The weblog that warned PC users about the danger posed by an uninstaller for Sony-BMG Entertainment's spyware-like CD-ROM technology said Thursday that a similar program for another digital rights management (DRM) program creates the same vulnerabilities.
Sony has used another DRM program, SunnComm's MediaMax, which installs several megabytes of files without notifying the user and silently phones home every time a CD carrying it is played, J. Alex Halderman of the blog "Freedom to Tinker" said Thursday.
The application does not come with an uninstaller, but Phoenix-based SunnComm will provide one on request by email, Halderman said.
"Now the bad news: It turns out that the web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony's other DRM, XCP, that we announced a few days ago," he said on the blog. "I have verified that it is possible for a malicious website to use the SunnComm hole to take control of PCs where the uninstaller has been used. In fact, the SunnComm problem is easier to exploit than the XCP uninstaller flaw."
On the uninstaller's website, users are prompted to accept an ActiveX control called AxWebRemoveCtrl, which, Halderman says, has a design flaw that allows websites to install and run code on PCs.
Halderman's colleague Ed Felten, a computer science professor at Princeton University, warned earlier this week of flaws in XCP's installer. Their blog is offering an AxWebRemoveCtrl detector.
MediaMax isn't as well known as First4Internet's XCP technology, Halderman said. "Though MediaMax doesn't resort to concealing itself with a rootkit, it does behave in several ways that are characteristic of spyware."
In what bloggers considered a victory for themselves and consumers, Sony announced Wednesday that it would pull 2.6 million CDs containing XCP technology from shelves.
"We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer," the company said on its website this week.
After Microsoft systems expert Mark Russinovich revealed in late October that Sony was using a rootkit to install spyware-like technology onto PCs, a media firestorm forced Sony to withdraw the technology earlier this week.
Virus authors also took advantage of the cloaking technology: within days of the announcement, Trojans were using the rootkit to hide themselves on compromised PCs.