You may have heard it but uninstalling SONY'S ROOTKIT creates even more security holes in the OS.
-> The rootkit was botched and now we read the uninstaller is doubly botched.
http://blogs.washingtonpost.com/securityfix/2005/11/multiple_securi.html
Bob
"Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit. "
http://www.freedom-to-tinker.com/?p=926
missing is: Freedom-
Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs
Tuesday November 15, 2005 by Ed Felten
[This post was co-written by J. Alex Halderman and Ed Felten.]
Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.
The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.
A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
We have constructed a demonstration code package and web page that exploits this design flaw to install unwanted files on a target computer. The exploit does not actually harm the computer, but it demonstrates that hostile code can be run on a target computer, and that the hostile code can perform operations that should be forbidden. At present we are not releasing the demonstration exploit to the public.
CodeSupport was also installed as part of the original web-based updater that Sony released to remove First4Internet’s rootkit. Sony has since replaced the web-based version of the updater with a downloadable EXE or ZIP file; these are safe to use as far as we know. If you didn’t use the original web-based updater, and you haven’t requested the full uninstaller from Sony, then you are safe from this particular vulnerability, as far as we know.
How can you protect yourself against this vulnerability? First, for now don’t accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off your machine, if it’s not already there.
You can tell whether your machine is vulnerable by trying Muzzy’s reboot demonstration link. If CodeSupport isn’t on your machine, the link will do nothing, beyond displaying a message in your browser window. But if you have CodeSupport and are therefore vulnerable, then the link will reboot your machine. You’ve been warned! [UPDATE (9:35 AM): Mark notes in the comments that Muzzy’s demo might sometimes make things worse. We’ll develop a safer variant and post it here.]
If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
cmd /k del "%windir%\downloaded program files\codesupport.*"
This is not an ideal solution – depending on your security settings, it may not prevent the software from installing again – but it’s better than nothing. We’ll have to wait for First4Internet to develop a complete patch.
UPDATE: USA Today reports that Sony will recall the affected CDs. Discs in the supply chain will not be sold, and customers who have already bought discs will be able to exchange them. Sony will announce details of the recall plan later in the week. We hope the plan will include distribution of cleanup tools to customers who still have potentially dangerous XCP software on their machines.
freedom-to-tinker
http://www.freedom-to-tinker.com/?p=927
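The root cause in the quoted post is a control that is marked "safe for scripting" and exposes a download-and-install method without checking which page is calling it, where the package comes from, or whether the package is genuine. The following is an added example, not code from the post, from Sony or from First4Internet: a plain Python simulation of that method in its flawed form next to a hardened form that applies the three missing checks. There is no real ActiveX control, browser or network here; the page origins, hostnames, packages and digests are all constructed for the example, and the pinned SHA-256 digest stands in for verifying a vendor code signature.

```python
"""Added example, not code from the post or from Sony/First4Internet: a plain
Python simulation of the design flaw in a "safe for scripting" control that
downloads and installs code on request. No real ActiveX, browser or network
is involved; page origins, hostnames, packages and digests are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

VENDOR_URL = "https://updates.vendor.example/fix.cab"         # constructed
TAMPERED_URL = "https://updates.vendor.example/tampered.cab"  # constructed
EVIL_URL = "https://evil.example/payload.cab"                 # constructed

# Constructed stand-in for the network: URL -> bytes a download would return.
FAKE_NETWORK = {
    VENDOR_URL: b"genuine vendor fix",
    TAMPERED_URL: b"package altered in transit or on a compromised host",
    EVIL_URL: b"attacker-supplied payload",
}


def fetch(url: str) -> bytes:
    """Stand-in for an HTTP download."""
    if url not in FAKE_NETWORK:
        raise FileNotFoundError(url)
    return FAKE_NETWORK[url]


@dataclass
class VulnerableControl:
    """Mirrors the behaviour the post describes: any page may call the method,
    any URL is fetched, and nothing about origin or integrity is checked."""
    installed: list = field(default_factory=list)

    def download_and_install(self, caller_origin: str, url: str) -> None:
        self.installed.append(fetch(url))


@dataclass
class HardenedControl:
    """Same method, but with the three checks the flaw lacks: which pages may
    invoke it, which hosts it may fetch from, and whether the package matches a
    pinned digest (a stand-in for verifying a vendor code signature)."""
    allowed_callers: frozenset
    allowed_hosts: frozenset
    manifest: dict  # url -> expected SHA-256 hex digest
    installed: list = field(default_factory=list)

    def download_and_install(self, caller_origin: str, url: str) -> None:
        if caller_origin not in self.allowed_callers:
            raise PermissionError(f"page {caller_origin} may not drive this control")
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname not in self.allowed_hosts:
            raise PermissionError(f"refusing to fetch from {url}")
        data = fetch(url)
        expected = self.manifest.get(url)
        actual = hashlib.sha256(data).hexdigest()
        if expected is None or not hmac.compare_digest(actual, expected):
            raise ValueError(f"package at {url} failed integrity check")
        self.installed.append(data)


def make_hardened() -> HardenedControl:
    """Policy a vendor would ship: only its own site may call, only its own
    update host may be fetched, only packages listed in the manifest install."""
    return HardenedControl(
        allowed_callers=frozenset({"https://www.vendor.example"}),
        allowed_hosts=frozenset({"updates.vendor.example"}),
        # The tampered URL is listed with the digest of the genuine package, so
        # the altered bytes served for it fail the check.
        manifest={
            VENDOR_URL: hashlib.sha256(FAKE_NETWORK[VENDOR_URL]).hexdigest(),
            TAMPERED_URL: hashlib.sha256(FAKE_NETWORK[VENDOR_URL]).hexdigest(),
        },
    )


def attempt(control, caller_origin: str, url: str) -> str:
    """Run one scripted call and report the outcome by name."""
    try:
        control.download_and_install(caller_origin, url)
        return "installed"
    except (PermissionError, ValueError, FileNotFoundError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("vulnerable, evil page, evil URL:", attempt(VulnerableControl(), "https://evil.example", EVIL_URL))
    hardened = make_hardened()
    print("hardened, evil page, evil URL:  ", attempt(hardened, "https://evil.example", EVIL_URL))
    print("hardened, vendor page, evil URL:", attempt(hardened, "https://www.vendor.example", EVIL_URL))
    print("hardened, vendor page, tampered:", attempt(hardened, "https://www.vendor.example", TAMPERED_URL))
    print("hardened, vendor page, genuine: ", attempt(hardened, "https://www.vendor.example", VENDOR_URL))
```

The design point is that a control flagged safe for scripting is reachable from every page the browser visits, so the method itself has to treat each caller as untrusted: the caller check alone stops the scenario in the post, the host allowlist limits what a compromised vendor page could reach, and the digest (or, in a real control, a signature) check catches a package that was swapped out on the way. Removing the "safe for scripting" marking, as the post's deletion step effectively does by removing the control, is the blunt alternative when none of those checks exist.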
Sony says that only 20 titles, which it refuses to name, contain the XCP virus - software which attacks music piracy by attacking your PC. But is it being economic with the actualité?
http://www.theregister.co.uk/2005/11/15/sony_bmg_bodycount/
First, Sony and First4Internet download spyware onto your PC just so you can listen to a CD you just purchased. Then they announced that you can get instructions to fix their problem. Now I find out that to uninstall their spyware, you have to download more software from First4Internet just to get rid of their previous software. Do they really believe that people are going to trust any software from this company?
'' Sony just got a patent on a method of restricting game software to one copy on one particular machine. They seem to think that this kind of lockdown will be tolerated by its customers. Someone sell these guys a clue. ''
http://www.security.ithub.com/article/Sonys+DRM+It+Just+Keeps+Getting+Worse/165201_1.aspx?kc=ewnws111505dtx1k0000599
While readers of the CNet forums are in the know, will anyone know what Sony had planned for games? That is, what happens when your PS3 game is locked to your PS3?
I'm asking one question here:
What was in that koolaid at the Sony offices?
Bob
LOS ANGELES — Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs. (Related item: Firestorm rages over lockdown on digital music)
Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.
http://www.usatoday.com/money/industries/technology/2005-11-14-sony-cds_x.htm
Sony Numbers Add Up to Trouble By Quinn Norton
Story location: http://www.wired.com/news/privacy/0,1848,69573,00.html
08:38 AM Nov. 15, 2005 PT
More than half a million networks, including military and government sites, were likely infected by copy-restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts Tuesday.