SunnComm Dangerous DRM patch
p2p news / p2pnet: Sony BMG was caught red-handed trying to plant secret DRM spyware on customers’ computers. It wriggled and writhed but was eventually forced to withdraw a number of CDs which had been poisoned by the application.
DRM can never work. Anything which can be seen or heard can be copied by one means or another. But this doesn't mean the companies and entertainment and software cartels will stop trying, and Sony BMG's answer was to try to sneak a DRM application made by Britain's First 4 Internet onto people's computers via CDs holding not only music, but also hidden rootkit spyware.
Then it came to light that additional, and dangerous, MediaMax “copy protection” software made by America’s SunnComm was also present on some discs.
A file folder installed on users' computers by MediaMax "could allow malicious third parties who have localized, lower-privilege access to gain control over a consumer's computer running the Windows operating system," said the EFF.
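The EFF statement names a folder but gives neither its path nor the reason it is dangerous. The usual way a folder on its own hands a low-privilege user control of a Windows machine is an over-permissive ACL: if Everyone or Users can write into a directory that a higher-privilege process later loads code from, an attacker replaces what gets loaded and waits for an administrator to trigger it (inserting the next CD will do). The PowerShell audit below is an added example, not code from p2pnet, the EFF or SunnComm; it assumes that is the mechanism at work here and, rather than guess at SunnComm's install path, walks Program Files and Common Files and reports every directory where a broad principal holds a write, delete or permission-change right.

```powershell
# Added example: audit directories under Program Files for ACEs that let
# low-privilege users write into them. Not from the page, EFF or SunnComm.
# Assumption: the MediaMax folder problem is a writable-directory ACL; the
# roots below are generic Windows locations, not SunnComm's actual path.
# Requires PowerShell 3 or later (for Get-ChildItem -Directory).
param(
    [string[]]$Roots = @($env:ProgramFiles, $env:CommonProgramFiles)
)

# Principals that effectively mean "any logged-on user". CREATOR OWNER and
# Power Users are deliberately absent: both hold write rights under Program
# Files by default on XP-era systems and are not the finding we are after.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller plant, replace or delete a file in a directory,
# or rewrite the ACL to grant itself more. Modify and FullControl both
# include WriteData, so they are caught by the same mask.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
                   $fsr::TakeOwnership)

function Test-BroadWriteAce {
    # True when an Allow ACE grants a broad principal any write-class right.
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)

    if ($Rule.AccessControlType -ne 'Allow') { return $false }
    if ($BroadPrincipals -notcontains $Rule.IdentityReference.Value) { return $false }

    # Cast to int so ACEs written with generic rights (which do not map to a
    # named FileSystemRights combination) can still be inspected bit by bit.
    $rights = [int]$Rule.FileSystemRights
    if ($rights -band 0x10000000) { return $true }   # GENERIC_ALL
    if ($rights -band 0x40000000) { return $true }   # GENERIC_WRITE
    return (($rights -band $WriteMask) -ne 0)
}

function Find-BroadWritableDirs {
    # Walk each root (including the root itself) and emit one record per
    # offending ACE. Inherited ACEs are reported too: an ACE inherited from a
    # vendor's top-level folder is exactly how a whole install tree opens up.
    param([string[]]$Paths)

    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
            foreach ($rule in $acl.Access) {
                if (Test-BroadWriteAce -Rule $rule) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $rule.IdentityReference.Value
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                    }
                }
            }
        }
    }
}

Find-BroadWritableDirs -Paths $Roots | Format-Table -AutoSize
```

Run it from an ordinary user account; every row it prints is a directory that account could drop a file into, and the question to ask of each is whether any administrator-run program ever loads something from there. A clean default install prints nothing under either root. The script inspects directory DACLs only; a world-writable file sitting in a correctly locked directory is the same class of problem and would need a second pass with -File.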
That was a while back. Nonetheless, “In accordance with standard information security practices, EFF and iSEC delayed public disclosure of the details of the exploit to provide SunnComm the opportunity to develop an update,” said the foundation.
Now, “The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment (SONY BMG) said today [December 6] that SunnComm is making available a software update to address a security vulnerability with its MediaMax Version 5 content protection software on certain SONY BMG compact discs (CDs),” says the EFF, going on:
“SONY BMG will notify consumers about this vulnerability and the update through the banner functionality included on the player, as well as through an internet-based advertising campaign. The update is also being provided to major software and Internet security companies. EFF and SONY BMG urge all consumers who receive notice to download and install the patch immediately.”
It’s all so bland, isn’t it? - almost as if Sony BMG had teamed up with the EFF in an honest effort to look after customer interests. Adding to this appearance, “We’re pleased that SONY BMG responded quickly and responsibly when we drew their attention to this security problem,” EFF staff attorney Kurt Opsahl is quoted as saying in the EFF statement.
Quickly and responsibly?
The press release adds, “The security vulnerability on SunnComm MediaMax Version 5 software differs from that reported in early November on First4Internet XCP software contained on certain SONY BMG CDs.”
Go here for the SunnComm patch, and here for Sony BMG’s.
How will you know if your CD is one of those carrying the dangerous SunnComm MediaMax Version 5 DRM software? You can find out by “looking at the back of the CD packaging,” says SunnComm in a FAQ. “If you see a black and white table (see top right) with ‘Compatible With’ on the side, your disc contains some form of content protection software. If the URL at the bottom of table says www.sunncomm.com/support/sonybmg, then the disc contains SunnComm MediaMax Version 5 software. One CD, ‘Defined’ by Amici Forever contains SunnComm MediaMax Version 5 and the URL but does not have the black and white table noted.”
Alternatively, below is a list of CDs poisoned by the SunnComm software. Where an album was issued under more than one selection number, both are given.
———————————————————————————————————————————–
United States
| # | ARTIST | TITLE | SELECTION # |
|---|---|---|---|
| 1 | Alicia Keys | Unplugged | 82876674242 / 82876731662 |
| 2 | Amici Forever | Defined | 82876688832 |
| 3 | Babyface | Grown & Sexy | 82876705682 |
| 4 | Black Rebel Motorcycle Club | Howl | 8287671601 |
| 5 | Britney Spears | Hitme - Remix | 82876740622 |
| 6 | Cassidy | I'm A Hustla | 82876687072 / 82876680732 |
| 7 | Chris Brown | Chris Brown | 82876733222 |
| 8 | Cook, Dixon & Young | Volume One | 82876673342 |
| 9 | David Gray | Life In Slow Motion | 82876710682 |
| 10 | Dido | Dido Live | 82876658099 |
| 11 | Faithless | Forever Faithless/ENH | 82876710142 |
| 12 | Imogen Heap | Speak For Yourself | 82876725322 |
| 13 | Judd & Maggie | Subjects | 82876692492 |
| 14 | Leo Kottke/Mike Gordon | Sixty Six Steps | 82876689092 |
| 15 | Maroon 5 | Live | 82876709742 / 82876699522 |
| 16 | My Morning Jacket | Z | 82876710672 |
| 17 | Raheem Devaughn | The Love Experience | 82876537232 |
| 18 | Santana | All That I Am | 82876597732 |
| 19 | Sarah McLachlan | Bloom (Remix Album) | 82876697982 |
| 20 | Stellastarr* | Harmonies for the Haunted | 82876688812 |
| 21 | Syleena Johnson | Chapter 3: The Flesh | 82876610932 |
| 22 | T-Pain | Rappa Ternt Sanga | 82876734472 / 82876732002 |
| 23 | Various | So Amazing: An All Star Tribute To Luther Vandross | 82876624722 |
| 24 | Various | Songs Brown Hotel | 82876714112 |
| 25 | Wakefield | Which Side Are You On? | 82876685072 / 82876681352 |
| 26 | Charlie Wilson | Charlie, Last Name Wilson | 82876694292 |
| 27 | YoungBloodZ | Everybody Know Me | 82876733402 / 82876731752 |
Canada
| # | ARTIST | TITLE | SELECTION # |
|---|---|---|---|
| 1 | Alicia Keys | Unplugged | 82876674242 / 82876731662 |
| 2 | Amici Forever | Defined | 82876688832 |
| 3 | Babyface | Grown & Sexy | 82876705682 |
| 4 | Britney Spears | Hitme - Remix | 82876740622 |
| 5 | Cassidy | I'm A Hustla | 82876680732 |
| 6 | Charlie Wilson | Charlie, Last Name Wilson | 82876694292 |
| 7 | Chris Brown | Chris Brown | 82876733222 |
| 8 | David Gray | Life In Slow Motion | 82876710682 |
| 9 | Imogen Heap | Speak For Yourself | 82876725322 |
| 10 | Judd & Maggie | Subjects | 82876692492 |
| 11 | Leo Kottke/Mike Gordon | Sixty Six Steps | 82876689092 |
| 12 | Maroon 5 | Live Friday the 13th | 82876709742 |
| 13 | Melissa O'Neil | Melissa O'Neil | 82876751572 |
| 14 | My Morning Jacket | Z | 82876710672 |
| 15 | Our Lady Peace | Healthy In Paranoid Times | CK94777 |
| 16 | Santana | All That I Am | 82876597732 |
| 17 | Say Anything | …Is A Real Boy | 82876716682 |
| 18 | Stellastarr* | Harmonies for the Haunted | 82876688812 |
| 19 | Syleena Johnson | Chapter 3: The Flesh | 82876610932 |
| 20 | The Trews | Den of Thieves | 82876711162 |
| 21 | T-Pain | Rappa Ternt Sanga | 82876732002 |
| 22 | Various | Canadian Idol High Notes | 82876711202 |
| 23 | Various | Tribute To Luther | 82876624722 |
December 7th, 2005 at 3:26 pm
But this is a real worry from EFF’s FAQ on the problem:
http://www.eff.org/IP/DRM/Sony-BMG/mediamaxfaq.php
Are there any more security issues with SunnComm’s MediaMax software?
We don’t know. We have identified one security issue, but there may be others. Even before this vulnerability came to light, security researcher Ed Felten noted “the MediaMax software will still erode security, for reasons stemming from the basic design of the software.” See Freedom to Tinker for more. We urge Sony BMG to undertake rigorous security testing on all of its software, and we will continue to look into this issue.
Does the patch resolve all the issues with CDs with SunnComm MediaMax software?
No. There are other severe problems with MediaMax discs, including: undisclosed communications with servers Sony controls whenever a consumer plays a MediaMax CD; undisclosed installation of over 18 MB of software regardless of whether the user agrees to the End User License Agreement; and failure to include an uninstaller with the CD. EFF will continue to raise these issues with Sony BMG.
December 7th, 2005 at 3:32 pm
This all sounds great, but MediaMax V5 has been released on CDs from labels other than Sony-BMG too. Sony-BMG are alerting purchasers of their CDs, but no one is alerting the others.
It is significant that the announcement of the patch came from Sony-BMG and the EFF. SunnComm have remained mute.
Instead of alerting the non-Sony CD purchasers, SunnComm would prefer to say nothing in the hope no one will notice. That is not good enough. They were quick to issue PRs on the spoof piece on the Apple DRM and PRs on suing Halderman, but they are silent now when they should be out helping the CD purchaser fix the problem that SunnComm created.
December 7th, 2005 at 3:46 pm
IMO SunnComm are outside the loop because Sony-BMG have had their fill of them. They embarrassed Sony-BMG severely with the bugs found in the uninstaller, because they were the same as those found by First4Internet two weeks before. SunnComm should have checked that they didn’t have the same problem, but instead did nothing. It then blew up into a huge scandal when the problem was discovered by others.
It's the same here. This security exposure is a common issue with novice programmers and no company worth its salt should have let it happen. Yet it was an outside company that found the exposure and not SunnComm itself. It should not have got by even the most primitive of testing methodologies, yet SunnComm missed it.
You can read Sony-BMG's frustration with SunnComm in the way they had to get NGS Software to help SunnComm develop the fix and then help them test it. It must be utter humiliation for SunnComm when your customer doesn't trust you to get it right yourself and forces you to work with outsiders.
The reason SunnComm are mute on this is because it is just too embarrassing for them.
December 7th, 2005 at 7:32 pm
“…undisclosed installation of over 18 MB of software regardless of whether the user agrees to the End User License Agreement;”
Isn’t this bit plainly against the law in the US?
December 7th, 2005 at 8:55 pm
I sort of agree with the poster that mentioned that SunnComm is now outside the loop of Sony. Sony's been stung twice now and they are wanting a first-time fix that doesn't have to be repeated.
I wouldn't trust Sony not to put more junk into their CDs or their patches. As far as I can tell, the very best thing is not to buy cartel products and if you play one the only answer may be to junk the product (either by trashing it or saving it on a shelf and downloading it from p2p) and formatting your PC. Now that's what I call making it difficult for your customers!
In all of this Sony has been most quiet on the spyware/phone-home aspect. They have been anything but forthcoming on the abilities of the software installed with these CDs. Nowhere in all this does Sony say in the EULA that this sort of software will be installed. However Sony has rewritten their corporate EULA to be seen on their home website. Not only rewritten it but it looks like a child's attempt at getting a report right before turning it in to the teacher. It's been rewritten over and over. Insertions being put in here and there trying their darnedest to either make it go away or to cover their butts with legalese.
Nothing in the responses of Sony gives me any indication that Sony is sorry for anything other than that they got caught. Every move Sony has taken, it has been made to take. Even there, no such animal as let's jump out and get it done.
All this does is demonstrate to me that Sony and the rest of the cartel are not to be trusted. They won't do anything not in their own best interests. Rarely will their best interests and the customers' come together.
These sorts of actions do more for the idea that buying product is rapidly becoming an antagonistic experience for the customer. Who in their right mind wants something like this?
December 8th, 2005 at 12:16 am
Of course it is! For an individual at least. Bigbiz with lots of money on the other hand might get a fine worth a fraction of one percent of their monthly revenue.
Which I'm sure they'd declare as an expense for tax purposes anyway.
December 8th, 2005 at 11:53 am
Will the 18MB of software install if one is logged in as a non-administrator on a Win2K or WinXP system? In general, Windows should not allow installation of any software that would impact 'All Users' on the target system when performed by a non-administrator. The installer should not be allowed to make changes in the Global Registry Keys area of the Windows registry either, only the HKEY_Current_User.
Is there a click-through license agreement for this software?
What if your 15-year-old child tries to play one of these CDs on the computer? If these clickable licensing agreements are considered binding contracts, a minor is legally incapable of entering into a binding contract without explicit parental consent in the USA. The argument that the parent let them use the computer and thereby implicitly consented will hold absolutely no water. That's like saying the parents didn't lock up all of the matches and therefore consented to a child playing with matches and burning down the neighborhood.
–TurboGeek
December 9th, 2005 at 1:47 pm
It amazes me to no end what these huge companies with money can get away with. In the end they will probably request a bail out of some sort to cover their butts money wise. Personally I think a huge company such as this or the airlines should not be allowed bailout funds from the governments, but we will see…