Sony's Fix for CDs Has Security Problems of Its Own

Ricky Martin's "Life" is one of the CDs with problematic software. (Sony)
By Brian Krebs
Special to The Washington Post
Thursday, November 17, 2005

Consumers who used computers to listen to Sony BMG music CDs containing flawed software were still exposed to potentially crippling security breaches yesterday, experts said, as the company continued to try to fix the problem.

Sony BMG Music Entertainment released a software patch earlier in the week, but experts warned that the fix created as many security problems as the original program, and as of yesterday the company had not come up with a new approach.

Sony BMG has recalled nearly 5 million CDs equipped with the flawed anti-piracy software shipped to retailers over the past eight months -- including titles by singers Neil Diamond, Celine Dion and Ricky Martin. Roughly two weeks ago, security experts showed that the software automatically installed a program that hid all of its files from users and damaged or crashed computers of customers who tried to remove it.

When played on a home computer running Microsoft Windows, the CDs require users to install a special media player and click "agree" on a 3,000-word license agreement. But the agreement makes scant mention of what the software, which is designed to prevent people from making unauthorized copies of the music, will do once installed.

For example, experts showed that the anti-piracy software "phones home" to Sony BMG and to the company that created the software, First 4 Internet Ltd., with details of users' music-listening habits. It also interferes with more than 250 programs that could allow copying of the CD contents to a portable media player or backup disc.

Detailed examination of the license agreement reveals no mention of such activity.

Further testing proved that hackers could use the program's file-hiding capabilities to silently embed computer viruses on PCs, prompting Sony BMG to issue a software update that removes that feature. Days later, unknown attackers sent millions of junk e-mails containing a virus crafted to exploit the flaws and seize control of vulnerable computers.

After the virus outbreaks, Sony BMG -- a joint venture of Sony Corp. and Bertelsmann AG -- said it would suspend production of new CDs featuring the copy-protection technology. But after nearly two weeks of relentless consumer backlash, Sony BMG said Tuesday that it would recall all CDs equipped with the anti-piracy software and that roughly 2 million customers who have already bought the discs would be able to exchange them.

Sony BMG spokesman John McKay declined to comment beyond the company's written statement, which apologized to customers for any inconvenience caused by the software and promised additional details about the CD exchange program in coming days.

Hours after Sony BMG announced its buyback, researchers at Princeton University found that even the patch the company released to remove the anti-piracy software contains security problems. The patch leaves behind coding that allows any Web page the user visits to download, install and run programs on the computer. Other research, released Tuesday by Atlanta-based Internet Security Systems, showed that the underlying program itself contained security holes that hackers could use to attack Windows computers running the software.

Sony BMG's latest moves have not erased its legal and public relations troubles. Last week, an attorney in California filed a lawsuit seeking damages for residents who bought the defective CDs, and on Monday, a lawyer in New York filed a nationwide class-action case against the company.

Mark Russinovich, chief software architect at Sysinternals, the security expert whose initial research into the anti-piracy program sparked the controversy, welcomed the class-action suits, saying withdrawal of the software wasn't enough.

"What I'm most concerned about is: If nothing serious happens to Sony that's visible to other companies, then we run the risk of this kind of thing becoming standard corporate behavior," Russinovich said.

The incident raises new questions about how far the music industry can go to defend its works from piracy. The industry loses roughly $4.2 billion worldwide to piracy each year, according to the Recording Industry Association of America. The software was the latest effort by entertainment companies to rely on controversial "digital rights management" (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks such as Kazaa and LimeWire.

Microsoft Corp. also waded into the fracas last week when it labeled Sony BMG's software a threat, saying it would let users remove the program through its anti-spyware program. Starting in December, Microsoft said, it will automate the removal of the software through its "malicious software removal tool," a program designed to help users clean up their computers after virus infections.

Krebs is a staff writer for

© 2005 The Washington Post Company