Just Disable Auto Play
Follow the advice from CERT:

http://www.cert.org/

" First 4 Internet XCP (Sony DRM) Vulnerabilities
added November 15, 2005 | updated November 18, 2005

US-CERT is aware of several vulnerabilities regarding the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed by some Sony BMG audio CDs. The XCP copy protection software uses "rootkit" technology to hide certain files from the user. This technique can pose a security threat, as malware can take advantage of the ability to hide files. We are aware of malware that is currently using this technique to hide.

One of the uninstallation options provided by Sony also introduces vulnerabilities to a system. Upon submitting a request to uninstall the DRM software, the user will receive via email a link to a Sony BMG web page. This page will attempt to install an ActiveX control when it is displayed in Internet Explorer. This ActiveX control is marked "Safe for scripting," which means that any web page can utilize the control and its methods. Some of the methods provided by this control are dangerous, as they may allow an attacker to download and execute arbitrary code.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

* VU#312073 - First 4 Internet XCP "Software Updater Control" ActiveX control incorrectly marked "safe for scripting"

US-CERT recommends the following ways to help prevent the installation of this type of rootkit:

* Do not run your system with administrative privileges. Without administrative privileges, the XCP DRM software will not install.
* Use caution when installing software. Do not install software from sources that you do not expect to contain software, such as an audio CD.
* Read the EULA (End User License Agreement) if you do decide to install software. This document can contain information about what the software may do.
* Disable automatically running CD-ROMs by editing the registry to change the Autorun value to 0 (zero) as described in Microsoft Article 155217."

The MS Tech link is here:

http://support.microsoft.com/kb/q155217

MS should be flogged anyhow for shipping autoplay enabled in the first place and making the default user (if a user account isn't set up) administrator (root).
Posted by: Edward Meyers | Posted on: 11/19/05
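The registry change the quoted US-CERT advice points to (KB155217) is a single DWORD, but in practice you want to audit it before and after, and also cover the Explorer policy value, since either setting alone leaves a gap. The following PowerShell script is an added example, not part of the original post or of CERT's or Microsoft's material. It assumes the two registry locations that KB155217 documents: the legacy `Cdrom\Autorun` switch and the `NoDriveTypeAutoRun` policy bitmask (bit 0x20 is the CD-ROM drive type; 0xFF disables AutoRun for every drive type). It reports the current state and, with `-Fix`, sets both values; writing under HKLM needs an elevated prompt.

```powershell
# Added example (not from the original post): audit and optionally disable
# CD-ROM AutoRun as KB155217 describes. Run elevated for -Fix.
param([switch]$Fix)

# Registry locations assumed from KB155217.
$cdromKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RegValueOrNull($Path, $Name) {
    # Returns $null when the key or the value does not exist, so "absent"
    # can be distinguished from an explicit 0.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Legacy per-device switch. Absent, or any non-zero value, means enabled.
$autorun = Get-RegValueOrNull $cdromKey 'Autorun'
if ($null -eq $autorun)  { $state = 'enabled (value absent, default is 1)' }
elseif ($autorun -eq 0)  { $state = 'disabled' }
else                     { $state = "enabled (value $autorun)" }
Write-Host "Cdrom\Autorun:      $state"

# 2. Explorer policy bitmask. Bit 0x20 = CD-ROM drive type; 0xFF = all types.
$mask = Get-RegValueOrNull $policyKey 'NoDriveTypeAutoRun'
if ($null -eq $mask) {
    Write-Host 'NoDriveTypeAutoRun: not set (OS default applies)'
} else {
    $cd = if ($mask -band 0x20) { 'blocked' } else { 'allowed' }
    Write-Host ('NoDriveTypeAutoRun: 0x{0:X2}, CD-ROM AutoRun {1}' -f $mask, $cd)
}

# 3. Harden both settings on request.
if ($Fix) {
    Set-ItemProperty -Path $cdromKey -Name 'Autorun' -Value 0 -Type DWord
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Write-Host 'AutoRun disabled; reboot (or restart Explorer) for the change to apply.'
}
```

Run it once without `-Fix` to see the current state, then with `-Fix` and again without to confirm. Note that, per CERT's first recommendation, a non-administrative account cannot change either HKLM value, which is exactly why such an account also cannot have XCP installed behind its back.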