While I have had my fill of Sony DRM and all the screaming that has gone on around it (though it still gives me a chuckle when I see a breathless story in some second-tier MSM newspaper about “Copy Protection on Sony CDs” that is both outdated and inaccurate) there was actually a new wrinkle going on in the last week.
Remember the MediaMax DRM that didnt get as much attention as the other XCP DRM used by Sony during the first wave of screaming and yelling? Well, it seems SunnComms little child has a problem when dealing with Windows.
There are insecure default directory ACLs being set on the “SunnComm Shared” directory, which allow any local user full and total access to the directory. “So what?” you ask. Well, non-administrative users can modify the installed files in the directory because of this. If they are of a mind to do so, these users can potentially gain escalated privileges by (for example) replacing the MMX.exe program with a malicious (and privilege-escalating) program. The MMX.exe program will be automatically executed when another user inserts a MediaMax protected CD.
Changing the directory ACL manually is reportedly non-effective. The reason is that the insecure permissions will be restored the next time a MediaMax-protected CD is played.
The security issue has been reported in version 5.0.21.0, and prior versions may also be affected. Sony has a program that they say will fix the damage done to your machine. You may wish to document any further damage that this new program does to your machine for inclusion in your future lawsuit.
Hardened-PHP finds more stuff
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Stefan Esser of the Hardened-PHP project found a huge problem with it, though. In their advisory, Esser noted, “phpMyAdmin comes with a register_globals emulation layer within grab_globals.php, to ensure compatibility with hosts where this feature is turned off. This layer was heavily modified for the release of phpMyAdmin 2.7.0. One of the major changes is that the blacklist of variables that may not be overwritten by the emulation layer is now stored in a global variable.”