Sony-BMG Entertainment has issued another mea culpa of sorts for its use of spyware-like technology on CD-ROMs.
The company had been under fire from bloggers, who, while not gathering the same momentum as they did criticizing Extended Copy Protection (XCP) technology on Sony CDs, pointed out vulnerabilities created by the similar MediaMax application. The program could open up PCs to malicious code, bloggers have said.
The Electronic Frontier Foundation and Sony had released a joint statement last week announcing a software update for SunnComm's MediaMax.
"We're pleased that Sony responded quickly and responsibly when we drew their attention to this security problem," said Kurt Opsahl, staff attorney for advocacy organization EFF. "Consumers should take immediate steps to protect their computers."
"We're grateful to EFF and iSEC Partners for bringing this to our attention," said Thomas Hesse, president of global digital business for Sony. "We believe that the availability of the update, coupled with our campaign to notify customers, will appropriately address the CDs with MediaMax version 5 in the market."
A statement on the recording industry giant's website said it "regrets" inconveniencing customers. An uninstall link for MediaMax is given as well.
A media uproar forced Sony to offer customers refunds for CDs containing XCP technology last month after Windows security expert Mark Russinovich first disclosed the spyware-like technology on his blog in late October. Within weeks, new trojans took advantage of the rootkit technology, and bloggers disclosed that Sony's uninstaller for XCP also made PCs vulnerable to malicious code.
Secunia classified the MediaMax vulnerability as "less critical."
"The security issue is caused due to insecure default directory ACLs being set on the SunnComm Shared directory, which allows everyone full access to the directory. This can be exploited by non-administrative users to modify the installed files and potentially gain escalated privileges by replacing the MMX.exe program with a malicious program," the security site warned.
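The condition Secunia describes, a program directory whose ACL gives every user write access, can be checked from `icacls` output. The Python sketch below is an added example, not code from Sony, SunnComm, Secunia or the EFF; the directory path and the sample output are constructed placeholders, and the principal names assume an English-language Windows install.

```python
import re

# Principals that include ordinary, non-administrative users (English names).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls right codes that let the holder change, delete or replace files.
WRITE = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
# Inheritance markers, which are not rights.
INHERIT = {"OI", "CI", "IO", "NP", "I"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z,]+\))+)$")

def risky_aces(icacls_output, path):
    """Return (principal, rights) for allow-ACEs giving broad groups write access."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line is "<path> <first ACE>"
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:                          # blank lines and the summary line
            continue
        groups = re.findall(r"\(([A-Z,]+)\)", m["flags"])
        if "DENY" in groups:               # deny entries grant nothing
            continue
        rights = {r for g in groups if g not in INHERIT for r in g.split(",")}
        hit = sorted(rights & WRITE)
        if m["who"].lower() in BROAD and hit:
            findings.append((m["who"], hit))
    return findings

# Constructed sample; the path is a placeholder, not the real install location.
SAMPLE_PATH = r"C:\EXAMPLE\SunnComm Shared"
SAMPLE = r"""C:\EXAMPLE\SunnComm Shared Everyone:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)
                           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE, SAMPLE_PATH):
        print(f"{SAMPLE_PATH}: {who} has {','.join(rights)}")
```

On a live system the first argument would be the captured output of `icacls` run against the directory in question.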
The EFF also warned that millions of CDs contain the MediaMax technology.
"There are over 20 million Sony CDs with some version of the SunnComm MediaMax software," the group warned. "Sony says that about six million have the MediaMax version 5 that is subject to this vulnerability, and has provided a list of affected titles."
Ed Felten, the Princeton University computer science professor who revealed vulnerabilities caused by the XCP uninstaller on his "Freedom to Tinker" blog, said the use of spyware-like technology is a natural evolution of trying to stop CD copying.
"Of course, you don't have to resort to these tactics. But if you don't, your software will have trouble getting onto users' computers and staying there," he said. "If your whole business model depends on installing unwanted software and preventing its uninstallation, you'll do what's necessary to make that model work. You'll resort to spyware tactics."