EFF and Sony Disclose New DRM Security Hole

Dotnaught writes "The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment said on Tuesday that SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs. Security firm iSEC Partners discovered the hole following a request by the EFF to examine the SunnComm software. The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC. The EFF and iSEC delayed disclosing the problem until SunnComm could develop a fix."
  • Useful indeed (Score:5, Insightful)

    by Renegade Lisp ( 315687 ) * on Wednesday December 07, 2005 @09:50AM (#14201479)
    And to think that only yesterday, there was a slashdot story [slashdot.org] wondering whether the EFF had outlived its usefulness... So there's your answer, I guess.
  • Thank you Sony! (Score:5, Insightful)

    by Suzumushi ( 907838 ) on Wednesday December 07, 2005 @09:55AM (#14201512)
    Sony has done more damage to the DMCA and set back DRM farther than the combined efforts of the EFF and like-minded people around the world. We should all thank them.
  • Sorry to be rude (Score:5, Insightful)

    by FidelCatsro ( 861135 ) * <fidelcatsro&gmail,com> on Wednesday December 07, 2005 @09:57AM (#14201525) Journal
    But first you install stealthy and quite possibly illegal software with one hand, and with the other you install DRM with a security hole that hardly anyone will patch because they will likely not hear about it.
    Way to go Sony, you truly are a bunch of arse-holes.
    Well at least if this gets major press coverage it may cause an even larger headache to the ever-encroaching wave of DRM.
  • by pedestrian crossing ( 802349 ) on Wednesday December 07, 2005 @10:01AM (#14201557) Homepage Journal

    Great, now not only do I have to make sure all my users' applications are patched, but I have to track patches on every frigging DRM implementation out there as well.

    Well, payback is a bitch.

    I have already steered a friend away from a Sony stereo to another brand, making it clear that Sony is not a good "citizen" and they would do well to stay clear of any Sony products.

    Yes, I am only one puny person, but I've already cost them a couple of hundred bucks, and will continue to do so at every opportunity.

  • by /ASCII ( 86998 ) on Wednesday December 07, 2005 @10:04AM (#14201576) Homepage
    It's obvious that you are joking, but the problem is that this is exactly the solution that will be proposed, and in politics it is the preferred type of solution.
  • by eggoeater ( 704775 ) on Wednesday December 07, 2005 @10:06AM (#14201591) Journal
    It is clear that DRM software is going to be as open to bugs as any other software...
    Actually...much more so.
    DRM software has to do more than regular software to prevent users from circumventing it, with the latest craze being OS hooks.
    Insecure software + OS hooks = HUGE security risks.
    If you ever want to release a worm that takes advantage of a DRM security hole, just put it on a web site that tells you how to disable that particular DRM. People will google for a way to disable their DRM, go to your site, and WHAM.

  • by Billosaur ( 927319 ) * <wgrotherNO@SPAMoptonline.net> on Wednesday December 07, 2005 @10:09AM (#14201606) Journal

    From EFF: "We're pleased that SONY BMG responded quickly and responsibly when we drew their attention to this security problem," said EFF staff attorney Kurt Opsahl. "Consumers should take immediate steps to protect their computers."

    As if Sony, which already has a boatload of negative publicity, could do anything else. I think even the stuffed shirts there must now realize that they can't let anything else fall through the cracks or their music business might collapse. Don't be surprised if Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.

  • Onion article (Score:4, Insightful)

    by BushCheney08 ( 917605 ) on Wednesday December 07, 2005 @10:14AM (#14201638)
  • Re:Thank you Sony! (Score:3, Insightful)

    by VitaminB52 ( 550802 ) on Wednesday December 07, 2005 @10:18AM (#14201659) Journal
    Yes, but the one thing they haven't been successful in is pointing out the danger of DRM to Joe Sixpack.

    Antivirus software reporting the Sony DRM software as a virus should take care of that.
    Oh yes, and popular DJ's on national radio should warn their audience about the Sony DRM shit^H^H^Hoftware.

  • Now lets see (Score:4, Insightful)

    by Ilex ( 261136 ) on Wednesday December 07, 2005 @10:19AM (#14201669)
    I could drive into town and spend £12/$12 on a DRM'd malware-infected CD which may or may not play in my car's CD player / iPod

    Or

    Sit here and rip the whole thing off the net for free and burn it to CD and copy it to my iPod.
    <sarcasm>
    Yeah DRM is a great way to stop piracy.
    </sarcasm>
    Maybe they should try offering value for money instead.
  • by WidescreenFreak ( 830043 ) on Wednesday December 07, 2005 @10:20AM (#14201675) Homepage Journal
    Sony is really setting DRM and copy-protection back by several years. And with each announcement, they are making more and more people dislike DRM. That's not a bad thing, I suppose, but they're making it painfully obvious that the only fix for this is the complete removal of the software from people's systems with instructions on how to prevent the software from being loaded again in the future. (Sadly, a huge number of people don't know about the Shift key as an autorun disabler.)

    Frankly, I want to see a major mea culpa from Sony on just about every TV and radio station that targets the audience from all of those DRMed audio CDs, complete with the previously mentioned instructions and a promise (that will be kept) that such DRM techniques will never be used in the future.

    Considering that even artists themselves are starting to fight back against DRM stating that it does nothing but hurt the fans, which is true, it's about time for the heads of these companies to realize that Sony has crossed the line and that DRM for audio CDs is not only useless but can have dire consequences. I'm not going to use that silly "information wants to be free" dogma that is used too often on /. but it's become clear that negative reactions like DRM are not what keep CD sales going.

    Maybe they should - gasp! - try adding value that the customer wants and cannot get over the Internet through downloading rather than trying to add chains to a product that we want to legally buy. For example:
    * Buy the CD and get the concert DVD for 1/2 price
    * Buy the CD and get a discount on concert tickets and merchandise
    * Buy the CD and accumulate points that can be redeemed for other items

    Tactics like these, where items that cannot be downloaded are offered as incentive, are a much better alternative to increase sales than pissing off the customer base by nefarious methods such as DRM. This is particularly true because DRM can be defeated by one simple method: CD line out --> PC line in.

    In short, make it worth my while to buy the CD and not download it. DRM, particularly the kind that Sony implemented, does the opposite.
  • by jc42 ( 318812 ) on Wednesday December 07, 2005 @10:24AM (#14201697) Homepage Journal
    Who in their right mind would voluntarily install something from SunnComm or SonyBMG given their track record?

    Most of the victims have no idea that they're installing software on their computer. They're just playing a CD that they bought.

    We geeks and nerds on /. understand the issue. 99% of the population don't even know what "installing software" means, have never done it (intentionally), and aren't to blame for being victims of such things.

    Blame the criminals, not their victims.

  • by Ch*mp ( 863455 ) on Wednesday December 07, 2005 @10:41AM (#14201858)
    The patch prevents you from 'inoculating' your PC against the risk of future 'infection'.

    The gist of this press release is that I now have to keep a list of all the titles that might be affected just in case I, or anyone in my family decides to buy a MediaMax protected CD (or are given one as a gift) - Yes you can still buy a flawed CD. Even if Sony issues a recall on ALL affected CDs that does not give me 100% protection from this mess.

    I now have to keep monitoring my PC forever more in case someone obtains an 'original' CD with the flawed DRM.

    How exactly is this announcement and patch supposed to help me?

    - All they've done is made my home admin tasks more complicated by heaping another problem onto me and they haven't given me an adequate solution.

  • Doubly Screwed (Score:4, Insightful)

    by Anonymous Coward on Wednesday December 07, 2005 @10:43AM (#14201887)
    The most interesting part about the whole Sony BMG rootkit fiasco, and now this, is that it seems as if Sony is doubly screwed from now on, because whenever they put out a new product, it's going to be hacked from all sides, to find little holes like this. I'm sure there are plenty of other products out there that behave similarly or have holes in them, that are from other companies, and aren't getting exposed because they didn't piss off the internet community.

    It's this kind of backlash now that is busting Sony, because anything they put out from now on had better be bullet-proof, or else it will wind up being counterproductive.
  • by geminidomino ( 614729 ) * on Wednesday December 07, 2005 @10:57AM (#14201995) Journal
    Well, reliance on binaries without source is blind faith too.

    Reliance on binaries WITH source is blind faith, too, if you can't read hundreds of thousands of lines of source yourself, since taking someone else's word for it is just as much "blind" faith.

    That's the answer! Only unemployed programmers should use computers!
  • by CaptainZapp ( 182233 ) * on Wednesday December 07, 2005 @11:01AM (#14202028) Homepage
    Most surprising is the change of Tune of Mr. Hesse, from:

    "Users don't know what a rootkit is so why should they care"

    to

    "We are taking the concerns of our customers very seriously, blahblahblah"

    Could it be that Mr. Hesse is full of shit?

  • Re:Sony Software (Score:3, Insightful)

    by Ankou ( 261125 ) on Wednesday December 07, 2005 @11:02AM (#14202033)
    Good call, that may work for network transmissions, but there are other possible scenarios to take into consideration. For instance, how do I know that when I create a training video and burn it with their software, I don't propagate their rootkit on that CD/DVD? The software does come with all kinds of protection options, so it isn't crazy to think of that kind of scenario. You are right, 400 dollars isn't something to write off so fast. Imagine, though, being sued later by a client whose computer got infected with one of those videos. This is all hypothetical, just something to consider.
  • by jc42 ( 318812 ) on Wednesday December 07, 2005 @11:11AM (#14202130) Homepage Journal
    It just doesn't make sense. Would you hire the burglar that broke into your home to install your security system?

    Ah, but the great majority of victims of the first Sony rootkit still have it installed. They haven't heard about the problem, or heard and didn't understand at all. If you take a look at the removal instructions, you'll see that there isn't a chance that your typical Joe Sixpack could ever follow them. If he tried, the result would probably be a machine that didn't boot.

    But most of the victims haven't tried to remove it, because they don't have any idea it's there.

    You might well hire the burglar if you had no clues that he was the burglar, and if friends and the BBB recommended him. This is an old sort of scam.

  • by Anonymous Coward on Wednesday December 07, 2005 @11:21AM (#14202213)
    IIRC, the SunnComm software installs regardless of whether or not you accept the EULA. http://www.freedom-to-tinker.com/?p=936 [freedom-to-tinker.com]
  • by wo1verin3 ( 473094 ) on Wednesday December 07, 2005 @11:29AM (#14202277) Homepage
    No but if you insert a mod chip it will sprout legs and walk back to Sony corp headquarters.

    In Japan.

    Across the water.

    Yes really.
  • by Nom du Keyboard ( 633989 ) on Wednesday December 07, 2005 @11:47AM (#14202447)
    SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs.

    I am still waiting to see how you patch a CD -- short of replacing it entirely, that is.

    For now, I wouldn't trust Sony to patch my Tinkertoys properly, let alone my computer.

  • Don't be surprised if Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.

    Why, because Sony's other electronics shops won't be including any DRM built in, like DRM on HDMI and new high-def TVs, DRM in new Blu-Ray DVD players, DRM in game machines and on game discs, DRM on Blu-Ray discs... I can almost guarantee that some of this DRM will prevent users from using the content they purchase the way they want to use it. Sony does not need to divest itself of BMG as a solution, because the problem exists at a much higher level - the perception that DRM is a "Good Thing." Until they resolve THAT issue, Sony is in for some hurt.

  • by Nom du Keyboard ( 633989 ) on Wednesday December 07, 2005 @12:10PM (#14202642)
    finding a way to enable users to buy the entire album all at once instead of individual songs, for the same price as the typical retail physical CD.

    I think I should be paying less than in-store retail when I download my CD album. After all, in addition to the content I'm paying for my bandwidth to download it, my time in downloading, my hard drive space to store it on, any cover art or inserts that I have to print myself, as well as the blank CD I burn to play it outside of my computer and the jewel case I need to buy to store it in.

    The record company selling me this album does not have pressing, materials, distribution, or record retailer profits to pay in the process.

    So stop encouraging record companies to think they can sell me less for the same price! They're already doing that well enough on their own.

  • by Kozar_The_Malignant ( 738483 ) on Wednesday December 07, 2005 @12:14PM (#14202667)

    This is not the "rootkit" DRM software that we're talking about here. This is the other DRM crapware that Sony/BMG has on its discs. I buy a moderate amount of music on CDs, then rip them to MP3s to play on my Rio and car stereo. I was planning to buy Carlos Santana's new disc when this whole flap came up. I checked, saw that Santana wasn't on the rootkit list, and briefly considered buying it, although I have avoided all DRMed music to this point. No worries, I'll rip it on my Linux box anyway.

    I changed my mind, and I'm glad I did. One less bit of malware in the stream of commerce. I did go to Carlos' website and told them I had decided not to buy the disc and why. From the notes there, it seems they have been getting a lot of that. This may be the most effective way to deal with this issue. Tell the artists that you will not buy their art, if it comes packaged with such crap.

  • Re:yes we all know (Score:2, Insightful)

    by cloudkiller ( 877302 ) on Wednesday December 07, 2005 @12:18PM (#14202695) Homepage Journal
    Let me see. I have a crappy OS (Windows) that I have to patch once a month. I have many crappy browsers that also need to be patched from time to time. I have a software firewall that needs patching plus antivirus, anti-spyware, office apps, email clients, photo programs, games... And now I also have to patch my CDs. Great! Hey, I have a better idea, why not just sell us an upgraded music CD that has a patched DRM? As long as it's at least $5 more than the first one I bought I'll have the assurance of spending the most money possible while also having 16 copies of Jessica Simpson's new CD.
  • by budgenator ( 254554 ) on Wednesday December 07, 2005 @12:54PM (#14203073) Journal
    In other news from The Register [theregister.co.uk]
    • Celine Dion fights mutant rats on Xbox 360 [theregister.co.uk]
    • Mutant rats menace Belfast [theregister.co.uk]
    • Killer squirrel pack guts dog [theregister.co.uk]
    • Youths strap hamster to rocket [theregister.co.uk]
    • Al-Qaeda probes enemy on Google Earth [theregister.co.uk]
    • Japan triumphs with MP3 toilet seat [theregister.co.uk]
    • Entire porn outfit for sale on eBay [theregister.co.uk]
    • Slashdot practises safe sex [theregister.co.uk]
  • Re:the paranoid ac (Score:3, Insightful)

    by SillySlashdotName ( 466702 ) on Wednesday December 07, 2005 @05:15PM (#14205201)
    Something else I noticed: Before seeing this article on slashdot, I'd just been reading the coverage of the story on news.google.com, and I was a bit bemused by the fact that I couldn't find mention of the kinds of computers that were vulnerable to this exploit. Now, call me paranoid too, but I'll make the wild surmise that they were running Microsoft Windows.

    I have posted this before - almost always it isn't an INTERNET worm, it is a MICROSOFT I.E. worm, it isn't an EMAIL virus, it is a MICROSOFT OUTLOOK email virus, it isn't a trojan, it is a MICROSOFT WINDOWS exploit...

    I really think the MICROSOFT name NEEDS to be presented when an exploit THAT ONLY RUNS ON MICROSOFT software is found.
