November 16th, 2005, 10:40 AM
#1
Fossil
Join Date: Oct 2001 Location: inside the Beltway
Posts: 5,234
Sony's rootkit uninstaller...
...opens a big new security hole: Quote:
Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.
The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.
A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked. ...
And here's an update.
(Tip o' the hat to Bruce Schneier.)
November 18th, 2005, 05:46 PM
#2
Registered User
Join Date: Jul 2005 Location: Austin, tx
Posts: 1,005
this has to be the biggest fiasco ever, and we will probably see this being exploited in literally thousands, if not millions, of pc's around the world for years to come because of the complete lack of coverage this problem has received.
since these cd's have been out there since 2004 and no antivirus product began detecting it until the last week, and no product actually patches the vulnerability, this should ring in a new era of plentiful zombie pc's.
add to that the number of folks who are still newly infecting their machines by putting these cd's in their pc completely unaware of the consequence (they own the new "old" versions of the music cd's and put them in their computer for the first time) and it's easy to see this is not going to end any time soon.
November 22nd, 2005, 01:18 PM
#3
Ultimate Member
Join Date: Oct 2001 Location: Toronto Canada
Posts: 4,628
That's why Microsoft said they were going to add functionality to MS Antispyware to remove the rootkit. That's if you run the MS Antispyware. I assume other antispyware manufacturers will be updating their software as well eventually.
Sean
November 22nd, 2005, 05:17 PM
#4
Registered User
Join Date: Jul 2005 Location: Austin, tx
Posts: 1,005
yeah... funny thing is, it is incapable of totally eliminating the vulnerability. from what i'm to understand all the security folks who are deeply intimate with the problem know that the easiest way for the majority of folks to fix the problem completely is to reinstall windows and never put one of those CD's in their machine again.
everywhere i read, the patch removes the cloaking, but the rootkit remains with all its escalated privileges. correct me if i'm wrong, maybe i'm not looking in the right places or subscribed to the right newsletters, but i haven't found a site yet that has the all out eliminating fix for the thing (ie, like the way AV companies put out step by step removal instructions or removal utilities)
November 22nd, 2005, 05:32 PM
#5
Ultimate Member
Join Date: Oct 2001 Location: Toronto Canada
Posts: 4,628
That's the problem with rootkits, unless software is written specifically to look for them you could never know it's there. Since rootkits have access to everything, they can be written to defend themselves against removal tools.
So yeah, formatting the hard drive and reinstalling is the best way to take care of it.
That's why if you want to record the tracks off of a CD to make a personal MP3 collection, you should plug in a CD player to the Line In on your soundcard. That way no software runs on your computer and you can still record the CDs. If the record industries start trying to get tricky, see how quickly cables that go from the headphone port to the line-in on soundcards will be for sale (if they aren't already).
Sean
November 22nd, 2005, 05:41 PM
#6
Registered User
Join Date: Jul 2005 Location: Austin, tx
Posts: 1,005
well, it's just as easy to simply disable the "autoplay" feature, particularly since if you want a good MP3 recording you'll want digital extraction. the line in is analog, and definitely an audiophile no-no.
S/PDIF connectors could work really well for that, which most quality sound cards have but you'll need a fairly nice CD player for that setup as well.
with this rootkit you are prompted to begin the install, but not told you're installing the rootkit. so, it's possible if you know what you're doing to bypass.... but that would violate the EULA. then again, if you don't install the software you're not agreeing to the EULA anyway, so hmm, that sounds like a sound legal loophole that would hold up in any court provided you could afford the fees to battle the sony machine... ah, but i digress...
that has to be one of the most reprehensible actions towards customers a media company has taken in the information age, and i'd go so far as to say this even beats microsoft's antitrust problems. at least they told you what they were doing.
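Disabling AutoPlay, as the post above suggests, is a Windows registry policy rather than a per-CD choice. The following PowerShell is an added example (not from this thread) that reads the current NoDriveTypeAutoRun policy and sets it to 0xFF, the bitmask that disables AutoRun for every drive type, CD-ROM included; the key path and value name are the standard Explorer policy location.

```powershell
# Added example: inspect and harden the Windows AutoRun policy.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
# disabled; 0xFF covers every type (bit 0x20 alone is CD-ROM drives).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$allDrives = 0xFF

function Get-AutoRunPolicy {
    # Returns the current bitmask, or $null if the value has never been set.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Disable-AutoRunForAllDrives {
    # Creates the policy key if needed and writes 0xFF as a REG_DWORD.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value $allDrives -Force | Out-Null
}

$current = Get-AutoRunPolicy
if ($null -eq $current) {
    Write-Host "$valueName not set: AutoRun follows the OS default"
} else {
    Write-Host ("{0} is currently 0x{1:X2}" -f $valueName, $current)
}

if ($current -ne $allDrives) {
    # Writing under HKLM requires an elevated (administrator) shell.
    Disable-AutoRunForAllDrives
    Write-Host "AutoRun disabled for all drive types (0xFF); sign out or reboot for Explorer to apply it"
}
```

The same value name under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer applies the policy for a single user without elevation.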
November 22nd, 2005, 05:44 PM
#7
Ultimate Member
Join Date: Oct 2001 Location: Toronto Canada
Posts: 4,628
I would assume the EULA is written so that if you don't install the software, you're violating the EULA by playing the CD on your computer.
EULAs are full of such annoying clauses.
November 22nd, 2005, 05:48 PM
#8
Registered User
Join Date: Jul 2005 Location: Austin, tx
Posts: 1,005
heh, but like i said, you didn't agree to it in that case! and since you didn't autorun the software, you never saw it. you can't violate it if you didn't agree to it since it only applies to the installation of the software, regardless if the EULA mentions how you use the CD itself.
of course bypassing the software to use the CD in a computer probably qualifies as a violation of the DMCA, and probably qualifies you as a terrorist in the Patriot Act somewhere as well...
November 22nd, 2005, 05:56 PM
#9
Ultimate Member
Join Date: Oct 2001 Location: Toronto Canada
Posts: 4,628
True. But if they get like the software vendors and put a disclaimer on the package like:
"By opening this product you agree to the enclosed EULA"
Then there's nothing you can do. It would come down to, which lawyer is more persuasive: yours or the manufacturer's.
In my opinion, the way those should be phrased is:
"We're taking away your rights by making you blindly agree to a EULA that you can't read until after you've opened the package which means you accepted the enclosed EULA and there's nothing you can do about it because we put this little disclaimer on the package."
Almost every retail software package has that type of disclaimer on it. Something I find distasteful on the manufacturers' part, to say the least.
November 22nd, 2005, 06:19 PM
#10
Registered User
Join Date: Jul 2005 Location: Austin, tx
Posts: 1,005
yeah, that seems to be why the EFF is the last hope consumers have before we become property ourselves. like "by seeing this movie your memories of this movie are only to be used for your own personal gratification, and cannot be retransmitted by voice, text rendering...."