March 19, 2024

Don't Use Sony's Web-based XCP Uninstaller

Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.

We are working furiously to nail down the details and will report our results here as soon as we can. [UPDATE (Nov. 15): We have now posted more details.]

In the meantime, we recommend strongly against downloading or running Sony’s Web-based XCP uninstaller.

Kudos to Muzzy for first suggesting that such a hole might exist.

UPDATE: If you’re technically sophisticated, and you have run the XCP uninstaller on your computer, you may be able to help us in our investigations. It won’t take long. Please contact Alex to volunteer. Thanks.

Comments

  1. […] Today, following up on this possibility, Ed Felten and Alex Halderman announced that they have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit. […]

  2. We need to get a listing of all the clients of F4I and when they started using this code.
    That could be the first course of action to finding a “cure” for this…Ghastly Mistake.
    Anyone got one?

  3. Does anyone have a list of companies that use the first$internet software?

    Boycott them all, for you own protection!

  4. How do you determine if XCP is installed?

  5. Wow, I just called Sony’s 800 number and got through immediately. My name isn’t really John Smith, but I gave them that name when they asked. It’s just a service (the gal ‘operator 21’ told me so herself), but I’m suprised that there was not a hold time. I think more people need to call that number so Sony can’t say that they haven’t heard (m)any complaints.

    My 2 cents (American, 1.2 cents Canadian 😉 )

  6. I guess you are safer using peer to peer file sharing, than legally purchasing a Sony/BMI CD.

  7. Eduardo: “IANAL, but I don’t think this would work. I am pretty sure that as part of corporate due diligence Sony was supposed to have its experts look over the code from First4Internet. At the very least they should have checked into the general design and had a third party go through the code. It was really dumb of them to not do this. If you were working for Sony, wouldn’t you have thought DRM code could cause security problems, and checked it out to guarantee it didn’t?”

    You’d think so, but no… I had a pleasure to work for a tiny agency who was writing some code for one of the big 3 PC sellers… I’ll give you a hint, it’s not Dell or IBM. Anyways, being a sole developer on some of the smaller projects nobody has even asked me for the source code.

    Big Corporation asks a Tiny Agency who has a genious sales person Bob who promised to deliver anything Big Corporation desires and then some more. When the final product is done and ready, big shot Bill at the Big Corporation looks over, gives a nod and off it goes.

    I imagine the process is the same in most companies where “financial liability” is not part of the business.

  8. I also am appalled at the response of Sony and went thru the step of filing out the form to get some solution to the cluster F copy protection of SONY CD but I did not install the uninstaller. I don’t trust company that acted unethically to provide a trustable fix. I will not buy any Sony CD’s and have put all my Sony gear up for sale on Ebay. I am selling SONY DV camcorder, SONY digital camera, Sony Minidisc , SONY Monitor, and SONY notebook. I will not buy SONY if this is how they treat customers. I ordered a HP Tablet PC and a Canon Camcorder and Apple IPOD 60 gig video and Dell LCD monitor. MY former loyalty to SONY brand is DEAD.
    Perhaps if more consumers voted with their dollars thye might get the message.

  9. Max Kennedy says

    This doesn’t look like something Sony can palm off on someone else “sneaking in code” or doing something its legal department wasn’t aware of. The EULA reads exactly the same way.

  10. For the iTunes music store… =)

  11. “J.B. Nicholson-Owens Says:
    November 15th, 2005 at 2:02 am

    I think I’m posting some of the most relevant information here–run a free software OS and only free software on top of that. ”

    Unfortunately that might not be an option for long. Here in Finland a project manager at IFPI (group representing phonographic industry) commented to a journalist that they don’t see it a problem if a CD cannot in the future be played in Mac or Linux workstation at all, since those represent only a marginal number of all the computers.

    So that’s the attitude now folks.

  12. Mike for South Africa says

    Hey guys, I see you have been talking about the legal implications of Sony’s little adventure. What about the INTERNATIONAL legal enviroment? Sony will be liable, both to CRIMINAL and CIVIL suites, all over the world. I4F is going to get it in the neck too.

    Serves them right!

  13. Don’t like the Sony rootkit? Don’t run the installer!

    Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your compute…

  14. I’ve cancelled my pre-order for my PS3, and although I was looking with interest at Sony’s consumer-level HD cameras I’m now going to look elsewhere; like a lot of people, although I’ve not been directly affected by this I find Sony’s behaviour throughout this whole debacle to be reprehensible. I do feel like I’m somewhat pissing against the wind — 99% of the non-technical people I’ve spoken to have no idea what I’m on about both in terms of Sony’s doings and what a root-kit actually is — but such is life.

    As always, of course, the only people who’ve suffered are the law-abiding citizens; the XCP protected albums are all available on P2P networks and are free of crappy DRM, so it’s almost as if Sony are trying to encourage people to seek an illicit source for their music. Oh, well…

  15. J.B. Nicholson-Owens says

    I think I’m posting some of the most relevant information here–run a free software OS and only free software on top of that. Someday a software proprietor won’t let you turn off autorun. Someday a proprietary program with functionality you want will come with a backdoor, virus, or some other program you don’t want. Then, assuming you learn about these problems before they adversely affect you, shallow reads on quick fixes (hold down this key as you put in the CD, change that registry setting, etc.) won’t pass muster with the tech-heads and you’ll be compelled to address the underlying problems at work. Hopefully you won’t be left with a computer that obeys someone else’s commands not yours. What’s sad is that such educated and technically literate people have such a hard time seeing any ethical component to computing and reaching the conclusion that the practical benefits of software freedom (lower prices, higher security, ability to fully understand what a program does, etc.) don’t come without the freedom.

  16. Have you looked into these details from F4I?

    Who else used this software. For distribution within the areas specified they must have had more than Sony as there single only client.

    http://www.xcp-aurora.com/xcp1.aspx
    How is XCP available?
    XCP1 is now available through our CDR duplication partners in the UK and US. Record Labels also have the option to license the Aurora software programs and install their own multiple drive towers for mass burning in-house. Please contact us for more information about becoming a CDR duplication partner or for use of Aurora in-house.

    London, UK
    Santa Monica, CA, US
    North Sydney, NSW, Australia
    Germany
    Osaka, Japan
    Oxfordshire, UK

  17. I think they undermined the power of blog media to their detriment. The sad fact for Music industry is that there is no fool-proof way to protect your music from being copied. All they can hope for is 80/20 rule, that most people will be decent enough to not copy or at least buy something else down the line.

  18. Urban terrorist: “who else did First4Internet sell the technology to?”

    I don’t know, Urban, but I found a listing of some of their clients:

    “… it’s certainly worth noting that Universal’s MCA unit, Warner Music Group, and EMI have all been customers of First4Internet, notwithstanding EMI’s claims of innocence.”

    http://www.boycottsony.us/?p=18

  19. J. J. Nicholson-Owen: “I feel sorry for the folks who are trusting this program to do something helpful for them. At the same time, I hope that people will take this as a learning experience”

    I wish *you* would take the responses to your former inept interventions as a learning experience and post something *relevant* to the discussion. But I’m not hopeful.

  20. J.B. Nicholson-Owens says

    I feel sorry for the folks who are trusting this program to do something helpful for them. At the same time, I hope that people will take this as a learning experience and come away with a better understanding of why software freedom (see http://www.gnu.org/philosophy/free-sw.html) is important, even for the non-technical computer user.

    Someday, users will be encouraged to examine the underlying ethical questions that software proprietors don’t want you to ask. The free software movement asks you to consider how should we treat other people when it comes to computer software. It’s an interesting discussion, particularly now. Here’s hoping that you’ll join the discussion and choose to run more free software.

  21. You know somewhere at Sony a fellow geek who “gets it” is saying “I told you so, I freakin’ told you so”

    that’s how it was at Intuit when the Turbo Tax DRM boot sector crap came out. We didn’t know about the boot sector crap, that was all 3rd party, but we knew strong armed DRM was a bad idea.

  22. Alex: “If it will get to the court, I image First4Internet will get shafted every which way for liability and Sony will deny any wrong doing and blame it all on First4Internet.”

    IANAL, but I don’t think this would work. I am pretty sure that as part of corporate due diligence Sony was supposed to have its experts look over the code from First4Internet. At the very least they should have checked into the general design and had a third party go through the code. It was really dumb of them to not do this. If you were working for Sony, wouldn’t you have thought DRM code could cause security problems, and checked it out to guarantee it didn’t?

  23. For what its worth– I was about to take delivery on my sony Bravia $3800 TV however, I’m quite happy with the new HD Samsung i’m wathing Monday night football on now.
    If Sony doesnt think it will have a univeral negative impact on their business they’re crazy. This story is going well beyond the “geeks” . (no offense to my fellow geeks)

  24. Being a musician, another unfortunate consequence of Sony’s mistake is the damage it will do to the artists whose works are on the CDs. If record sales are being hurt, then careers are being hurt too. I hope Sony has the integrity to take care of the artists who were the subject of the rootkit fiasco. However, I don’t think Sony has a good reputation at the moment where integrity is concerned.

  25. I think that someone made a decision, without the proper technical background to determine if the technology was safe, and that now Sony is paying the price for it. This has really hit their reputation badly, and probably hurt sales.

    And as for First4Internet, I would say that their viability as a company is in question, along with the programming skills of their staff.

    I don’t think we’ve heard the last of this – who else did First4Internet sell the technology to? What other plans does Sony have for DRM – especially in regards to the PlayStation 3? What about the anti-virus companies that supposedly advised First4Internet?

    Man this thing is a mess. Up till now I would have trusted Sony. Their release of a Linux adapation for the Play Station was a real coup. Now, I don’t think I’d trust them as far as I could throw them (and a 50 year old man can’t throw things very far).

  26. This is almost certainly true with respect to any copyright infringement claims Sony may face due to the rootkit. I would be very surprised if Sony did not have First4Internet indemnify them up the wazoo against claims that any code F4I developed for Sony was infringing.

    Of course, everything will depend on the nature and form of complaints against Sony. If Sony gets hit with claims having to do with consumer protection and consumer fraud, it may be difficult to lay off the liability on F4I, since they presumably provided a product to Sony’s specifications.

    All just speculation at this point, but very very interesting.

  27. Sorry for the second post.

    I think that somebody who is going to be shot shorty will be First4Internet. As in many cases, Sony might not have been aware at all of the code and danger it presents.

    The provider, being First4Internet, assured them everything was fine and dandy and so Sony PR people simply repeated that to the public.

    If it will get to the court, I image First4Internet will get shafted every which way for liability and Sony will deny any wrong doing and blame it all on First4Internet.

  28. I’ll try to summarize this in one word… “ouch”. Eagerly waiting for more info. This is equivalent of a soap opera, only for geeks. Gets more interesting as it develops. Somebody will get shot or stabbed very shortly.