moneoa
November 13th, 2005, 02:00 AM
The uninstall tool posted by Sony BMG to get rid of its controversial digital-rights management software is worse than the original software, a security company says.
Computer Associates, maker of eTrust PestPatrol anti-spyware software, says that the technological protection measure (TPM) uninstall routine itself can be classified as spyware.
Sony BMG equipped some of its music CDs with a "rootkit" that did not explicitly say it was being installed on a computer. Rootkits are tools used by hackers to hide their tracks when they take over an innocent user's machine.
Sony's TPM went further, CA says. The media player that Sony ships with those CDs sends the IP address of the computer and the user's listening habits back to Sony and perhaps all its partners, without notice, consent or choice.
And that, CA says, is a classic definition of spyware.
But to uninstall the rootkit, Sony's website says that before you can download the uninstaller, you must give your identity, CD name, e-mail address, and other data back to First4Internet, the Sony-related company that makes the rootkit. And no uninstaller is made available after this disclosure. There is no way for the user to disable or modify this "phone home" technology.
After detailed testing, Computer Associates researchers found that the following all qualify as spyware:
— The Sony XCP Application, which installs a rootkit on a PC when a CD is placed in a CD drive, failed CA's eTrust PestPatrol Spyware Scorecard, a behaviour-based list of criteria that defines what eTrust PestPatrol AntiSpyware products will detect, on eight out of 22 individual points.
— Sony issued a "patch," a 3MB download that contains a large amount of new software. That patch removes the rootkit, but also installs itself without notice to the user and without user permission. Moreover it cannot be removed either.
— The uninstall routine is so poorly made that the act of removing the rootkit can cause Windows to crash.
CA says it is investigating Sony's process, which requires users to dig several levels down on its website to receive an uninstaller.
The Sony website attempts to install an ActiveX control which is generally considered a security problem. The process purporting to remove the XCP applications requires users to reveal their identity, their e-mail address, the albums and artists purchased and the place of purchase, and requires use of an ActiveX Control which sends out unknown data to First4Internet, the maker of rootkit and spyware products for Sony.
Sony, however, does not send the user or give the user access to an uninstaller.
CA's research team asked for an uninstaller three days ago, and has not yet received one.
The security company also noted that many users bring their CDs to work, which means that a corporate PC could be hosting Sony's rootkit and users playing music could be infecting the corporate network, leaving it vulnerable to malicious attacks.
CA says that users can disable the auto-run feature on the CD-ROM (instructions at ca.com/securityadvisor). The site will also include information on how to run CA's eTrust PestPatrol on-line scanner, which will include detection for this problem, beginning Saturday. Current eTrust PestPatrol customers will need to update their anti-spyware files with an update currently available.
http://www.theglobeandmail.com/servlet/story/RTGAM.20051111.gtsony1111/BNStory/Technology/
(if it tells you to register when you try to read, just clear your cookies in IE.)