Text Message From The Police: SLW DWN >>
<< TiVo Gets Its Wish: People Start Forgetting...
 tdicon 

(Mis)Uses of Technology

by Mike Masnick

Tue, Nov 15th 2005 10:12am





Details On The Sony BMG / First4Internet Uninstaller Problem

from the it-just-gets-better-and-better dept

It seems the folks over at First4Internet, who made the Sony rootkit in the first place, aren't the sharpest knives in the drawer when it comes to designing secure applications. After all, the rootkit left open the ability for other malware to hide behind it, and, as mentioned yesterday, the web-based uninstaller they provided has a huge security hole. Ed Felten and Alex Halderman have detailed the security problems with the uninstaller, and it's quite a security hole. Basically, they were using an ActiveX control to download and run the uninstaller, but the control stays on your machine and is open for any other website to use. So all a malicious coder needs to do is code some nasty malware that looks for that ActiveX control and if you visit that website, you're toast. As Felten and Halderman note, this is only the web-based uninstaller. Sony BMG and First4Internet also provide a downloadable uninstaller that doesn't appear to have similar issues (or, at least they haven't been found yet). Either way, every step of the way, this story just gets more and more ridiculous.

5 Comments | Leave a Comment

If you liked this post, you may also be interested in...

Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    giafly, Nov 15th, 2005 @ 11:01am

    The UK company that supplied the DRM software

    Email: info@first4internet.co.uk sales@first4internet.co.uk webmaster@first4internet.co.uk
    Phone: Tel: +44 (0)1295 255777, Fax: +44 (0)1295 262682
    Post: 6 South Bar Street, Banbury, Oxfordshire, OX16 9AA, UK Google Map
    Management Team: Nick Bingham Chairman, Mathew Gilliat-Smith CEO, Tony Miles Operations & Technical Director, Peter Worrall Marketing & Research Director, Nick Drew ICA Business Development Manager (thanks, voidstar)
    There's nothing on the first4internet press page since August.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Sissy Pants, Nov 15th, 2005 @ 11:56am

    smooth move sony

    Sony must have at least 1 competant engineer that works for them. It's hard to believe the root kit was allowed to be put out in the first place. The fact that they did a half ass job at the uninstaller is rediculous...

    note to self; don't buy sony

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Nov 15th, 2005 @ 1:43pm

    Re: smooth move sony

    Ironically I was about to go buy a Sony digital camera this weekend.. but now I am worried about what might be included? Maybe their software will quietly call home and send back pictures of my naked girlfriend?

    The Canon Powershot now looks like a better deal..

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Bunch a' pricks..., Nov 15th, 2005 @ 8:12pm

    Re: smooth move sony

    Ditto for me. Sony just lost a bunch of money I was gonna spend too. I'm in the market for a new camcorder having not upgraded since 1999. Jvc hasn't seen a penny of my money since I discovered the famous eo error which will apparently eventually effect EVERY Jvc camcorder. Sony had improved the reputation of their camcorders and was high on my list. Now I won't buy a Sony camcorder, my son, who is a good kid won't get the PSP he despirately wants for Christmas and I won't buy the PS3 I've been looking forward to buying. As angry as I am over this whole rootkit thing I'm more insinsed by the fact that my son has to suffer because of these pricks. I really hope that someone starts an official Sony boycott. I'm taking part already, but I'd love to add my name to an official list posted for Sony to see.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Bunch a' pricks..., Nov 15th, 2005 @ 8:16pm

    Re: smooth move sony

    Engadget actually adressed a similar yet less ominous issue more than a year ago... http://features.engadget.com/entry/3239236478279892/

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Text Message From The Police: SLW DWN >>
<< TiVo Gets Its Wish: People Start Forgetting...
 tdicon 
Follow Techdirt
Flattr rss rss
A word from our Sponsors...
Sponsored Resource
Essential Reading
Techdirt Reading List
Techdirt Insider Chat

A word from our Sponsors...
Recent Stories

Wednesday

3:26pm: Eric Schmidt Still A Fan Of Figuring Out A Way To Erase The Past (0)
2:24pm: Chinese Hacks Of Google Database Of Surveillance Targets Highlight How Dumb Technology Backdoors Are (5)
1:20pm: Released Video From Silva Beating Shows His Last Moments; Video Of Actual Beating Still Missing (24)
12:17pm: AT&T Says You Can Use Any Video Streaming App You Want... Just As Soon As It Can Get The Meter Running (15)
11:14am: Reporters Find Exposed Personal Data Via Google, Threatened With CFAA Charges (45)
10:07am: New York Times Tells Startup It Can't Even Mention The NY Times (40)
9:12am: So It's Come To This: Seven High School Students Arrested For Throwing... Water Balloons (124)
7:50am: First Hand Account Of Judicial Smackdown Of Prenda In Minnesota (93)
5:51am: Quack Professor Releases Dumbest Violent Video Game Theory Ever (45)
3:46am: How Low Can Drones Go? (64)
More arrow
A word from our Sponsors...

Close

Email This