The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony's suggested method for removing the program widened the security hole the original software created, researchers say.
Sony has moved to recall the discs in question. But music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.
"This is a surprisingly bad design from a security standpoint," said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. "It endangers users in several ways."
The "XCP" copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond, and Celine Dion. Sony BMG said 4.7 million were shipped, with 2.1 million sold.
When the discs were put into a PC — a necessary step for transferring music to iPods and other portable music players — the CD automatically installed a program that restricted how many times the discs' tracks could be copied, and made it extremely inconvenient to transfer songs into the format used by iPods.
That antipiracy software — which works only on Windows PCs — came with a cloaking feature that allowed it to hide files on users' computers. Security researchers classified the program as "spyware," saying it secretly transmits details about what music the PC is playing. Manual attempts to remove the software can disable the PC's CD drive.
The program also gave virus writers an easy tool for hiding their malicious software. Last week, "Trojan horse" programs emerged that took advantage of the cloaking feature to enter computers undetected, antivirus companies said. Trojans are typically used to steal personal information, launch attacks on other computers and send spam.
Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.
But the uninstaller created a new set of problems.
To get the uninstall program, users were asked to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.
According to security experts, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.
"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday after being tipped by a Finnish researcher, Matti Nikki. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."
On Tuesday evening, Sony BMG was preparing to release a safe new method for removing XCP. It was unclear when it might be available.
Other programs that knock out the original software are likely to emerge. Microsoft Corp. says the next version of its tool for removing malicious software, which is automatically sent to PCs via Windows Update each month, will yank the cloaking feature in XCP.
A Sony BMG statement Tuesday said the company would pull unsold CDs with the software from store shelves and let consumers exchange already purchased ones. On Friday the company had said it would halt production of CDs with the technology and "re-examine all aspects of our content protection initiative."
"We share the concerns of consumers regarding discs with XCP content-protected software," Tuesday's statement said.
First 4 Internet was not making any comment, according to Lynette Riley, the office manager who answered the company's phone Tuesday evening in England.