[This post was co-written by J. Alex Halderman and Ed Felten.]
Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.
The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.
A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
We have constructed a demonstration code package and web page that exploits this design flaw to install unwanted files on a target computer. The exploit does not actually harm the computer, but it demonstrates that hostile code can be run on a target computer, and that the hostile code can perform operations that should be forbidden. At present we are not releasing the demonstration exploit to the public.
CodeSupport was also installed as part of the original web-based updater that Sony released to remove First4Internet’s rootkit. Sony has since replaced the web-based version of the updater with a downloadable EXE or ZIP file; these are safe to use as far as we know. If you didn’t use the original web-based updater, and you haven’t requested the full uninstaller from Sony, then you are safe from this particular vulnerability, as far as we know.
How can you protect yourself against this vulnerability? First, for now don’t accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off you machine, if it’s not already there.
To see whether CodeSupport is on your computer, try our CodeSupport detector page.
If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
cmd /k del “%windir%downloaded program filescodesupport.*”
This is not an ideal solution – depending on your security settings, it may not prevent the software from installing again – but it’s better than nothing. We’ll have to wait for First4Internet to develop a complete patch.
UPDATE: USA Today reports that Sony will recall the affected CDs. Discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week. We hope the plan will include distribution of cleanup tools to customers who still have potentially dangerous XCP software on their machines.
Every new product will have problems it just needs to be tested and tested, and tested and debuged and tested , so help them by letting them know the problems, maybe then it will be fixed properly.
tracy
Am always pleased to see that Companies are willing to admit and backtrack on these issues.
Surely anyone wanting to make illegal copies of XCP-protected CDs can simply do so using a different operating system, eg. Linux?
So XCP inconveniences legitimate users, but does nothing to stop those determined to make copies….
Hi there sorry for asking but need to encode my Sony DVD player as it doesnt want to read some disks. Could you help me please. Cheers. Alena
how can i download the tinker soft ware oold version plse help to me
[…] (Excerpt) Read more at theinquirer.net … TOPICS: TechnicalKEYWORDS: DRM; SONY The Freedon to Tinker analysis supporting the article is here. Also, here is the top part of the country list: […]
[…] The news follows a similar security hole in Sony’s other DRM technology: XCP. An uninstaller enabled by installing an ActiveX control to download the components was discovered to be subject to misuse – by persuading a victim to visit a specially built website, the ActiveX component could be triggered, allowing malicious code to be downloaded and run. Simon Aughton […]
[…] By Charlie Demerjian: Tuesday 15 November 2005, 20:45 SONY PULLS OFF ANOTHER blatant stupidity in the ‘cure is worse than the disease’ category. No, not the DRM infection itself, not the security compromising removal agreement, but the removal tool itself. Yes, this one appears to put you in MORE danger than the original rootkit. Silly Sony, no cookie. According to Freedon To Tinker, the web based installer is a worse vulnerability than the original rootkit. More on the story here, FTT goes into detail. It seems the ‘cure’ from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine. See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course. The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus program to uninstall it, you spent money to fix Sony’s problems, and you are still a criminal. That’s what you get for buying music.µ Home Discuss on our Forum Flame Author Recommend this article Print […]
[…] This drama is also about incompetence. Sony’s latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony’s rootkit — designed to stop copyright infringement — itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library’s license agreement. But even that is not the real story. […]
well, i had to take the computer in to be fixed. it seems that that program cloaked more that it should. had to end up having the drive wiped and the os re-installed to the tune of $200.00. yeah,sony way to go. and just think 2.1 million of these cds are out there waiting to do harm. i hope sonybmg goes broke because of this and other companies take the notice…
MOVIES NOT MUSIC CD’S:
Ok, you have done a good job on music, but you have not gone far enough.
Now visit your local Blockbusters, rent a few CDs and observe that “movie playing software” that gets installed or attempts to install. I will bet you will uncover all the big entertainment companies are loading software similiar to Sony BMG’s rootkit. The software scandal is bigger than discovered, so far.
Is Freedom-to-Tinker available as an automatically issued email newsletter each time it’s published?
Thanks and regards,
Pete Ford
Columbus, OH
I will not be spending any more money on Sony products. I don’t trust them now. There are a lot of other manufacturers and service providers.
Yeah, I have bought a Xbox 360 Glenn, and it’s okay, but from a technical standpoint. Sony Playstation III is gonna blow 360 out of the water, no offense if you’re a Xbox or Microsoft Lover, but I do agree that the first xbox was better than playstation 2, but this is not gonna be the case the second time around. By the way. Just thought I’d tell you that the Sony and SonyBMG are the same company, but two entirely different branches, and if they were any more far apart then they wouldn’t even be the same company. BMG is a music company, and Sony is a electronic products maker. So, thinking that SonyBMG’s treturous acts is gonna be included with anything done with Sony is wrong. Sony in it’s entirety is not the one to blame, but SonyBMG, but I do think alot of compliants need to made about this. If you signed a agreement at the beginning saying that it’s okay for this rootkit to be there, but for them to just install it, without permission is going way too far. I don’t even think this should be an issue personally. If I buy the cd, I should be able to do what the heck I want to do with it. If I want to burn a copy, it’s my priotrity because I paid the 13-20bucks for it, and it’s my property.
THANKS MATT, RANDALL & tired of this crap. YOUR INFO IS GREAT. YOU WILL ALSO BE HAPPY TO KNOW I HAVE FILED A OFFICIAL COMPLAINT WITH THE STATE OF WA. ATTORNEY GENERAL… SCREW SONY-BUY AN XBOX 360 GLICHES OR NOT:-)
I have done a advanced search on my computer for all files associated with First4Internet, and $sys$upgtool.exe did come up, it is the only file I missed apparently. However, since you’ve already deleted all the files it uses to run, it’s not a threat anyways, but yeah, it’s not supposed to be there. Go, ahead and delete it, and you should be tottally clean of the rootkit. Keep in mind, that SP2 is a rootkit too, so if you see files with example: $NTUninstall$ don’t be alarmed, because it’s XP Files, but however if you ever catch a glimspe of a file that has $ anywhere in it’s name, and it’s not distributed by Microsoft. It’s always a good idea, to go ahead and check by doing a spyware check. Anyways, I’m glad my instructions worked for you. Just don’t EVER put another SonyBMG in your computer that say it’s protected by Rogue software, and you should be fine.
Randal – You rock! Your instructions worked perfectly!!
THANK YOU THANK YOU THANK YOU THANK YOU!!!
🙂
One more quick question if you don’t mind…should $sys$upgtool.exe be deleted out of System32 folder? It seemed to be named similar to the other files…
Again, thanks for the instructions. I’m now successfully listening to a non-sony/bmg/columbia CD on my computer!
Hey, sorry, I left out some information in the earlier post, but yes, you do delete $sys$crater and $sys$cor from
HKEY_Local_MachineSYSTEMCurrentControlSetServices. Those files you could not find, were either removed by Microsoft AntiSpyware or where installed when I downloaded the uncloaking the device, and if you did not, then this explains while they were there for me, and not for you. You have gotten rid of this rootkit though, the evidence is shown with you not having your cd-rom drives show. Download the Pstools from this website, unzip it, then take all the contents (do not put it in a folder), and move it to C:WindowsSystem32 to install it, you will be asked if you want to replace this dll file with the other one say yes or yes to all. Then, go to run, type in psexec -s -i -d regedit.exe then click run, this will open regedit, but in a different way so that you can delete what is necessary. Go to HKEY_Local_MachineSYSTEMCurrentControlSetEnumIDE. Underneath this you will find your cd-rom drive(s) click on the name of your cd drive, and then click the number underneath a list of different keys will pop up, find the one that says lowerfilters and beside it saying either $sys$crater, or $sys$crater imapi. Then after deleting those two go to HKEY_Local_MachineSYSTEMCurrentControlSetEnumPCIIDEIDE Channel. There will be two sequences of numbers under these the first is primary, and the one under that is secondary. Since your cd rom is hooked up to secondary then, you will want to click the second one. Then look for the key that contains $sys$cor, delete this key. Close Registry Editor, and restart your computer, your cd drives should be back up.
Well I d/led the microsoft spyware and finally picked up on the $sys$DRMserver.exe. I deleted all the HKEY_Local_Machine and found a couple of others under SYSTEM/CurrentControlSet/Services:
$sys$cor
$sys$crater
I found all you stated for the System32 but XPCPlugins.dll, XCPPhoneix.dll and ClientSyncLoader. I think perhaps the spyware picked up on it. However I also found $nCSp$.inf, $winnt$.inf and $sys$upgtool.exe
I don’t know if I should delete these or not. I rebooted and the $sys$DRMserver.exe is now completely gone.
However, now my DVD and CD drives are missing. I don’t know what to do about that.
I posted here in case anyone else has any suggestions, because I don’t know how to get my drives back. Do I need to download drivers again or something?!?!
This is a good site: http://blogs.technet.com/antimalware/
I’ve scanned my computer about 5 times tonight with various registry, virus, spyware, etc. So I hope that it’s off…but now I just need to figure out how to get my CD drives back.
http://www.sysinternals.com/Blog/
Glenn, see the Oct. 31 post at the above address. This is the guy who broke the rootkit story first. He appeared to have a similar problem while removing the rootkit. I believe he can explain better than I.
Hey tired of this crap. Yeah, that’s how I was feeling about this time too. It may be that you can’t find some of this stuff that I had posted if you have ran a spyware or viruscan (one that searches for more than just viruses.) Upon doing this your scanner may have picked up on some things, and removed what it could find, and then left some still on there. I’m not sure how big of a threat it actually is if $sys$DRMServer.exe is not running, but however it is most important that you delete the folder $sys$filesystem in the directory C:WindowsSystem32. If this is not found there I would say that you don’t have the rootkit still on there, and that it’s something else causing this problem. Try using Microsoft Antispyware, this will pick up on the rootkit if still there. Antispyware is unsucessful in removing it, but you will find it, then if not there, then try rootkitrevealer, if you’re not picking up anything anywhere then you no longer have Sony’s rootkit on there, and it must be something else causing this. This is just a recommendation, and I’m not saying that it’s not still on there, because I’ve been to alot of places where people say it’s not there, but it is. If you have any further questions visit my website. There is some contact information there. Email me, and I’ll try to help you the best I can. As for anyone else that needs help with this or any other problem.
i tried the code support detector page and it’s detected on my computer, but i tried following the instructions that randall nicely posted but am not having any luck.i don’t have the $sys$DRMserver.exe running under the processes tab. and all the HKEY files are not there i found one under HKEY software for Sony BMG with the following files Default, InstallRevisionHi, and InstallRevisionLo. I don’t know what to do, I just want get it off my computer (if it’s still there?) my system IS running slower and I fear a virus of some sort…I did send in for an uninstall request and I think I might have installed the DirectX….
If anyone can offer advice I’m all ears.
Thanks for all the information thus far!
after letting microsoft antispyware beta delete the xcp software i can no longer use my cd rom drive or my dvd rom drive. in the my computer screen it does not even show them on my computer!!!! is there a fix for this or am i going to have to pay someone to fix for me???
Everyone is talking about the subject, but no one is saying how to get rid of it. Well, here’s your answer.
How to manually remove SonyBMG’s Rootkit from your XP machine.
First unplug your source of internet. Then hit ctrl+alt+del, and click the process tab. Find $sys$DRMserver.exe and end this proccess.
Go to start, then run, type in “regedit” and then enter.
Delete these keys:
HKEY_Local_MachineSYSTEMCurrentControlSetServices$sys$DRM
HKEY_Local_MachineSOFTWARE$sys$References
HKEY_Local_MachineSONYBMG
Then after that delete these files.
C:WindowsSystem32$sys$caj.dll
C:WindowsSystem32AXPSupport.dll
C:WindowsSystem32InstallContinue.exe
C:WindowsSystem32XPCPlugins.dll
C:WindowsSystem32ECDPlayerControl.ocx
C:WindowsSystem32XCPPhoenix.dll
C:WindowsSystem32ClientSyncLoader.htm****or possibly html.
After that delete these two folders, and all of their contents.
C:WindowsSystem32SoftwareDistribution
C:WindowsSystem32$sys$filesystem
After doing all these steps, shutdown your computer. While the computer is shutdown, replug your source of internet back up to your computer. This is how we tell if your copy of the rootkit was succesfully removed. The process $sys$DRMserver.exe is activated by a source of connectivity to the internet. If it doesn’t start up at Windows XP’s Login then your computer is free from Sony’s harmful attempt to cut back on distribution of music, but my opinion is my cd, my priorty to do whatever I want with it. Hope that this helped. Just remember, if it says copy-protection software on the case, it would be a good idea not to insert into computer’s disk drive unless you check to make sure that the label of that cd does not belong to SONY BMG. PeAcE
P.S. After this, and any deletion of registry keys I recommend that you use a registry cleaner, for those of you that don’t have one here’s a free program that will take care of everything. However, I recommend that you do the registry scan more than once because it doesn’t get all in it’s first pass, but no worries this only take about 45seconds on a 600mhz proccessor, so if yours is faster then you really don’t have to worry about it.
http://www.ccleaner.com
WELL DONE TO AL WHO WHO HAVE SONY RECANT AND JUST FOR ONCE SUPPORT MICROSOFT THIER CRITISISEM
I love Sony’s products even though they are expensive. Sadly value for money trading betrayal deliberately done by Sony must be accountable all of her sincere customers with the acceptable betrayal compensation in addition to wasting her customers’ time
I love sony. Leave them alone please. It’s all Bill’s fault.
It’s not just Sony!
To totally remove the First4Internet CodeSupport insecure ActiveX control, do the following at a command prompt:
regsvr32 %windir%downlo~1codesupport.ocx /u
del %windir%”Downloaded Program files”codesupport.*
If you omit the first command, you’re left with a broken control listed in your downloaded program files. And I hate it when there’s garbage from an uninstaller left on my machine. 😉
On behalf of all of us who love using tech, but are soooo NOT ‘techies’: Thanks VERY much to everyone and especially Messrs. Halderman and Felten, and ‘Muzzy’. 🙂
Go to internet options, general tab, temporary internet files, settings button, see objects. Look for it and right click to remove.
Notes:
I’m on a not English version of windows, so guessing some names.
Browsing with Firefox is safe because FF is not based in ActiveX technology.
Removing the ActiveX obviously doesn’t remove any virusware that might have hit your system.
You have an alternate uninstaller for the rootkit at Sophos:
http://www.sophos.com/support/disinfection/rkprf.html
http://www.sony.com/SonySearch/Search.jsp?mode=go&pst=Shit&pti=0&psti=0&st=Yeah%21+Lots+of+shit&ti=0
has anyone found out where this company “First4Internet” is from? who the people are? Everything they’ve done looks so ridiculously fishy–both the initial DRM and the CodeSupport–that it doens’t seem farfetched at all that they either are in cahoots with hackers or are themselves a hacking group. Sheesh, how about that for a story? They develope malicious code and disseminate not through emails, how passé, but through CDs porduced by a megacorporation that people have to PAY FOR. Oh man, that be one for the history books
“Sad that sony didn’t see this themselves.. Nick if you are in need of help please e mail me blitze105 @yahoo.com is my e mail. (don’t forget to remove the space!)”
Who says Sony/First4Internet didn’t see this? Can you think of a better “punishment” (in their eyes) for those ungrateful people who want to remove the rootkit on their system?
And it IS a root kit. It bypasses and redirects kernel functions and low level OS and hardware access. The activeX app is not a rootkit but it does leave you extremely vulnerable to having another one installed on your system (perhaps even by the Sony/First4Internet sites before you leave).
“Sad that sony didn’t see this themselves.. Nick if you are in need of help please e mail me blitze105 @yahoo.com is my e mail. (don’t forget to remove the space!)”
Who says Sony/First4Internet didn’t see this? Can you think of a better “punishment” (in their eyes) for those ungrateful people who want to remove the rootkit on their system?
And it IS a root kit. It bypasses and redirects kernel functions and low level OS and hardware access. The activeX app is not a rootkit but it does leave you extremely vulnerable to having another one installed on your system (perhaps even by the Sony/First4Internet sites before you leave).
Reminds me of a line from the theme song from MASH:
“And suicide is painless”
What we are seeing here is incompetence above and beyond the call of duty.
Sad that sony didn’t see this themselves.. Nick if you are in need of help please e mail me blitze105 @yahoo.com is my e mail. (don’t forget to remove the space!)
I’ve been saying all along that it’s a mistake to call the software implementing the Sony DRM a “rootkit”. It’s cloaking software. That may be a component of your typical rootkit, and a component that isn’t found in anything but rootkits, but it’s not a rootkit.
The web uninstaller is much more of a rootkit. Unfortunately, having abused the term “rootkit”, people are going to sound like the little boy who cried “wolf” on this one.
You know if a kid did this, they’d have put him in jail for writing a virus. Isn’t the whole entirety of Sony actions frankly illegal?
Lawyers feel free to pipe in. This whole thing is so offensive I can’t even begin.
Wonder how many damage suits this could start. You don’t have to win to sue.
I almost installed Sony’s active-X uninstaller until I saw that it was written by First4Internet, the same people that wrote the original rootkit. I said, “you have to be kidding!”. There was no way that I was going to let the same company that put a rootkit on my computer also install an active-X program. I dodged that bullet with a little common sense. Fool me once, shame on you. Fool me twice, shame on me! And of course, shame on you Sony for doing this in the first place. I’m waiting to remove the rootkit until I’m convinced that the removal code is finally written well and correctly, and that it has been verified.
I’m just beyond frustrated!!! I bought stupid Neil Diamond’s new cd and now i’ve got to deal with this. I’ve trusted everything that Sony/BMG has told me to what end? I downloaded the patch and I’ve used the uninstall form. Sheesh.
So now I’ve tried deleting the codesupport components and I keep getting access denied. So yeah….any help would be appreciated.
I primarily use Firefox not IE. Does this offer any protection or am I pretty much screwed until something reliable comes out to remove this vulnerability?
Hey Sony — wake up
Here’s a column I posted at globeandmail.com about Sony’s DRM rootkit fiasco:
“For a company that has so much great technology behind it, including a number of firsts like the compact disc and the portable music player, Sony Corp. …
All that’s left is for sony to burn my house down.
Sometimes I like to eat cheese, often with crackers.
I hope this won’t affect my ability to enjoy cheese and crackers.
Bob
I havn’t seen it covered much in this blog entry or in the comments, but the fact that First4Internet’s/Sony’s web uninstaller is even more nefarious than the original rootkit.
http://www.freedom-to-tinker.com/?p=927
By going through the uninstall process, you are supposed to feel more protected as you just got rid of nasty malware. Well you are now open to all sorts of new exploits, and you are supposed to think you are protected again.
Amazing how the programmers at First4Internet are so incompetent and continue to introduce security holes onto your system.
I have one question about this mess. Sony is both a content company and a consumer electronics company. In particular, they make CD & DVD drives for personal computers, for instance:
http://cnet.search.com/search?chkpt=astg.cnet.fd.search.cnet&q=sony+internal+CD+drives&tag=srch
Is it possible that the bundled drivers for these products could include similar rootkit/spyware/use restriction technology? Has anybody in the press even ASKED Sony whether they do? Or what about their Vaio product line – could these it the same junk pre-installed at the factory?
I have a Sony CD-RW drive that I bought in 2000, but I’d be very reluctant to purchase any new computer hardware or software from them — or even install a product patch or update — unless Sony clearly promises not to sneak any DRM-related restrictionware into their products.
Analysis of cached DNS queries shows that the malware is installed on more than half a million computers in at least 165 countries:
http://www.doxpara.com/
I’m surprised nobody’s picked up on this angle to the story: Here’s First4Internet’s other flagship product:
“ICAâ„¢ Image Composition Analysis:ICA technology accurately detects pornographic and inappropriate images and text in digital data transmission providing effective filtering solutions for email, websites and Internet chatrooms.”
Don’t I recall hearing that this had been debunked a few years ago? Does anybody beleive this actually works?
Should we be surprised at the ethics and quality of XCP (and the XCP remover), given that it comes from the same shop as ICA?
You know, Sony is only missing some SCO code in there to be complete….
SONY IV – the return of the emperor
Sony has surrendered, and is recalling their DRM-tainted CDs. They have an uninstaller that removes their spyware. The good side is finally triumphant.
But is it? Turns out they left you with an even bigger
Well, my reboot demo is as dangerous as the uninstall request link that’s also in the article. It, too, will prompt to install the ActiveX control. I just copypasted the html from there so it’s identical. A safer demonstration would make sense, though, rebooting the system isn’t really a nice thing 🙂
Never mind, found it.
I keep seeing references to that article on dewinter.com saying that the Sony/F4I DRM/rootkit breaches the LGPL or GPL by using parts of LAME without abiding by the license agreement. But every story I’ve seen on the web makes the claim and links to the dewinter.com article without attempting to verify it.
Have you guys made such verification attempts yet, or do you know of someone else who has?
Sony DRM code violates open source LGPL license and uninstaller opens a big security hole!
This story just keeps getting weird and weird!
A Dutch article is now reporting that the Sony DRM spyware application contains code from the LAME MP3 encoder project, which is licensed under LGPL (perhaps part of a detection routine to circumve…
Careful guys: That test link to reboot the machine wil actually prompt some machines to install the first4Internet plugin.
[Thanks! We’ve taken down the link and will post a safe alternative. — Ed Felten]