According to Edward Felten and Alex Halderman, it's dangerous:
Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.
We are working furiously to nail down the details and will report our results here as soon as we can.
Update:
According to USA Today, Sony, which now says it "deeply regrets any inconvenience" people may have suffered, has decided to recall the infected CDs and will offer exchanges. Ed and Alex hope the plan includes doing what Sony ought to have done long ago: providing people with an easy-to-get clean-up tool that doesn't further damage their computers.
Update #2: EFF's open letter to Sony-BMG, which lists eight ways the company ought to make amends to its customers by Friday morning at 9:00 a.m. -- after which, presumably, the suggestions will become more than that.
Update #3: Security Fix: Researcher: Sony DRM on Half a Million Networks: "'It's funny, because the last time we saw these kinds of infection rates, they were because of bugs in [Microsoft] Windows that were later patched,' [security researcher Dan Kaminsky] said. 'But Sony's patch actually deploys new flaws.'"
Update #4: Wired: Sony Numbers Add Up to Trouble: "The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of one third of the 9 million DNS servers Kaminsky estimates are on the net.
The damage spans 165 countries, with the top five countries being Spain, the Netherlands, Great Britain, the United States and Japan, which, with over 217,000 DNS servers reporting knowledge of Sony-related addresses, takes the top spot."
Update #5: Sony-BMG: "We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding."
1. Nancy Prager on November 15, 2005 5:17 PM writes...
Make sure to check out Dan's visual rendering of affected networks and computers. I am sad to say that my little ol' computer has the nasty little bug. I am waiting until the cure is not as bad as the disease to remove the bug. In the meantime, I am only using a secure connection to the Internet and have my wireless turned off.
Sony may face criminal prosecution for releasing the Rootkit because there is evidence that it has been found on government and secure networks. It is generally hard to prosecute corporations for criminal activities, not just computer crimes. However, the abuse in this case may warrant (no pun intended) criminal accountability.
JMHO...
2. Scott Schrader on November 15, 2005 7:03 PM writes...
I surely think that if DHS wants the world to believe that they are serious about computer security, they are going to have to get after Sony. Not only is this one of the most egregious exploits, but we've got everything we need to make a case, including statements against interest by Sony, and statements indicating they intend to put this back on sometime in the future (suspending the XCP "... for now.")
If DHS doesn't get after them, nobody will ever believe them again.