I have good news and bad news about Sony’s other CD DRM technology, the SunnComm MediaMax system. (For those keeping score at home, Ed and I have written a lot recently about Sony’s XCP copy protection technology, but this post is about a separate system that Sony ships on other CDs.)

I wrote last weekend about SunnComm’s spyware-like behavior. Sony CDs protected with their technology automatically install several megabytes of files without any meaningful notice or consent, silently phone home every time you play a protected album, and fail to include any uninstall option.

Here’s the good news: As several readers have pointed out, SunnComm will provide a tool to uninstall their software if users pester them enough. Typically this requires at least two rounds of emails with the company’s support staff.

Now the bad news: It turns out that the web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony’s other DRM, XCP, that we announced a few days ago. I have verified that it is possible for a malicious web site to use the SunnComm hole to take control of PCs where the uninstaller has been used. In fact, the the SunnComm problem is easier to exploit than the XCP uninstaller flaw.

To be clear, the SunnComm security flaw does not apply to the software that ships on CDs, but only to the uninstaller that SunnComm distributes separately for removing the CD software. So if you haven’t used the uninstaller, you’re not vulnerable to this flaw and you don’t need to do anything.

If you visit the SunnComm uninstaller web page, you are prompted to accept a small software component—an ActiveX control called AxWebRemoveCtrl created by SunnComm. This control has a design flaw that allows any web site to cause it to download and execute code from an arbitrary URL. If you’ve used the SunnComm uninstaller, the vulnerable AxWebRemoveCtrl component is still on your computer, and if you later visit an evil web site, the site can use the flawed control to silently download, install, and run any software code it likes on your computer. The evil site could use this ability to cause severe damage, such as adding your PC to a botnet or erasing your hard disk.

You can tell whether the vulnerable control is installed on your computer by using our AxWebRemoveCtrl detector.

We have created a tool that will disable the control and/or block it from being installed. To apply our tool, download this file to a temporary location, then double click on the file’s icon in Windows. (Windows may ask you to confirm that you wish to add the information in the file to the system registry–choose “Yes.”) After the tool has been applied, you may delete the file you downloaded. The tool will take effect as soon as you close and restart Internet Explorer. We recommend that anyone who has used the SunnComm uninstaller run our tool as soon as possible.

Unfortunately, if you use our tool to block the control, you won’t be able to use SunnComm’s current uninstaller to remove their software. It’s up to them to replace the flawed uninstaller with a safe one as soon as possible, and to contact those who have already used the vulnerable uninstaller with instructions for closing the hole.

UPDATE (Nov. 18): We are currently helping SunnComm test a new version of the uninstaller.

Jeff Dwoskin and Alex Halderman have developed a simple tool that can immunize a Windows system against the dangerous CodeSupport ActiveX control that we have written about over the past few days. The immunization tool should disable CodeSupport if it is already on your system, and it should prevent any future reinstallation or reactivation of CodeSupport.

You can test whether the vulnerable CodeSupport component is installed on your system using our CodeSupport detector web page. If you are infected, we strongly recommend that you run our immunization tool. Even if you are not infected, you can apply our patch to prevent the flawed control from being installed in the future.

To install the tool, download this file to a temporary location, then double click on the file’s icon in Windows. (Windows may ask you to confirm that you wish to add the information in the file to the system registry–choose “Yes.”) After the tool has been applied, you may delete the file. The tool will take effect as soon as you close and restart Internet Explorer.

The tool works by putting an entry into the Windows registry that tells Internet Explorer not to activate any ActiveX control that uses the unique identifier (or “classid”) associated with CodeSupport. This registry area is described in a Microsoft KnowledgeBase article.

Sony has modified their uninstaller sequence so that users who want to start the uninstallation process will not download CodeSupport. That’s good. But unfortunately the CodeSupport component is still up on the company’s web site, so users who were already partway through the uninstall process might still download CodeSupport. That’s not good; but it’s easy to fix. Let’s hope Sony fixes it.

Meanwhile, the company is reportedly working to develop a safe uninstaller. We’ll let you know when they release an uninstaller, and we’ll tell you what we think of it.

Earlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete.

Sony’s web-based uninstaller is a three step process:

1. You fill out an uninstall request on Sony’s web site.
2. Sony sends you an email with a link to a second request form. When you follow this link, Sony’s site automatically installs a piece of software–an ActiveX control created by First4Internet–called CodeSupport.
3. After delay, Sony sends another email with a link to a third web page that removes the copy protection software. However, the CodeSupport component remains on your computer indefinitely.

Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously performed at least step 2 of Sony’s uninstall process, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

You can tell whether you are vulnerable by visiting our CodeSupport detector page.

If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.

UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form (step 1, above). In its place is the following message:

November 15th, 2005 – We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.

This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk.

[This post was co-written by J. Alex Halderman and Ed Felten.]

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

We have constructed a demonstration code package and web page that exploits this design flaw to install unwanted files on a target computer. The exploit does not actually harm the computer, but it demonstrates that hostile code can be run on a target computer, and that the hostile code can perform operations that should be forbidden. At present we are not releasing the demonstration exploit to the public.

CodeSupport was also installed as part of the original web-based updater that Sony released to remove First4Internet’s rootkit. Sony has since replaced the web-based version of the updater with a downloadable EXE or ZIP file; these are safe to use as far as we know. If you didn’t use the original web-based updater, and you haven’t requested the full uninstaller from Sony, then you are safe from this particular vulnerability, as far as we know.

How can you protect yourself against this vulnerability? First, for now don’t accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off you machine, if it’s not already there.

To see whether CodeSupport is on your computer, try our CodeSupport detector page.

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)

cmd /k del “%windir%downloaded program filescodesupport.*”

This is not an ideal solution – depending on your security settings, it may not prevent the software from installing again – but it’s better than nothing. We’ll have to wait for First4Internet to develop a complete patch.

UPDATE: USA Today reports that Sony will recall the affected CDs. Discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week. We hope the plan will include distribution of cleanup tools to customers who still have potentially dangerous XCP software on their machines.