, misleads users about what the software does.
  • The software interferes with the efforts of ordinary users and programs, including virus checkers and other security software, to identify it.
  • Without telling the user or obtaining consent, the software sends information to the vendor about the user’s activities.
  • No uninstaller is provided with the software, or even on the vendor’s website, despite indications to the contrary in the EULA.
  • The vendor has an uninstaller but refuses to make it available except to individual users who jump through a long series of hoops.
  • The vendor makes misleading statements to the press about the software.

This is the kind of behavior we’ve come to expect from spyware vendors. Experience teaches that it’s typical of small DRM companies too. But why isn’t SonyBMG backing away from this? Doesn’t SonyBMG aspire to at least a modest level of corporate citizenship?

There are three possibilities. Maybe SonyBMG is so out of touch that they don’t even realize they are in the wrong. Or maybe SonyBMG realizes its mistake but has decided to stonewall in the hope that the press and the public will lose interest before the company has to admit error. Or maybe SonyBMG realizes that its customers have good reason to be angry, but the company thinks it is strategically necessary to defend its practices anyway. The last possibility is the most interesting; I may write about it tomorrow.

Outside the SonyBMG executive suite, a consensus has developed that this software is dangerous, and forces are mobilizing against it. Virus researchers are analyzing malware now in circulation that exploits the software’s rootkit functionality. Class-action lawsuits have been filed in California and New York, and a government investigation seems likely in Italy. Computer Associates has labeled the software as spyware, and modified its PestPatrol spyware detector to look for the software. Organizations such as Rutgers University are even warning their people not to play SonyBMG CDs in their computers.