Sony BMG at Work on Yet Another Patch

Sony BMG is replacing a patch for its MediaMax CD copy protection software after a security flaw is discovered.

In a tale that has more twists and turns than a Hardy Boys mystery, Sony BMG found itself in the spotlight again this week for introducing security holes on customers' computers through faulty copy protection software.

Sony, along with the EFF (Electronic Frontier Foundation) and iSEC Partners, a security firm, issued a joint release saying that the MediaMax Version 5 copy protection software from SunnComm, which ships with some Sony BMG CDs, contains a flaw that could allow a low-level user on Windows systems to gain administrative access to the computer.

A software patch from SunnComm to fix the hole was later found to introduce a security vulnerability on systems that installed it, prompting the EFF to disavow the patch.

Sony has since issued a new patch, which is being evaluated by independent security experts, said Rebecca Jeschke, spokesperson for the EFF, based in San Francisco.

Sony/BMG customers who have already installed the MediaMax software are advised to "hang tight" for now and not do anything, Jeschke said.


Customers who bought a CD with the MediaMax software on it, but have not put it in their PC's CD drive, are advised not to do so, she said.

The MediaMax software became a focus of attention after the EFF filed a class action lawsuit on behalf of consumers who bought Sony BMG CDs with the XCP and MediaMax software installed.

The EFF alleged that the SunnComm software violates the law by installing the MediaMax software before Sony/BMG customers even see or agree to the end user license agreement (EULA) for the program.

SunnComm then violates its own EULA by "phoning home" information about the CD, the operating system and the Web browser the listener is using.

Writing on his Web log freedom-to-tinker on Nov. 22, Ed Felten, a professor of computer science at Princeton University, labeled the MediaMax software "spyware" because it does not disclose those communications, and makes it difficult for users to remove the software once it is installed.

The software also introduces serious security risks to Windows users by creating a shared directory that even low-level users can access.

Malicious hackers could use the MediaMax directory to drop malicious programs that could then be run in administrator mode, according to an analysis by Information Security Partners, LLC, a security consulting firm that was hired by EFF to analyze the MediaMax software.

The patch issued this week, as well as a MediaMax uninstall program from SunnComm, is insecure in the same way, and could be used by a malicious hacker to booby-trap files so that hostile code is run on the user's machine, Felten wrote.
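The weakness the analysis describes is a directory that standard users can write to but from which administrator-level code later runs. The following PowerShell audit is an added example, not code from the article, from SunnComm or from the iSEC analysis; it flags directories whose ACL grants create or modify rights to low-privilege principals, so an administrator can find such folders before trusting what runs out of them. The path 'C:\Program Files\ExampleVendor' is a placeholder, not a path the article names.

```powershell
# Added example: report directories under a tree that a standard user could
# drop or replace files in. Assumed input: the root path below is a placeholder.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal add or replace files in a directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        # Only explicit or inherited Allow entries matter for write access.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Usage: check the root folder and every subfolder of a vendor's install tree.
$Root = 'C:\Program Files\ExampleVendor'   # placeholder path
@(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse) |
    ForEach-Object { Test-LowPrivWritable -Path $_.FullName } |
    Format-Table -AutoSize
```

Any row the script prints is a folder where a non-administrator can place a file; whether that is dangerous depends on whether a privileged process (a service, an installer, an uninstaller run by an administrator) later loads or executes from it, which is exactly the combination the analysis above describes. The usual remediation is to restrict the entry to Administrators and SYSTEM, or to move the writable data out of the directory the privileged code runs from.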

Following that analysis, the EFF backed away from its joint statement that promoted the MediaMax patch and adopted Felten's recommendation not to use either the MediaMax patch or the uninstall program, and to avoid putting a CD that uses the MediaMax software into your PC.

Sony BMG CDs by artists including Alicia Keys, Babyface, Britney Spears, Sarah McLachlan, Santana and Black Rebel Motorcycle Club ship with the MediaMax Version 5 software, according to a list on Sony's Web site.

However, MediaMax is not used only on Sony BMG CDs. According to SunnComm, MediaMax ships on over 140 titles from different companies.

The imbroglio over MediaMax is just the latest development in a two-month-old controversy over Sony's use of copy protection software with many of its CDs.

The company has been under intense scrutiny since October 31, when Windows expert Mark Russinovich discovered the XCP software from Sony partner First4Internet on his own computer and published a detailed analysis of it on his blog at


XCP attracted attention and criticism because it was almost totally invisible to Windows users, employing techniques akin to malicious "rootkit" programs to hide files with a name that began with the characters $sys$.

Malicious code writers took up the idea, spamming out Trojan horse programs and releasing viruses that used the $sys$ naming convention.

Lawsuits followed in Texas, where the state's attorney general accused Sony BMG of violating state anti-spyware laws. New York's Attorney General, Eliot Spitzer, also criticized Sony for not doing more to get XCP CDs off store shelves.

The MediaMax software does not have the controversial "rootkit" features of XCP, but poses some of the same security risks, experts said.
