RSS
Twitter
Details On The Sony BMG / First4Internet Uninstaller Problem
from the it-just-gets-better-and-better dept
It seems the folks over at First4Internet, who made the Sony rootkit in the first place, aren't the sharpest knives in the drawer when it comes to designing secure applications. After all, the rootkit left open the ability for other malware to hide behind it, and, as mentioned yesterday, the web-based uninstaller they provided has a huge security hole. Ed Felten and Alex Halderman have detailed the security problems with the uninstaller, and it's quite a security hole. Basically, they were using an ActiveX control to download and run the uninstaller, but the control stays on your machine and is open for any other website to use. So all a malicious coder needs to do is code some nasty malware that looks for that ActiveX control and if you visit that website, you're toast. As Felten and Halderman note, this is only the web-based uninstaller. Sony BMG and First4Internet also provide a downloadable uninstaller that doesn't appear to have similar issues (or, at least they haven't been found yet). Either way, every step of the way, this story just gets more and more ridiculous.
Reader Comments
(Flattened / Threaded)
The UK company that supplied the DRM software
Email: info@first4internet.co.uk sales@first4internet.co.uk webmaster@first4internet.co.uk
Phone: Tel: +44 (0)1295 255777, Fax: +44 (0)1295 262682
Post: 6 South Bar Street, Banbury, Oxfordshire, OX16 9AA, UK Google Map
Management Team: Nick Bingham Chairman, Mathew Gilliat-Smith CEO, Tony Miles Operations & Technical Director, Peter Worrall Marketing & Research Director, Nick Drew ICA Business Development Manager (thanks, voidstar)
There's nothing on the first4internet press page since August.
(reply to this comment) (link to this comment)
smooth move sony
Sony must have at least 1 competant engineer that works for them. It's hard to believe the root kit was allowed to be put out in the first place. The fact that they did a half ass job at the uninstaller is rediculous...
note to self; don't buy sony
(reply to this comment) (link to this comment)
Re: smooth move sony
Ironically I was about to go buy a Sony digital camera this weekend.. but now I am worried about what might be included? Maybe their software will quietly call home and send back pictures of my naked girlfriend?
The Canon Powershot now looks like a better deal..
(reply to this comment) (link to this comment)
Re: smooth move sony
Ditto for me. Sony just lost a bunch of money I was gonna spend too. I'm in the market for a new camcorder having not upgraded since 1999. Jvc hasn't seen a penny of my money since I discovered the famous eo error which will apparently eventually effect EVERY Jvc camcorder. Sony had improved the reputation of their camcorders and was high on my list. Now I won't buy a Sony camcorder, my son, who is a good kid won't get the PSP he despirately wants for Christmas and I won't buy the PS3 I've been looking forward to buying. As angry as I am over this whole rootkit thing I'm more insinsed by the fact that my son has to suffer because of these pricks. I really hope that someone starts an official Sony boycott. I'm taking part already, but I'd love to add my name to an official list posted for Sony to see.
(reply to this comment) (link to this comment)
Re: smooth move sony
Engadget actually adressed a similar yet less ominous issue more than a year ago... http://features.engadget.com/entry/3239236478279892/
(reply to this comment) (link to this comment)
Add Your Comment