Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole
Thursday November 17, 2005 by J. Alex Halderman
http://www.freedom-to-tinker.com/?p=931

I have good news and bad news about Sony's other CD DRM technology, the
SunnComm MediaMax system. (For those keeping score at home, Ed and I have
written a lot recently about Sony's XCP copy protection technology, but this
post is about a separate system that Sony ships on other CDs.)

I wrote last weekend about SunnComm's spyware-like behavior. Sony CDs
protected with their technology automatically install several megabytes of
files without any meaningful notice or consent, silently phone home every
time you play a protected album, and fail to include any uninstall option.

Here's the good news: As several readers have pointed out, SunnComm will
provide a tool to uninstall their software if users pester them enough.
Typically this requires at least two rounds of emails with the company's
support staff.

Now the bad news: It turns out that the web-based uninstaller SunnComm
provides opens up a major security hole very similar to the one created by
the web-based uninstaller for Sony's other DRM, XCP, that we announced a few
days ago. I have verified that it is possible for a malicious web site to
use the SunnComm hole to take control of PCs where the uninstaller has been
used. In fact, the SunnComm problem is easier to exploit than the XCP
uninstaller flaw.

To be clear, the SunnComm security flaw does not apply to the software that
ships on CDs, but only to the uninstaller that SunnComm distributes
separately for removing the CD software. So if you haven't used the
uninstaller, you're not vulnerable to this flaw and you don't need to do
anything.

If you visit the SunnComm uninstaller web page, you are prompted to accept a
small software component, an ActiveX control called AxWebRemoveCtrl created
by SunnComm. This control has a design flaw that allows any web site to
cause it to download and execute code from an arbitrary URL. If you've used
the SunnComm uninstaller, the vulnerable AxWebRemoveCtrl component is still
on your computer, and if you later visit an evil web site, the site can use
the flawed control to silently download, install, and run any software code
it likes on your computer. The evil site could use this ability to cause
severe damage, such as adding your PC to a botnet or erasing your hard disk.

You can tell whether the vulnerable control is installed on your computer by
using our AxWebRemoveCtrl detector.

We have created a tool that will disable the control and/or block it from
being installed. To apply our tool, download this file to a temporary
location, then double click on the file's icon in Windows. (Windows may ask
you to confirm that you wish to add the information in the file to the
system registry; choose "Yes.") After the tool has been applied, you may
delete the file you downloaded. The tool will take effect as soon as you
close and restart Internet Explorer. We recommend that anyone who has used
the SunnComm uninstaller run our tool as soon as possible.

Unfortunately, if you use our tool to block the control, you won't be able
to use SunnComm's current uninstaller to remove their software. It's up to
them to replace the flawed uninstaller with a safe one as soon as possible,
and to contact those who have already used the vulnerable uninstaller with
instructions for closing the hole.

UPDATE (Nov. 18): We are currently helping SunnComm test a new version of
the uninstaller. 
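
The tool described above is a registry file that is merged by double-clicking it. The sketch below is an added example, not the authors' tool or detector: it reads the text of a .reg file before it is merged and reports which ActiveX controls it would block and which other keys it would touch. It assumes the block is done with Internet Explorer's kill bit (Compatibility Flags 0x400), which the post does not state; the CLSIDs and key names in the sample are constructed placeholders.

```python
import re

# Internet Explorer refuses to instantiate a control whose
# "Compatibility Flags" value has this bit set (the "kill bit").
KILL_BIT = 0x00000400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

SECTION = re.compile(r"^\[(-?)(.+)\]$")   # [KEY] sets values, [-KEY] deletes
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$')
CLSID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def audit_reg_text(text):
    """Return (killed, other): the CLSIDs the file kill-bits, and every
    other key it would touch, so a reviewer can confirm it does nothing more."""
    killed, other, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            deleted, key = m.groups()
            parent, _, leaf = key.rpartition("\\")
            if (not deleted and parent.lower() == COMPAT_KEY.lower()
                    and CLSID.match(leaf)):
                current = leaf.upper()
            else:
                current = None
                other.append(("-" if deleted else "") + key)
            continue
        m = FLAGS.match(line)
        if m and current and int(m.group(1), 16) & KILL_BIT:
            killed.add(current)
    return killed, other

# Constructed sample; the CLSIDs are placeholders, not the real control's.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000AA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000BB}]
"Compatibility Flags"=dword:00000000

[HKEY_CURRENT_USER\Software\ExampleVendor]
"ExampleValue"="1"
"""

if __name__ == "__main__":
    print(audit_reg_text(SAMPLE))
```

A file that only blocks one control should yield a single CLSID in the first result and an empty second result; anything else is worth reading by hand before merging.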


