Free Republic
Browse · Search
Bloggers & Personal
Topics · Post Article


Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole (Sony shoots other foot)
freedom-to-tinker | Thursday, November 17, 2005 | by J. Alex Halderman

Posted on 11/17/2005 7:14:41 PM PST by dickmc

Sony’s other CD DRM technology, the SunnComm MediaMax system, automatically installs several megabytes of files without any meaningful notice or consent, silently phones home, and fails to include any uninstall option. SunnComm will provide a tool to uninstall their software if users pester them enough but it opens up a major security hole like the one created by the web-based uninstaller for Sony’s other DRM, XCP. In fact, the SunnComm problem is easier to exploit than the XCP uninstaller flaw.

(Excerpt) Read more at freedom-to-tinker.com ...


TOPICS:
KEYWORDS: drm; sony
The article:

"I have good news and bad news about Sony’s other CD DRM technology, the SunnComm MediaMax system. (For those keeping score at home, Ed and I have written a lot recently about Sony’s XCP copy protection technology, but this post is about a separate system that Sony ships on other CDs.)

I wrote last weekend about SunnComm’s spyware-like behavior. Sony CDs protected with their technology automatically install several megabytes of files without any meaningful notice or consent, silently phone home every time you play a protected album, and fail to include any uninstall option.

Here’s the good news: As several readers have pointed out, SunnComm will provide a tool to uninstall their software if users pester them enough. Typically this requires at least two rounds of emails with the company’s support staff.

Now the bad news: It turns out that the web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony’s other DRM, XCP, that we announced a few days ago. I have verified that it is possible for a malicious web site to use the SunnComm hole to take control of PCs where the uninstaller has been used. In fact, the SunnComm problem is easier to exploit than the XCP uninstaller flaw. To be clear, the SunnComm security flaw does not apply to the software that ships on CDs, but only to the uninstaller that SunnComm distributes separately for removing the CD software. So if you haven’t used the uninstaller, you’re not vulnerable to this flaw and you don’t need to do anything.

If you visit the SunnComm uninstaller web page, you are prompted to accept a small software component—an ActiveX control called AxWebRemoveCtrl created by SunnComm. This control has a design flaw that allows any web site to cause it to download and execute code from an arbitrary URL. If you’ve used the SunnComm uninstaller, the vulnerable AxWebRemoveCtrl component is still on your computer, and if you later visit an evil web site, the site can use the flawed control to silently download, install, and run any software code it likes on your computer. The evil site could use this ability to cause severe damage, such as adding your PC to a botnet or erasing your hard disk.

You can tell whether the vulnerable control is installed on your computer by using our AxWebRemoveCtrl detector.

We have created a tool that will disable the control and/or block it from being installed. To apply our tool, download this file to a temporary location, then double click on the file’s icon in Windows. (Windows may ask you to confirm that you wish to add the information in the file to the system registry–choose “Yes.”) After the tool has been applied, you may delete the file you downloaded. The tool will take effect as soon as you close and restart Internet Explorer. We recommend that anyone who has used the SunnComm uninstaller run our tool as soon as possible.

Unfortunately, if you use our tool to block the control, you won’t be able to use SunnComm’s current uninstaller to remove their software. It’s up to them to replace the flawed uninstaller with a safe one as soon as possible, and to contact those who have already used the vulnerable uninstaller with instructions for closing the hole."

*******************************************************************


As if that is not bad enough, SunnComm installs software BEFORE you accept their EULA:
From USA Today's Sony: The rootkit of all evil?

"None of this is doing Sony much good. The blinding light of publicity has brought other things to the forefront.

For example, XCP isn't the only copy protection the company uses. Other CDs from the company are "protected" with SunnComm's MediaMax software, which installs things on your computer whether or not you accept the license agreement. It, too, sends information about your activities, this time to SunnComm.


1 posted on 11/17/2005 7:14:41 PM PST by dickmc
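A defender's check for the state the article describes, as an added example that is not part of the original post or of the Freedom to Tinker detector or tool: it reads a registry export (`.reg` text) and reports whether an ActiveX control is registered and whether Internet Explorer's kill bit is set for it. It assumes the disable/block step is done through the kill bit, which the article does not state; the CLSIDs are placeholders, since the page does not give the real one for AxWebRemoveCtrl.

```python
import re

# Standard registry locations for COM registration and IE ActiveX compatibility flags.
COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLASSES = r"HKEY_CLASSES_ROOT\CLSID"
KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a control

# Constructed sample export; every CLSID below is a placeholder, not a real control.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}]
@="Placeholder control A"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}]
@="Placeholder control B"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000C3}]
"Compatibility Flags"=dword:00000400
'''

def parse_reg(text):
    """Parse .reg text into {KEY PATH: {value name: raw data}}; "[-KEY]" deletions never match a lookup."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                current[m.group(1).strip('"').lower()] = m.group(2)
    return keys

def control_status(reg_text, clsid):
    """Classify one CLSID as 'exposed', 'blocked', 'pre-blocked' or 'absent'."""
    keys = parse_reg(reg_text)
    clsid = clsid.upper()
    installed = (CLASSES + "\\" + clsid).upper() in keys
    raw = keys.get((COMPAT + "\\" + clsid).upper(), {}).get("compatibility flags", "")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    killed = bool(m and int(m.group(1), 16) & KILL_BIT)
    if installed:
        return "blocked" if killed else "exposed"
    return "pre-blocked" if killed else "absent"

if __name__ == "__main__":
    for suffix in ("A1", "B2", "C3", "D4"):
        print(suffix, control_status(SAMPLE_EXPORT, "{00000000-0000-0000-0000-0000000000%s}" % suffix))
```

"pre-blocked" corresponds to the article's "block it from being installed" case: the flag is present before the control is, so Internet Explorer will refuse to load it if it is installed later.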

To: dickmc

Our office is warning both about the Sony CDs and Sony's so-called patch, noting that if you try to play the CDs you are asked to install software which puts in spyware and makes security holes, and the so-called Sony patch installs even worse bad things and security holes. They indicate that this afflicts Sony CDs made over the last several months.
(thanks to others for the list of known problem titles)


2 posted on 11/23/2005 4:44:23 AM PST by libtoken

To: dickmc
"..And it also came to light that Sony has patented a method for prohibiting a video game from being played on anything but the original machine it was bought for. Speculation is that it will be used for the upcoming PlayStation 3, preventing gamers from, say, bringing a game to a friend's house, or selling a used game..."

Damn.

3 posted on 11/23/2005 10:14:19 AM PST by softengine (The revolution will be televised.)

To: softengine
"..And it also came to light that Sony has patented a method for prohibiting a video game from being played on anything but the original machine it was bought for. Speculation is that it will be used for the upcoming PlayStation 3, preventing gamers from, say, bringing a game to a friend's house, or selling a used game..."

If this is true, then whatever Microsoft's maximum capacity for manufacturing the Xbox 360 is, it won't be near enough to cover the demand.

4 posted on 11/23/2005 10:18:08 AM PST by CFC__VRWC ("Anytime a liberal squeals in outrage, an angel gets its wings!" - gidget7)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson