Sony-BMG Entertainment still hasn’t addressed the other half of its use of spyware-like technology on CD-ROMs, one blogger familiar with the software pointed out this week.
MediaMax, a digital rights management system Sony has used on CDs in addition to the now-shelved XCP technology, automatically installs over 12 MB of software before an end-user license agreement is displayed, J. Alex Halderman said Monday on the "Freedom to Tinker" blog.
Unlike XCP, MediaMax is not a rootkit, but it remains on Sony CDs after XCP was withdrawn, Halderman said. Estimates of how many CDs contain MediaMax have ranged as high as 20 million.
"Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs," said Halderman, whose blog disclosed vulnerabilities created by the XCP uninstaller program earlier this month. "I had believed that MediaMax didn't permanently activate this driver – set it to run whenever the computer starts – unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse than I had thought."
Sony, under fire after Windows expert Mark Russinovich revealed XCP "phone home" technology on his website last month, was sued by both the state of Texas and the Electronic Frontier Foundation last week.
EFF, an advocacy group, also chided Sony for not responding to MediaMax, which is made by Phoenix-based SunnComm.
"Sony-BMG is to be commended for its acknowledgement of the serious security problems caused by its XCP software, but it needs to go further to regain the public's trust," Corynne McSherry, EFF staff attorney, said last week. "It is unconscionable for Sony-BMG to refuse to respond to the privacy and other problems created by the over 20 million CDs containing the SunnComm software."
This month, Sony offered exchanges to customers dissatisfied with CDs containing XCP. It had previously pulled discs containing the application from shelves.
As a media firestorm grew over the rootkit, a number of trojans began taking advantage of the application. It was later disclosed that the uninstaller offered by Sony created a vulnerability that hackers could use to download malicious code onto PCs.
Sony has not addressed MediaMax in statements on XCP. "This software was provided to us by a third-party vendor, First4Internet," Sony has said on its website.