December 22, 2024

More Suits Filed; MediaMax Insecurity Remains

Yesterday two lawsuits were filed against Sony, by the Texas Attorney General and the EFF. The Texas suit claims that Sony’s XCP technology violates the state’s spyware law. The EFF suit claims that two Sony technologies, XCP and MediaMax, both violate various state laws.

One interesting aspect of the EFF suit is its emphasis on MediaMax. Most of the other lawsuits have focused on Sony’s other copy protection technology, XCP. The EFF suit does talk about XCP, but only after getting through with MediaMax. Emphasizing MediaMax seems like a smart move – while Sony has issued an apology of sorts for XCP and has recalled XCP discs, the company is still stonewalling on MediaMax, even though MediaMax raises issues almost as serious as XCP.

As Alex wrote last week, MediaMax is spyware: it installs software without notice or consent; it phones home and sends back information without notice or consent; and it either doesn’t offer an uninstaller or makes the uninstaller difficult to get and use. MediaMax lacks the rootkit-like feature of XCP, but otherwise MediaMax shares all of the problems of XCP, including serious security problems with the uninstaller (mitigated by the difficulty of getting the uninstaller; see above).

But even if all these problems are fixed, the MediaMax software will still erode security, for reasons stemming from the basic design of the software.

For example, MediaMax requires administrator privileges in order to listen to a CD. You read that right: if you want to listen to a MediaMax CD, you must be logged in with enough privileges to manipulate any part of the system. The best practice is to log in to an ordinary (non-administrator) account, except when you need to do system maintenance. But with MediaMax, you must log in to a privileged account or you can’t listen to your CD. This is unnecessary and dangerous.

Some of the security risk of MediaMax comes from the fact that users are locked into the MediaMax music player application. The player app evades the measures designed to block access to the music; and of course the app can’t play non-MediaMax discs, so the user will have to use multiple music players. Having this extra code on the system, and having to run it, increases security risk. (And don’t tell me that music players don’t have security bugs – we saw two serious security security bugs in Sony music software last week.) Worse yet, if a security problem crops up in the MediaMax player app, the user can’t just switch to another player app. More code, plus less choice, equals more security risk.

Worse yet, one component of MediaMax, a system service called sbcphid, is loaded into memory and ready to run at all times, even when there is no disc in the CD drive and no music is being played. And it runs as a kernel process, meaning that it has access to all aspects of the system. This is another component that can only add to security risk; and again the user has no choice.

It’s important to recognize that these problems are caused not by any flaws in SunnComm and Sony’s execution of their copy protection plan, but from the nature of the plan itself. If you want to try to stop music copying on a PC, you’re going to have to resort to these kinds of methods. You’re going to have to force users to use extra software that they don’t want. You’re going to have to invoke administrator privileges more often. You’re going to have to keep more software loaded and running. You’re going to have to erode users’ ability to monitor, control, and secure their systems. Once you set off down the road of copy protection, this is where you’re going to end up.

Does Sony's Copy Protection Infringe Copyrights?

The Sony copy protection debacle has so many angles that the mainstream press is having trouble keeping track of them all. The rootkit. The spyware. The other spyware. The big security hole. The other big security hole. It’s not surprising, then, that at least one important angle has gone nearly undiscussed in the mainstream press: the likelihood that the Sony/First4Internet XCP copy protection software itself infringes several copyrights. (Note to geeks: Slashdot doesn’t qualify as the mainstream press.)

Matti Nikki (a.k.a. Muzzy) and Sebastian Porst have done great work unearthing evidence pointing to infringement. They claim that the code file ECDPlayerControl.ocx, which ships as part of XCP, contains code from several copyrighted programs, including LAME, id3lib, mpglib, mpg123, FAAC, and most amusingly, DVD-Jon’s DRMS.

These are all open source programs. And of course open source is not the same as public domain. Open source programs are distributed with license agreements. If you copy and redistribute such a program, you’re a copyright infringer, unless you’re complying with the terms of the program’s license. The licenses in question are the Free Software Foundation’s GPL for mpg123 and DRMS, and the LGPL for the other programs. The terms of the GPL would require the companies to distribute the source code of XCP, which they’re certainly not doing. The LGPL requires less, but it still requires the companies to distribute things such as the object code of the relevant module without the LGPL-protected code, which the companies are not doing. So if they’re shipping code from these libraries, they’re infringing copyrights.

How strong is the evidence of infringement? For some of the allegedly copied programs, the evidence is very strong indeed. Consider this string of characters that appears in the XCP code:

FAAC – Freeware Advanced Audio Coder (http://www.audiocoding.com/). Copyright (C) 1999,2000,2001 Menno Bakker.

Porst also reports finding many blocks of code that appear to have come from FAAC. Porst claims equally strong evidence of copying from mpglib, LAME, and id3lib. This evidence looks very convincing.

He also points to evidence of copying from DRMS, which doesn’t look quite as strong, though it is very suggestive. (There are extensive similarities between DRMS and the XCP code, but because DRMS implements a decryption algorithm that offers fewer implementation choices than ordinary code does, it’s easier to imagine that similarities might have arisen by chance. I would have to study the two programs in more detail to say more. But let me reiterate that the DRMS evidence is at least very suggestive.)

The upshot of all this is that it appears the authors of at least some of these programs can sue First4Internet and Sony for copyright infringement. First4Internet wrote the allegedly infringing software and gave it to Sony, and Sony distributed the software to the public. Sony might not have known that the code they were shipping infringed, but according to copyright lawyers, there is strict liability for copyright infringement, meaning that lack of knowledge is not a defense against liability. (Lack of knowledge might reduce the damages.) So both companies could face suits.

The big question now, I suppose, is whether any of the copyright holders will sue. The developers of LAME wrote an open letter to Sony, saying that they’re not the suing type but they expect Sony to resolve the situation responsibly. They don’t say exactly what this means, but I expect they would be happy if Sony recalls the affected CDs (which it is already doing) and doesn’t ship XCP anymore. To my knowledge, we haven’t heard from the other copyright owners.

Being accused of infringement must be horribly embarrassing for Sony, given the number of ordinary people it has sued for infringing on a much smaller scale that Sony is accused of doing, and given that the whole purpose of this software was supposedly to reduce infringement. This is just another part of the lesson that Sony must have learned by now – and that other entertainment companies would be wise to learn – that it’s a bad idea to ship software if you haven’t thought very, very carefully about how it was designed and what your customers will think of it.

Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole

I have good news and bad news about Sony’s other CD DRM technology, the SunnComm MediaMax system. (For those keeping score at home, Ed and I have written a lot recently about Sony’s XCP copy protection technology, but this post is about a separate system that Sony ships on other CDs.)

I wrote last weekend about SunnComm’s spyware-like behavior. Sony CDs protected with their technology automatically install several megabytes of files without any meaningful notice or consent, silently phone home every time you play a protected album, and fail to include any uninstall option.

Here’s the good news: As several readers have pointed out, SunnComm will provide a tool to uninstall their software if users pester them enough. Typically this requires at least two rounds of emails with the company’s support staff.

Now the bad news: It turns out that the web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony’s other DRM, XCP, that we announced a few days ago. I have verified that it is possible for a malicious web site to use the SunnComm hole to take control of PCs where the uninstaller has been used. In fact, the the SunnComm problem is easier to exploit than the XCP uninstaller flaw.

To be clear, the SunnComm security flaw does not apply to the software that ships on CDs, but only to the uninstaller that SunnComm distributes separately for removing the CD software. So if you haven’t used the uninstaller, you’re not vulnerable to this flaw and you don’t need to do anything.

If you visit the SunnComm uninstaller web page, you are prompted to accept a small software component—an ActiveX control called AxWebRemoveCtrl created by SunnComm. This control has a design flaw that allows any web site to cause it to download and execute code from an arbitrary URL. If you’ve used the SunnComm uninstaller, the vulnerable AxWebRemoveCtrl component is still on your computer, and if you later visit an evil web site, the site can use the flawed control to silently download, install, and run any software code it likes on your computer. The evil site could use this ability to cause severe damage, such as adding your PC to a botnet or erasing your hard disk.

You can tell whether the vulnerable control is installed on your computer by using our AxWebRemoveCtrl detector.

We have created a tool that will disable the control and/or block it from being installed. To apply our tool, download this file to a temporary location, then double click on the file’s icon in Windows. (Windows may ask you to confirm that you wish to add the information in the file to the system registry–choose “Yes.”) After the tool has been applied, you may delete the file you downloaded. The tool will take effect as soon as you close and restart Internet Explorer. We recommend that anyone who has used the SunnComm uninstaller run our tool as soon as possible.

Unfortunately, if you use our tool to block the control, you won’t be able to use SunnComm’s current uninstaller to remove their software. It’s up to them to replace the flawed uninstaller with a safe one as soon as possible, and to contact those who have already used the vulnerable uninstaller with instructions for closing the hole.

UPDATE (Nov. 18): We are currently helping SunnComm test a new version of the uninstaller.

Immunize Yourself Against Sony's Dangerous Uninstaller

Jeff Dwoskin and Alex Halderman have developed a simple tool that can immunize a Windows system against the dangerous CodeSupport ActiveX control that we have written about over the past few days. The immunization tool should disable CodeSupport if it is already on your system, and it should prevent any future reinstallation or reactivation of CodeSupport.

You can test whether the vulnerable CodeSupport component is installed on your system using our CodeSupport detector web page. If you are infected, we strongly recommend that you run our immunization tool. Even if you are not infected, you can apply our patch to prevent the flawed control from being installed in the future.

To install the tool, download this file to a temporary location, then double click on the file’s icon in Windows. (Windows may ask you to confirm that you wish to add the information in the file to the system registry–choose “Yes.”) After the tool has been applied, you may delete the file. The tool will take effect as soon as you close and restart Internet Explorer.

The tool works by putting an entry into the Windows registry that tells Internet Explorer not to activate any ActiveX control that uses the unique identifier (or “classid”) associated with CodeSupport. This registry area is described in a Microsoft KnowledgeBase article.

Sony has modified their uninstaller sequence so that users who want to start the uninstallation process will not download CodeSupport. That’s good. But unfortunately the CodeSupport component is still up on the company’s web site, so users who were already partway through the uninstall process might still download CodeSupport. That’s not good; but it’s easy to fix. Let’s hope Sony fixes it.

Meanwhile, the company is reportedly working to develop a safe uninstaller. We’ll let you know when they release an uninstaller, and we’ll tell you what we think of it.

Update: Sony Uninstaller Hole Stays Open

Earlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete.

Sony’s web-based uninstaller is a three step process:

  1. You fill out an uninstall request on Sony’s web site.
  2. Sony sends you an email with a link to a second request form. When you follow this link, Sony’s site automatically installs a piece of software–an ActiveX control created by First4Internet–called CodeSupport.
  3. After delay, Sony sends another email with a link to a third web page that removes the copy protection software. However, the CodeSupport component remains on your computer indefinitely.

Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously performed at least step 2 of Sony’s uninstall process, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

You can tell whether you are vulnerable by visiting our CodeSupport detector page.

If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.

UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form (step 1, above). In its place is the following message:

November 15th, 2005 – We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.

This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk.