New York state Attorney General Eliot Spitzer has added his 2 cents to the Sony-BMG Entertainment rootkit controversy, scolding retailers who still have CD-ROMs containing the application on their shelves.
Spitzer, a Democratic candidate for governor in 2006, launched an investigation into the matter last month, sending researchers from his office posing as customers to purchase affected CDs at six of his state's popular music chains. Researchers bought the CDs at the Virgin Megastore, FYE, Best Buy, Circuit City and Wal-Mart, Spitzer's office said in a statement.
The infected copies are identifiable by a black and white table reading "compatible with" on the side, indicating the disc has copy protection. CDs with the rootkit have a URL at the bottom of the table ending with cp.sonybmg.com/xcp, Spitzer warned consumers.
"It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on the shelves, during the busiest shopping days of the year," he said. "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately and ship them back to Sony."
Sony said last month that it would exchange CDs containing the XCP technology after a blogger-fueled firestorm erupted over Microsoft security expert Mark Russinovich's revelation of the rootkit technology in late October.
In the following weeks, trojans aiming to exploit the cloaking technology appeared. It was later revealed that the uninstaller technology Sony offered also made PCs vulnerable to malicious code from websites.
The state of Texas and the Electronic Frontier Foundation sued Sony over the application last month.
The "Freedom to Tinker" blog revealed this week that Sony is also using the MediaMax technology from SunnComm, which likewise "phones home" from PCs. That software, although not a rootkit, downloads software onto a PC before a user can agree to a license agreement. The EFF has estimated that the MediaMax technology is on 20 million CDs.
Sony has not yet mentioned the SunnComm technology in company statements. It has pointed out that the rootkit was made by U.K.-based First4Internet.
"We deeply regret any inconvenience this may cause our customers and we are committed to making this situation right," Sony said. "It is important to note that the issues regarding these discs exist only when they are played on computers, not on conventional, non-computer-based CD and/or DVD players."