Hacking gadflies

Halderman, J. Alex, and Ed Felten. “Sony's Web-based uninstaller opens a big security hole; Sony to recall disks.” Freedom to Tinker, November 15, 2005.

Summary: This is one in a long series of entries in Felten's blog, beginning with “CD DRM makes computers less secure,” by Halderman (Freedom to Tinker, November 1, 2005), which reported the discovery that playing certain Sony/BMG compact disks on one's computer under Windows operating systems has the side effect of installing software for digital restrictions management (DRM), and the further side effect of installing software that attempts to conceal the existence of the DRM software from the user, even a user with Administrator privileges. The concealment software uses techniques borrowed from the operations of system crackers, such as the replacement of some of the functions in the Windows kernel's table of functions implementing system calls. Many anti-virus programs treat this technique as an indication of a malicious intrusion. And, indeed, once the DRM-concealing replacement functions are in place, malicious intruders can use them to conceal their own break-ins and subsequent exploits.

On November 10, Felten reported (in “SonyBMG ‘protection’ is spyware”) that malware exploiting the security hole opened by the DRM-concealing software has already been detected “in the wild” and that Sony's DRM software has another obnoxious side effect: It transmits information about the user's interactions with the DRM-restricted CDs to Sony.

On November 12, Halderman reported (in “Sony shipping spyware from SunnComm, too”) that Sony CDs also install another obnoxious spyware program, MediaMAX, which transmits information about the user's interactions with infected CDs to SunnComm, which sells MediaMAX.

Sony reacted to the exposure of their invasive DRM software by releasing a program that (according to Sony) removes the concealment software from a system infected with it. The current article, co-written by Halderman and Felten, reports that downloading this uninstaller opens up an even larger security hole than the one introduced by the original DRM-concealing software. Here's how it works:

If you fill out the form at Sony's Web site for requesting the uninstaller, Sony will send you an e-mail with a URL in it. When you visit that URL, it automatically downloads a program (an ActiveX control) called CodeSupport. Sony then sends you another e-mail with another URL in it; when you visit the second URL, CodeSupport finds the actual uninstaller and downloads and runs it for you.

Unfortunately, CodeSupport does not delete itself when it has done its job of downloading and running the uninstaller for the DRM-concealing software. You, all unsuspecting, may then subsequently use Internet Explorer to browse the Web. As you do so, you may happen to visit other sites at which CodeSupport can detect downloadable, executable programs. CodeSupport will happily download and execute them. If the author of such a Web page is a system cracker, he can drop fifty shortcuts to porn sites on your desktop, delete the contents of My Documents, My Music, and My Pictures, send voluminous spam that traces back to your machine, etc., etc. -- whatever program he has written, CodeSupport will cheerfully download and run it, without any further assistance or intervention from you.
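As an added illustration (not code from the post, from Sony, or from First4Internet), the following Python models the three design failures just described in a CodeSupport-style “download and run” helper that any web page can script, beside a hardened variant that is locked to one origin, pins the digest of the file it will accept, and works only once. All names, URLs and file contents are hypothetical and constructed; the network is a dictionary and nothing is actually executed.

```python
# Added illustration only; hypothetical names, constructed data, no real execution.
import hashlib
from urllib.parse import urlsplit

VENDOR_ORIGIN = "https://vendor.example"            # hypothetical publisher of the uninstaller
UNINSTALLER_URL = VENDOR_ORIGIN + "/uninstall/uninstaller.exe"
OTHER_VENDOR_URL = VENDOR_ORIGIN + "/uninstall/other.exe"
ATTACKER_URL = "https://attacker.example/payload.exe"  # hypothetical third-party site

# Constructed stand-in for the Web: URL -> bytes the control would fetch.
FAKE_WEB = {
    UNINSTALLER_URL: b"MZ constructed uninstaller bytes",
    OTHER_VENDOR_URL: b"MZ constructed unrelated file",
    ATTACKER_URL: b"MZ constructed hostile bytes",
}
# Digest the publisher would ship with the control, pinning the one file it may run.
UNINSTALLER_SHA256 = hashlib.sha256(FAKE_WEB[UNINSTALLER_URL]).hexdigest()

def fetch(url: str) -> bytes:
    return FAKE_WEB[url]                      # simulated download

class VulnerableControl:
    """Models the flaw: whoever can script the control gets download-and-run."""
    def download_and_run(self, page_origin: str, url: str) -> str:
        blob = fetch(url)                     # no origin check, no digest, never retires
        return f"ran {len(blob)} bytes on behalf of {page_origin}"

class HardenedControl:
    """Site-locked to one origin, digest-pinned to one file, usable once."""
    def __init__(self, allowed_origin: str, expected_sha256: str):
        self.allowed_origin, self.expected_sha256, self.used = allowed_origin, expected_sha256, False

    def download_and_run(self, page_origin: str, url: str) -> str:
        if self.used:
            raise PermissionError("control already consumed; refusing further work")
        if page_origin != self.allowed_origin:
            raise PermissionError(f"refusing request from page origin {page_origin}")
        p = urlsplit(url)                     # the download itself must come from the same origin over TLS
        if p.scheme != "https" or f"{p.scheme}://{p.netloc}" != self.allowed_origin:
            raise PermissionError(f"refusing download from {url}")
        blob = fetch(url)
        if hashlib.sha256(blob).hexdigest() != self.expected_sha256:
            raise ValueError("downloaded file does not match the pinned digest")
        self.used = True                      # one-shot; a real control would also unregister itself
        return f"ran {len(blob)} bytes (origin and digest verified)"
```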

Gee, thanks, Sony! And thanks to software developer First4Internet, who actually wrote both the DRM software and the uninstaller for Sony!

Update: Sony has now replaced the on-line form for requesting the uninstaller with the following message:

UNINSTALL REQUESTS

November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.

No news yet on a program to uninstall CodeSupport.