Sony BMG Music Entertainment said Tuesday some 5.7 million of its CDs were shipped with anti-piracy technology that requires a new software patch to plug a potential security breach in computers used to play the CDs.
The security vulnerability was discovered by the online civil-liberties group the Electronic Frontier Foundation and brought to the attention of Sony BMG, which has been under fire in recent weeks over security issues with an unrelated CD copy-protection plan.
The company said Tuesday it brought the issue up with the MediaMax software maker, SunnComm Technologies Inc., which has developed a software patch to fix the problem.
"It's a security vulnerability and therefore needs to be dealt with," said Thomas Hesse, president of Global Digital Business for Sony BMG.
The MediaMax Version 5 software was loaded on 27 Sony BMG titles, including Alicia Keys' "Unplugged," and Cassidy's "I'm A Hustla."
CD copy-protection software is generally designed to restrict how many times computer users can make duplicate versions of a CD in an effort to stem piracy.
A computer security firm working with EFF discovered the security issue with the MediaMax Version 5 CDs and how it affects computers running Microsoft Corp.'s Windows operating system.
Windows allows for different levels of access to a computer. The copy-protection software installs a file folder in the computer that could allow a guest user to gain unauthorized access to the computer.
"It's a privileged escalation attack," said Kurt Opsahl, an EFF staff attorney. "On Windows you can have users with different privileges, and because of security weakness in the permissions of a folder, it allows a low-ranked user to act as a high-ranked user."
The problem is commonly found on many computer programs, said Robert Horton, director of NGS Software, which tested SunnComm's software fix for the record company.
The MediaMax problem differs from the security hole discovered last month with the so-called XCP technology by First 4 Internet Ltd. of Banbury, England, that Sony BMG placed on more than 50 other CD titles. That copy-protection effort was found to leave computers vulnerable to hackers.
"The main distinction is, with XCP, it was hiding itself so you wouldn't know that it was there," Opsahl said.
This one is not hidden, he said, but the average user wouldn't know to look for it unless it was brought to their attention.
Sony BMG recalled the discs with XCP last month and released a way to remove the software from users' computers.
Opsahl said the MediaMax patch addresses the problem, but the EFF, which has a lawsuit pending in California against Sony BMG over its use of copy-protection technology, is continuing to investigate.
"We can't say that the software is now secure," Opsahl said. "We're going to continue to raise these issues with Sony."
Hesse said the company plans to alert consumers to the patch on artist Web sites and via e-mail, among other measures.
"We have learned that we are in the software business to some extent and we should behave like someone in the software business does ... to make sure the users of our product are safe at all times," he said.
Sony BMG is a joint venture of Sony Corp. and Bertelsmann AG.