The security risk created by Sony BMG Music Entertainment Inc.'s rootkit-based copy protection software may be nothing compared to a flaw that appears when someone tries to use the tool Sony made available to uninstall it.
Researchers at Princeton University said they've taken a "detailed" look at the Web-based uninstaller software and confirmed claims from a Finnish researcher that malicious Web sites could exploit a flaw in the software to install and run code on victims' computers.
"Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the Web-based uninstaller that Sony offers to users who want to remove the First4 Internet XCP copy protection software," Ed Felten, a professor of computer science and public affairs at Princeton University, wrote in his Freedom to Tinker blog along with Alex Halderman, a Ph.D student at the university. "We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit."
According to Felten and Halderman, a "serious" design flaw in the uninstaller puts users at risk under the following circumstances:
- When the user fills out Sony's form to request a copy of the uninstaller, the request form downloads and installs an ActiveX control called CodeSupport, created by Sony's British technology partner, First4 Internet.
- CodeSupport remains on the user's system after they leave Sony's Web site, and it is marked as safe for scripting, "so any Web page can ask CodeSupport to do things," the researchers said
- Among other things, CodeSupport can be told to download and install code from Web sites. "Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4 Internet," the researchers said. "This means any Web page can make CodeSupport download and install code from any URL without asking the user's permission."
In other words, Felten and Halderman said, "The consequences of the flaw are severe. It allows any Web page you visit to download, install, and run any code it likes on your computer… That's about as serious as a security flaw can get."
They recommended users take the following protective measures:
- Don't accept the installation of any software delivered over the Internet from First4 Internet. That will keep CodeSupport off the user's machine, if it's not already there.
- Users can check their machines to see if CodeSupport is installed by trying Muzzy's reboot demonstration link. "If CodeSupport isn't on your machine, the link will do nothing, beyond displaying a message in your browser window. But if you have CodeSupport and are therefore vulnerable, then the link will reboot your machine," the researchers said. They warned, however, that Muzzy's demo "might sometimes make things worse" and that "We'll develop a safer variant and post it [on the Freedom to Tinker blog]."
- If the machine is vulnerable, delete the CodeSupport component. From the start menu, choose "Run." In the box that pops up, type (on a single line) cmd /k del "%windir%downloaded program filescodesupport.*
"This is not an ideal solution -- depending on your security settings, it may not prevent the software from installing again -- but it's better than nothing," Felten and Halderman said. "We'll have to wait for First4 Internet to develop a complete patch."
Security experts have roundly criticized Sony since researcher Mark Russinovich, chief software architect and co-founder of Winternals Software in Austin, Texas, found the company's rootkit on his own machine and wrote an analysis of it on his blog at Sysinternals.com, setting off the controversy.
Experts said Sony was playing with fire by using a rootkit-based digital rights management (DRM) system to prevent CD copying and that the company's move could trigger a variety of dangerous exploits.