Content

Now what about the other spyware?

Sony-BMG Entertainment still hasn’t addressed the other half of its use of spyware-like technology on CD-Roms, one blogger familiar with the software pointed out this week.

MediaMax, a digital rights management system Sony has used on CDs in addition to the now-shelved XCP technology, automatically installs over 12 MB of software before an end user license agreement is displayed, J. Alex Halderman said Monday on the "Freedom to Tinker" blog.

Not a rootkit like XCP, MediaMax remains on Sony CDs after XCP was withdrawn, Halderman said. Estimates of how many CDs contain MediaMax have ranged as high as 20 million.

"Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs," said Halderman, whose blog disclosed vulnerabilities created by the XCP uninstaller program earlier this month. "I had believed that MediaMax didn't permanently activate this driver – set it to run whenever the computer starts – unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse than I had thought."

Sony, under fire after Windows expert Mark Russinovich revealed XCP "phone home" technology on his website last month, was sued by both the state of Texas and the Electronic Frontier Foundation last week.

EFF, an advocacy group, also chided Sony for not responding to MediaMax, which is made by Phoenix-based SunnComm.

"Sony-BMG is to be commended for its acknowledgement of the serious security problems caused by its XCP software, but it needs to go further to regain the public's trust," Corynne McSherry, EFF staff attorney, said last week. "It is unconscionable for Sony-BMG to refuse to respond to the privacy and other problems created by the over 20 million CDs containing the SunnComm software."

Sony offered exchanges to customers dissatisfied with CDs containing XCP this month. It had previously pulled discs containing the application from shelves.

As a media firestorm grew over the rootkit, a number of trojans began taking advantage of the application. It was later disclosed that the uninstaller offered by Sony created a vulnerability that hackers could use to download malicious code onto PCs.

Sony has not addressed MediaMax in statements on XCP. "This software was provided to us by a third-party vendor, First4Internet," Sony has said on its website.

www.sunncomm.com
www.freedom-to-tinker.com
www.bmg.com
www.sysinternals.com

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.