Is Sony BMG spreading malware?

John McCormick Tech Republic

Published: 09 Nov 2005 14:55 GMT

Sony has recently promoted CD restriction schemes that allow vendors to limit the number of times someone can play a CD. Until recently, most viewed this as a relatively benign technology.

However, security software author Mark Russinovich was recently testing some of his Sysinternals freeware programs and encountered some disturbing results. After considerable work, he discovered that the SonyBMG-produced CD he recently purchased on Amazon.com restricted access by planting a rootkit on his computer.

While cynics out there might be suspicious that Russinovich manufactured the story to promote his RootkitRevealer, SonyBMG has acknowledged that the rootkit code does exist. However, the company has published information on its Web site that explains how to remove what some people are referring to as spyware. Since you need to register with SonyBMG to view the page, I wasn't able to determine how readily available the fix is or how easy it is to remove.

Russinovich's blog contains reports from several people who — like myself — were unable to locate any clue in the end-user licence agreement that playing the music CD would plant code on computers, which turns out to be extremely difficult to remove. Although the SonyBMG software is probably harmless, the mere fact of its presence is certain to spark more complaints about digital rights management tools and spur more P2P file sharing.

At the minimum, no security specialist wants any surprise rootkit code installed on servers or workstations he or she is responsible for. Even if it is completely harmless (and there's no way to know that for certain), its mere presence can trigger security warnings. In addition, it can take a lot of work to determine what is there, not to mention figuring out how to remove it without disabling your optical drive completely.

I am not recommending the Sysinternals freeware security tools simply because I am not sufficiently familiar with them. However, Russinovich has written for Microsoft, including an article about rootkits in the June issue of Windows IT Pro Magazine, so his software is legitimate and certainly worth checking out to see if you should add it to your arsenal.

New threats
FrSIRT has reported a critical vulnerability in the Cisco IOS that can allow either a remote or local attacker to compromise the system by executing arbitrary code or — at the minimum — trigger a denial of service event. Related to the infamous exploit disclosed at July's Black Hat security conference, this vulnerability affects Cisco IOS versions 12.0 through 12.4.

To protect against this vulnerability, update to the latest release of the appropriate version. For more information, see Cisco Security Advisory: IOS Heap-based Overflow Vulnerability in System Timers. Note that some of the updates won't be available until later this month.

In addition, eEye Digital Security has identified a critical vulnerability that involves a remotely exploitable arbitrary command...

For more, click here...