Princeton's Ed Felten and Alex Halderman have published new research into a grave security vulnerability opened up if you run the "uninstaller" that Sony supplies to rid your PC of its malicious rootkit software, which it installs when you insert an audio CD into your PC, as a means of restricting your use of the music on the CD.
The new vulnerability is as grave as a security vulnerability can be. If you run the uninstaller, your computer can be utterly compromised by an attacker who can reach it via the Web. Your computer can be made to run any code and surrender your data. It can be enlisted to act as a "zombie" for sending spam or attacking sites that are being shaken down in protection rackets.
Ed and Alex have written a demo to show that this danger is real. They've also supplied instructions for removing this dangerous software from your PC.
The music industry often warns against the use of P2P systems because they claim that P2P software can contain sneaky, malicious software that compromises your PC. Well, it appears that legitimately purchased CDs are deliberately corrupted with the same dangerous software.
If you buy CDs, you risk your PC, you risk having your personal information stolen by crooks, and you risk having your equipment used to break the law.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get.
The root of the problem is a serious design flaw in Sony's web-based uninstaller. When you first fill out Sony's form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony's site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission.
Link,
