Jeff Dwoskin and Alex Halderman have developed a simple tool that can immunize a Windows system against the dangerous CodeSupport ActiveX control that we have written about over the past few days. The immunization tool should disable CodeSupport if it is already on your system, and it should prevent any future reinstallation or reactivation of CodeSupport.

You can test whether the vulnerable CodeSupport component is installed on your system using our CodeSupport detector web page. If you are infected, we strongly recommend that you run our immunization tool. Even if you are not infected, you can apply our patch to prevent the flawed control from being installed in the future.

To install the tool, download this file to a temporary location, then double click on the file’s icon in Windows. (Windows may ask you to confirm that you wish to add the information in the file to the system registry–choose “Yes.”) After the tool has been applied, you may delete the file. The tool will take effect as soon as you close and restart Internet Explorer.

The tool works by putting an entry into the Windows registry that tells Internet Explorer not to activate any ActiveX control that uses the unique identifier (or “classid”) associated with CodeSupport. This registry area is described in a Microsoft KnowledgeBase article.

Sony has modified their uninstaller sequence so that users who want to start the uninstallation process will not download CodeSupport. That’s good. But unfortunately the CodeSupport component is still up on the company’s web site, so users who were already partway through the uninstall process might still download CodeSupport. That’s not good; but it’s easy to fix. Let’s hope Sony fixes it.

Meanwhile, the company is reportedly working to develop a safe uninstaller. We’ll let you know when they release an uninstaller, and we’ll tell you what we think of it.

Earlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete.

Sony’s web-based uninstaller is a three step process:

1. You fill out an uninstall request on Sony’s web site.
2. Sony sends you an email with a link to a second request form. When you follow this link, Sony’s site automatically installs a piece of software–an ActiveX control created by First4Internet–called CodeSupport.
3. After delay, Sony sends another email with a link to a third web page that removes the copy protection software. However, the CodeSupport component remains on your computer indefinitely.

Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously performed at least step 2 of Sony’s uninstall process, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

You can tell whether you are vulnerable by visiting our CodeSupport detector page.

If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.

UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form (step 1, above). In its place is the following message:

November 15th, 2005 – We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.

This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk.

[This post was co-written by J. Alex Halderman and Ed Felten.]

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

We have constructed a demonstration code package and web page that exploits this design flaw to install unwanted files on a target computer. The exploit does not actually harm the computer, but it demonstrates that hostile code can be run on a target computer, and that the hostile code can perform operations that should be forbidden. At present we are not releasing the demonstration exploit to the public.

CodeSupport was also installed as part of the original web-based updater that Sony released to remove First4Internet’s rootkit. Sony has since replaced the web-based version of the updater with a downloadable EXE or ZIP file; these are safe to use as far as we know. If you didn’t use the original web-based updater, and you haven’t requested the full uninstaller from Sony, then you are safe from this particular vulnerability, as far as we know.

How can you protect yourself against this vulnerability? First, for now don’t accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off you machine, if it’s not already there.

To see whether CodeSupport is on your computer, try our CodeSupport detector page.

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)

cmd /k del “%windir%downloaded program filescodesupport.*”

This is not an ideal solution – depending on your security settings, it may not prevent the software from installing again – but it’s better than nothing. We’ll have to wait for First4Internet to develop a complete patch.

UPDATE: USA Today reports that Sony will recall the affected CDs. Discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week. We hope the plan will include distribution of cleanup tools to customers who still have potentially dangerous XCP software on their machines.

Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.

We are working furiously to nail down the details and will report our results here as soon as we can. [UPDATE (Nov. 15): We have now posted more details.]

In the meantime, we recommend strongly against downloading or running Sony’s Web-based XCP uninstaller.

Kudos to Muzzy for first suggesting that such a hole might exist.

UPDATE: If you’re technically sophisticated, and you have run the XCP uninstaller on your computer, you may be able to help us in our investigations. It won’t take long. Please contact Alex to volunteer. Thanks.

Now that virus writers have started exploiting the rootkit built into Sony-BMG albums that utilize First4Internet’s XCP DRM (as I warned they would last week), Sony has at last agreed to temporarily stop shipping CDs containing the defective software:

We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use.

What few people realize is that Sony uses another copy protection program, SunnComm‘s MediaMax, on other discs in their catalog, and that this system presumably is not included in the moratorium. Though MediaMax doesn’t resort to concealing itself with a rootkit, it does behave in several ways that are characteristic of spyware.

I originally wrote about MediaMax back in 2003. It was the first copy restricting technology that installed software in an attempt to block ripping and copying. SunnComm has continued to develop its anti-copying tools, and today MediaMax is distributed on albums from Sony-BMG and several smaller labels. Sony titles that use MediaMax include Grown and Sexy by Babyface and Z by My Morning Jacket. These discs aren’t hard to spot; the back album covers usually contain a label that includes a sunncomm.com URL.

Like XCP, recent versions of MediaMax engage in spyware-style behavior. They install software without meaningful consent or notification, they include either no means of uninstalling the software or an uninstaller that claims to remove the entire program but doesn’t, and they transmit information about user activities to SunnComm despite statements to the contrary in the end user license agreement and on SunnComm’s web site. I’ll describe each of these problems in detail below.

1. MediaMax installs without meaningful consent or notification

When a MediaMax-protected CD is inserted into a computer running Windows, the Windows Autorun feature launches a program from the CD called PlayDisc.exe. Like most installers, this program displays a license agreement, which you may accept or decline. But before the agreement appears, MediaMax installs around a dozen files that consume more than 12 MB on the hard disk. Most are copied to the folder c:Program FilesCommon FilesSunnComm Shared, shown below:

These files remain installed even if you decline the agreement. One of them, a kernel-level driver with the cryptic name “sbcphid”, is both installed and launched. This component is the heart of the copy protection system. When it is running, it attempts to block CD ripping and copying applications from reading the audio tracks on SunnComm-protected discs. MediaMax refrains from making one final change until after you accept the license—it doesn’t set the driver to automatically run again every time Windows starts. Nevertheless, the code keeps running until the computer is restarted and remains on the hard disk indefinitely, even if the agreement is declined. [Update 11/28: In several common scenarios, MediaMax goes a step further and sets the driver to automatically run again every time Windows starts, even if the user has never agreed to the license.]

To see if SunnComm’s driver is present on a Windows XP system, open the start menu and select Run. In the box that pops up, type

cmd /k sc query sbcphid

and click OK. If the response includes “STATE: 1 STOPPED”, the driver is installed; if it includes “STATE: 4 RUNNING”, the driver is installed and actively restricting access to music. Alternately, you can look for the driver’s file, sbcphid.sys, which will be located in the c:windowssystem32drivers folder if it is installed.

(Newer version of SunnComm’s software can also block copying on Mac systems, as reported by MacInTouch. However, since Mac OS X does not automatically run software from CDs, Mac users will only be affected if they manually launch the installer.)

Is there any meaningful notice before the program is installed? On the contrary, the Sony license agreement (which happens to be identical to the agreement on XCP discs, despite significant differences between XCP and MediaMax) states that the software will not be installed until after you accept the terms:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.

Notice too that while the agreement partially describes the protection software, it fails to disclose important details about what the software does. Yes, the MediaMax driver tries to “protect the audio files embodied on the CD,” but it also attempts to restrict access to any other CD that use SunnComm’s technology. You only need to agree to installation on one album for the software to affect your ability to use many other titles.

2. MediaMax discs include either no uninstaller or an uninstaller that fails to remove major components of the software

None of the MediaMax albums I’ve seen from Sony-BMG include any option to uninstall the software. However, some titles from other labels do include an uninstall program. For instance, the album You Just Gotta Love Christmas by Peter Cetera (Viastar Records) adds MediaMax to the Windows Add/Remove Programs control panel, the standard interface for removing programs. If you elect to remove the software, it displays the following prompt:

Clicking “Yes” does cause parts of MediaMax to be deleted, including nearly all the files in the SunnComm shared folder. However, the protection driver remains installed and active despite the suggestion that “MediaMax and all of its components” would be removed. That means iTunes and other programs still cannot access music for any SunnComm-protected CD.

[Update: Apparently SunnComm was providing an uninstaller to users who persistently demanded one, but the uninstaller opened a severe security hole in users’ systems.]

3. MediaMax transmits information about you to SunnComm without notification or consent

Sony and SunnComm seem to go out of their way to suggest that MediaMax doesn’t collect information about you. From the EULA:

[T]he SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

SunnComm’s customer care web page is equally explicit:

Is any personal information collected from my computer while using this CD?:
No information is ever collected about you or your computer without you consenting.

Yet like XCP, the MediaMax software “phones home” to SunnComm every time you play a protected CD. Using standard network monitoring tools, you can observe MediaMax connecting to the web server license.sunncomm2.com and sending the following request headers:

POST /perfectplacement/retrieveassets.asp?id=
   7F63A4FD-9FBD-486B-B473-D18CC92D05C0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: license.sunncomm2.com
Content-Length: 39
Connection: Keep-Alive
Cache-Control: no-cache


This shows that MediaMax opens a web page from a SunnComm server and sends a 32-character identifier (highlighted)—apparently a unique code that tells SunnComm what album you’re listening to. The request also contains standard HTTP headers from which the company can learn what operating system you are running (in the above example, NT 5.1, a.k.a. Windows XP) and what version of Internet Explorer you use (here, IE 6).

SunnComm also gets to observe your computer’s IP address, which is transmitted to every Internet server you connect to. You are assigned an IP address by your Internet service provider or system administrator. Many users are issued frequently changing “dynamic” IP addresses that make it difficult to track them individually, but others have fixed, “static” addresses. If you have a fixed address, SunnComm can piece together the messages from your computer to find out all the protected discs you listen to and how often you play them. In some cases, such as if you are a Princeton student, knowing the address is enough to let SunnComm track down your name, address, and phone number.

So why does MediaMax contact a SunnComm server in the first place? The server’s response to the above request isn’t very informative:

Microsoft VBScript runtime

error ‘800a000d’

Type mismatch: ‘ubound’

/perfectplacement/retrieveassets.asp, line 26

Apparently a bug in the server software prevents it from returning any useful information. However, the name “Perfect Placement” in the URL provides a valuable clue about the server’s purpose. A SunnComm web page describes “Perfect Placement” as a MediaMax feature that allows record labels to “[g]enerate revenue or added value through the placement of 3rd party dynamic, interactive ads that can be changed at any time by the content owner.” Presumably the broken site is supposed to return a list of ads to display based on the disc ID.

Just because the server software is buggy doesn’t mean it isn’t collecting data. If SunnComm’s web site is configured like most web servers, it logs the information described above for every request. We can’t know for certain what, if anything, SunnComm does with the data, but that’s why transmitting it at all raises privacy concerns.

…

To summarize, MediaMax software:

• Is installed onto the computer without meaningful notification or consent, and remains installed even if the license agreement is declined;
• Includes either no uninstall mechanism or an uninstaller that fails to completely remove the program like it claims;
• Sends information to SunnComm about the user’s activities contrary to SunnComm and Sony statements and without any option to disable the transmissions.

Does MediaMax also create security problems as serious as the Sony rootkit’s? Finding out for sure may be difficult, since the license agreement specifically prohibits disassembling the software. However, it certainly causes unnecessary risk. Playing a regular audio CD doesn’t require you to install any new software, so it involves minimal danger. Playing First4Internet or SunnComm discs means not only installing new software but trusting that software with full control of your computer. After last week’s revelations about the Sony rootkit, such trust does not seem well deserved.

Viewed together, the MediaMax and XCP copy protection schemes reveal a pattern of irresponsible behavior on the parts of Sony and its pals, SunnComm and First4Internet. Hopefully Sony’s promised re-examination of its copy protection initiatives will involve a hard look at both technologies.