Results 1 to 4 of 4

Thread: Sony BMG: Don't install that patch!

  1. #1
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004

    Sony BMG: Don't install that patch!

    Dec 8th, 2005

    Just one day after jointly announcing a patch to correct a security flaw in the SunnComm MediaMax copy protection included on 27 CDs, Sony BMG and the Electronic Frontier Foundation are urging users not to install it. The update includes a vulnerability similar to the one it attempted to fix.

    SunnComm's MediaMax version 5 software does not properly protect a directory it installs, opening the door for a privilege escalation attack. Thus, a restricted user account could replace the executables within the MediaMax directory with malicious code, which would then be executed by an administrator upon inserting a CD.

    Sony said it would notify customers of the SunnComm problem through an advertising banner within the MediaMax software, and via an online ad campaign. It also began distributing an update on the Sony BMG Web site and to security vendors.

    But despite claims that "independent software security firm NGS Software have determined that the security vulnerability is fully addressed by the update," Princeton researcher Alex Halderman has found otherwise.

    "It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch," Princeton professor Edward Felten explained. "The previously released MediaMax uninstaller is also insecure in the same way."

    Halderman and Felten also discovered that even if a user declines the MediaMax license agreement, the vulnerable software is still installed on their computer. However, those users will not see the advertising banner Sony is using to notify customers.

    "The consequences of this problem are just as bad as those of the XCP rootkit whose discovery by Mark Russinovich started SonyBMG's woes," added Felten. "This problem, like the rootkit, allows any program on the system to launch a serious security attack that would normally be available only to fully trusted programs."
    BetaNews | Oops -- New Sony DRM Patch Insecure

  2. #2
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    3rd Rock from Sun
    Already here
    I added it to your other thread here

    including rootkit detect / remove tool too
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  3. #3
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Hi foxyloxley,

    OPPS! Missed your post...

    You must spread your AntiPoints around before giving it to foxyloxley again.

  4. #4
    Senior Member genXer's Avatar
    Join Date
    Jun 2005

    Another article on it...

    Just in case everyone wants another slant on it... I offer the Registers POV on the topic - they're so cheeky!

    Link: http://www.theregister.co.uk/2005/12...amax_problems/

    SonyBMG backtracks on buggy bug fix
    Wearing out the rewind button

    By Team Register
    Published Friday 9th December 2005 11:14 GMT

    SonyBMG’s efforts to regain some credibility with PC users came unstuck again after it admitted that a patch for flawed content protection software included with some its CDs actually creates more problems for users.

    The academics who have uncovered the latest security hole say the only way Sony can dig itself out is to recall all the CDs that shipped with the flakey software.

    The hapless media giant snuggled up to the Electronic Frontier Foundation earlier in the week to admit that Sunncomm MediaMax content protection software on some of its CDs could leave users’ PCs open to hijacking by unauthorised users. It instructed users to download a patch from MediaMax.

    Now, academics at Princeton University have found that the patch itself suffers from the same bug, though in a slightly different way. They have advised users to not install the patch and indeed to not insert the affected disk in a PC under any circumstance, and the EFF and Sony have gotten behind them.

    Professor Ed Felten and Alex Halderman the problem is “just as bad” as the DRM rootkit carried on other CDs and which caused a furore last month.

    They go on to say that each CD sitting on a shelf is effectly a ticking timebomb, and the only way for Sony to really sort the problem is to recall all the affected disks.

    Only the very paranoid would suggest that advice to not insert an audio CD into a PC delivers exactly the level of "content protection" Sony and the other music giants have been gunning for all this time.®
    I have been wondering how the crisis meetings at Sony have been going for this debacle?
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts