[infowarrior] - Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole

2005-11-19 Thread Richard Forno
Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole
Thursday November 17, 2005 by J. Alex Halderman
http://www.freedom-to-tinker.com/?p=931

I have good news and bad news about Sony's other CD DRM technology, the
SunnComm MediaMax system. (For those keeping score at home, Ed and I have
written a lot recently about Sony's XCP copy protection technology, but this
post is about a separate system that Sony ships on other CDs.)

I wrote last weekend about SunnComm's spyware-like behavior. Sony CDs
protected with their technology automatically install several megabytes of
files without any meaningful notice or consent, silently phone home every
time you play a protected album, and fail to include any uninstall option.

Here's the good news: As several readers have pointed out, SunnComm will
provide a tool to uninstall their software if users pester them enough.
Typically this requires at least two rounds of emails with the company's
support staff.

Now the bad news: It turns out that the web-based uninstaller SunnComm
provides opens up a major security hole very similar to the one created by
the web-based uninstaller for Sony's other DRM, XCP, that we announced a few
days ago. I have verified that it is possible for a malicious web site to
use the SunnComm hole to take control of PCs where the uninstaller has been
used. In fact, the SunnComm problem is easier to exploit than the XCP
uninstaller flaw.

To be clear, the SunnComm security flaw does not apply to the software that
ships on CDs, but only to the uninstaller that SunnComm distributes
separately for removing the CD software. So if you haven't used the
uninstaller, you're not vulnerable to this flaw and you don't need to do
anything.

If you visit the SunnComm uninstaller web page, you are prompted to accept a
small software component, an ActiveX control called AxWebRemoveCtrl created
by SunnComm. This control has a design flaw that allows any web site to
cause it to download and execute code from an arbitrary URL. If you've used
the SunnComm uninstaller, the vulnerable AxWebRemoveCtrl component is still
on your computer, and if you later visit an evil web site, the site can use
the flawed control to silently download, install, and run any software code
it likes on your computer. The evil site could use this ability to cause
severe damage, such as adding your PC to a botnet or erasing your hard disk.

You can tell whether the vulnerable control is installed on your computer by
using our AxWebRemoveCtrl detector.

We have created a tool that will disable the control and/or block it from
being installed. To apply our tool, download this file to a temporary
location, then double click on the file's icon in Windows. (Windows may ask
you to confirm that you wish to add the information in the file to the
system registry; choose "Yes.") After the tool has been applied, you may
delete the file you downloaded. The tool will take effect as soon as you
close and restart Internet Explorer. We recommend that anyone who has used
the SunnComm uninstaller run our tool as soon as possible.

Unfortunately, if you use our tool to block the control, you won't be able
to use SunnComm's current uninstaller to remove their software. It's up to
them to replace the flawed uninstaller with a safe one as soon as possible,
and to contact those who have already used the vulnerable uninstaller with
instructions for closing the hole.

UPDATE (Nov. 18): We are currently helping SunnComm test a new version of
the uninstaller.

You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.
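The Freedom to Tinker tool described in the post is a registry file, and the standard way Windows blocks a specific ActiveX control from loading in Internet Explorer is the "kill bit": a `Compatibility Flags` DWORD with bit 0x400 set under the control's CLSID in the `ActiveX Compatibility` key. IE then refuses to instantiate that control whether it is installed today or installed again later, which is why the post says the tool both disables the control and blocks it from being installed. The script below is an added example, not the Freedom to Tinker tool or SunnComm code, showing how an administrator can check whether a control is registered, whether its kill bit is set, and set the bit. The CLSID is a placeholder because the post does not give AxWebRemoveCtrl's real CLSID; the `-Block` switch is this script's own.

```powershell
# Added example: inspect and optionally set the Internet Explorer kill bit
# for a given ActiveX control. Not the tool from the post.
param([switch]$Block)   # -Block is a parameter of this example script only

# PLACEHOLDER CLSID: substitute the control's real CLSID, which the post does not give.
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'

$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400   # documented "kill bit" value in Compatibility Flags

function Test-ActiveXRegistered {
    # A control is registered on the machine when its CLSID has an InprocServer32 entry.
    param([Parameter(Mandatory)][string]$Clsid)
    return (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32")
}

function Get-CompatibilityFlags {
    # Returns the current Compatibility Flags DWORD for the CLSID, or 0 if absent.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    return (((Get-CompatibilityFlags $Clsid) -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    # OR the kill bit into whatever flags are already present so nothing else is lost.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $newFlags = (Get-CompatibilityFlags $Clsid) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
}

if (Test-ActiveXRegistered $TargetClsid) {
    "Control $TargetClsid is registered on this machine."
} else {
    "Control $TargetClsid is not currently registered; a kill bit still stops IE loading it if it is installed later."
}

if (Test-ActiveXKillBit $TargetClsid) {
    "Kill bit already set; Internet Explorer will not load the control."
} elseif ($Block) {
    Set-ActiveXKillBit $TargetClsid
    "Kill bit set; close and restart Internet Explorer for it to take effect."
} else {
    "Kill bit NOT set. Re-run with -Block from an elevated prompt to set it."
}
```

Writing to HKLM requires an elevated PowerShell session. On 64-bit Windows the 32-bit Internet Explorer reads the `Wow6432Node` copy of the `ActiveX Compatibility` key, so a complete block writes the same value under `HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility` as well. As the post notes, once the bit is set the vendor's web-based uninstaller cannot use the control either, so the block is a containment step until a fixed uninstaller exists.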


[infowarrior] - More on - DOD to hold security stand-down

2005-11-19 Thread Richard Forno

-- Forwarded Message
From: matthew 
Date: Sat, 19 Nov 2005 06:53:22 -0800 (PST)


> information. DOD officials are now considering new policy and
> acquisition initiatives to improve information assurance.

For the last time, Security is a PEOPLE problem!! I'm ready to scream.
When DoD civilians and in particular self-important political
appointees (and their sycophants) flout DoD/DISA/OSD/JTF security
policy because they are "too special" to be concerned with having to
have good (or any) passwords, refuse to use the provided secure access
mechanisms, or fly into a rage over having to even take Information
Assurance training (all of 45min long) or suffer the indignity and
inconvenience of a screensaver with a password then the problem has
NOTHING to do with acquisitions.

Revised acquisitions also does nothing to remedy the fact that large
sections of the Pentagon STILL run NT4, have been dragging their butts
for 5+ years about moving to 2K let alone newer stuff, and forcing the
rest of us who have already moved (albeit very belatedly) to maintain
holes because the parent org who controls mail are STILL on Exchange
5.5. Then there is that jewel of thought that goes something like "No,
all departments will no longer be permitted to have firewalls. Because
firewalls prevent us from scanning and rooting all your boxes. And no,
there will be but one forest and all you little people (who've been on
AD for years now whereas the parent still isn't) will be OU's." I guess
nobody bothered to read MS' handbook about forests being the only real
security boundary. The totally LAME justification for doing everything
wrong? "oh, we want to eliminate all departmental helpdesks. And deploy
all those enterprise applications." What supposed applications would
that be again? Yeah, thought so.

Sometimes I just want to yell "are you people freaking stupid?!" at the
top of my lungs. But I'll just wait for the revised acquisition
strategy to save the day. Now where did I put my morphine drip?
Self-medication is a great thing.


-- End of Forwarded Message
