Vince said:
A P2P filesharing program is a security vulnerability, as is MS Outlook. Where do you want to draw the line is the question? Any program which enables external data to move into the system is a potential security vulnerability, this is nothing new.
There is a difference between software that has an unintended bug, and software that both has serious bugs and is obviously attempting to subvert the OS in a manner that no trustworthy software should.
Speaking personally, and from Mark Russinovich's detailed analysis, Sony's DRM driver:
1. Has several serious bugs in it that can cause both an unrecoverable system and damage Windows itself.
- The driver fails to perform basic parameter validation. This renders the OS vulnerable to crashes from user mode bugs as simple as forgetting to null terminate a string passed down from a user mode API.
- The driver has several race conditions and patches the OS's service dispatch table in an unsafe manner that can result in system crashes when the driver is unloaded.
- The driver registers itself in a manner that prevents Safe Mode from working correctly should there be a bug in the driver itself which prevents the OS from booting.
- The software consumes significant processor time even when the DRM protected material is not being played.
2. The rootkit modifies the operating system in a thoroughly undocumented and unsafe manner that no legitimate software (that is not used for debugging and software development) would need.
- The installed software masks any file or registry key prefixed with $sys$ from the user. It does not bother to check whose files it is masking, so anyone can use the filter to fool the OS and bypass any firewall, antivirus, or antispyware protection software present on the system.
- The installed software patches the operating system's service dispatch table, which allows it to hijack kernel interfaces with its own versions. There is NO legitimate reason (other than software development or debugging) to do this, and this is a highly unsupported and dangerous technique. Microsoft has discouraged this in the past and x64 Windows ships with protection to deter this technique.
3. It does this without providing any uninstall facility.
- Sony has offered an unmasking utility which removes the filter driver, and recently, finally offered a complete uninstaller after considerable public pressure.
- But users must jump through hoops to obtain the uninstaller:
a. it requires the installation of an ActiveX control into IE, which is in and of itself a security risk. A flawed ActiveX control can easily introduce further security holes into IE.
b. disclosure of personal information to Sony (which is then subject to further use via the standard privacy disclosure terms on the web site).
c. it only works on the machine where the user requested the uninstaller.
d. expires after 10 days.
4. The EULA is unclear as to the extent of the modifications to your system. It also implies the software is uninstallable, which it was not.
Sony EULA said:
As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.
It also promises not to collect any personal information.
Sony EULA said:
However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.
Analysis of the software's network traffic reveals that it does in fact phone home each time the CD is played, and does not ask for permission first, nor does it offer the user a way to turn this behavior off.
5. Sony's behavior since the rootkit software was discovered is nothing short of disgusting.
http://www.npr.org/templates/story/story.php?storyId=4989260
Thomas Hesse said:
"Most people I think don't even know what a rootkit is, so why should they care about it?"
-- Thomas Hesse, President, Sony BMG Global Digital Business Division
"No information ever gets gathered about the user's behavior. No information ever gets communicated back."
-- Thomas Hesse, President, Sony BMG Global Digital Business Division
Vince said:
It's stated in the EULA and you can protect yourself, don't use it. You're turning what is a position applicable to a broad spectrum of programs and applications into some Orwellian scheme to control and undermine users security.
It absolutely is Orwellian, and it absolutely does undermine the security of your system.
Any kernel mode software which allows any other software to hide files from the OS and the user is a serious security hole.
Any kernel mode software which does not perform basic parameter validation potentially allows buffer overflows and denial of service attacks into the kernel. This is a serious security hole.
Vince said:
It's not like Sony was selling this with malicious intent, just like many of Microsoft's products which are infamous conduits for exploits and identity theft... they shouldn't be to blame for others' abuse.
Regardless of intent, it is Sony's responsibility to make a good faith attempt to vet what they are shipping to their customers.
It is clear to me that not only did Sony not make any serious attempt to verify that what First4Internet was selling to them was an ethical and trustworthy piece of software, but they actively support what First4Internet is doing.
Sony is a reputable company, and it is their reputation which is going to be damaged because of things like this.
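The name-masking behaviour described in point 2, and the cross-view comparison a defender can use to spot it, modelled as an added example that is not part of the original post or of any Sony or First4Internet code. The file names, owner labels and the `Entry`, `filtered_view`, `cross_view_diff` and `hidden_by_owner` names are all constructed for the demo; the real filter is a Windows kernel driver, modelled here as a pure function over a directory listing.

```python
# Added example: a pure-Python model of a "$sys$" name-masking filter and the
# cross-view check that reveals it. Everything here is constructed for the
# demo and is not the original driver's code.
from dataclasses import dataclass

MASK_PREFIX = "$sys$"  # prefix the filter hides, as described in the post


@dataclass(frozen=True)
class Entry:
    name: str
    owner: str  # constructed label for which program created the entry


def filtered_view(raw_listing):
    """Model of what the OS API returns with the filter loaded: every name
    that starts with the prefix is dropped, with no check of who created it."""
    return [e for e in raw_listing if not e.name.startswith(MASK_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Names present in the raw (on-disk) view but missing from the API view.
    A non-empty result means something between the caller and the disk is
    hiding entries; the model supplies the raw view directly."""
    visible = {e.name for e in api_view}
    return sorted(e.name for e in raw_view if e.name not in visible)


def hidden_by_owner(raw_view, hidden_names):
    """Group hidden names by owner: anything outside the DRM software's own
    files shows the filter is masking third-party data as well."""
    grouped = {}
    for e in raw_view:
        if e.name in hidden_names:
            grouped.setdefault(e.owner, []).append(e.name)
    return {owner: sorted(names) for owner, names in grouped.items()}


# Constructed listing: two DRM files, one unrelated file using the same
# prefix, and an ordinary user file.
RAW_LISTING = [
    Entry("$sys$drmfilter.sys", "drm"),
    Entry("$sys$config.dat", "drm"),
    Entry("$sys$unrelated.dat", "unrelated"),
    Entry("notes.txt", "user"),
]


def demo():
    api = filtered_view(RAW_LISTING)
    hidden = cross_view_diff(api, RAW_LISTING)
    return hidden, hidden_by_owner(RAW_LISTING, set(hidden))


if __name__ == "__main__":
    print(demo())
```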