Critical Infrastructure Security

Sony BMG settles with 39 states over CD rootkits


Sony BMG Music Entertainment has agreed to pay $4.25 million in a settlement with 39 states over malicious digital rights management software the music giant surreptitiously installed on CDs last year.

Under the settlement announced Thursday, Sony BMG will compensate end users whose PCs were damaged when trying to uninstall the rootkit-like technology that was designed to prevent piracy, published reports said. In addition, Sony said it will no longer distribute CDs containing copyright protection that is difficult for users to locate or remove.

"Not only did [the rootkit-like software] allow Sony's code to hide, it also created space for other malicious software to hide," Edward Felten, a Princeton University professor of computer science and public affairs, told SC Magazine for its December issue.

He and a graduate student specifically studied the two rootkit uninstallers Sony offered as a solution.

"They both installed an ActiveX control that could be invoked by a webpage," Felten said. "It could be told by any page on the web to download code. Any webpage could install whatever software. It was about as serious as a vulnerability could be."

Representatives from BMG Music could not be reached for comment today.

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.