Sony, DRM and Rootkit

I am late to blog about that issue.

The news of Sony Digital Right Management system which acted like spyware and cause a great security leakage in Operating system is ubiquitous on Internet. Blogging community brought it to the attetion of media. The first blogger who found out about rootkit was Mark Russinovich. You can find out how he detected that malicious intent of Sony CDs in the post of his Sysinternals Blog.

Sony had put in XCP, the copyright protection software in their latest copy-protected CDs. When users run those CDs in their computer, Sony forced the users to install Sony music player to play their CDs. Apart from installing music player, they installed other software called rootkit without the knowledge of users.

When the rootkit was running on the computer, it would take root privileges from the system and took hidden space in computer. It would monitor user activities such as copying and playing music. It will cause security hole in operating system and vulnerable from hackers' attack. The users who found out about rootkit felt very unhappy because that software tried to contact Sony from their computers without their knowledge.

After the complaints from users, Sony released another patch to remove the rootkit. Before users could download the patch, they needed to provide personal information like name and e-mail address to Sony. Still worse, the ActiveX control in their patch caused another security hole in system. The hackers who know about their ActiveX could take control of computer when the users are visiting their malicious websites and even have the privileges to delete entire harddisk.

Now, Microsoft Anti-Spyware team released the patch to remove all the software installed by Sony DRM. Securities companies also treated Sony DRM software as Malicious software and tried to release patches to completely remove them from system. Sony also released uninstaller to remove their software to soothe the angry users. They recalled around 2 millions CDs from the shelves. But they never publicly apologize for their action.

First4Internet was the company that developed those malware for Sony. Some software researchers claimed that First4Internet copied some part of source code from LAME to develop music player for Sony. LAME is and OpenSource MP3 player released under LGPL.

Though they want to control their properties, they have no right to do in that way. Now some people files law suit against Sony in US court. That event is really a debacle for Sony.