funsec mailing list archives
Re: Sony to patch copy-protected,
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 03 Nov 2005 13:20:05 +1300
Rob Thompson wrote:

> Can you say "backpedal" ?

Indeed! I "enjoyed" the following:

    http://cp.sonybmg.com/xcp/english/updates.html

    SOFTWARE UPDATES/ PLUG-INS

    November 2, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

    http://updates.xcp-aurora.com/

...particularly "This component is not malicious and does not compromise security".

I guess the first claim is debatable, as it depends on your definition of "malicious" and this typically hinges on both subjective notions of "sufficiently bad" and the difficult/impossible to prove intentions of the designer/implementor/distributor/installer of the software. I'm prepared to accept that First4Internet/Sony really had no overtly malicious intentions in the design and use of the "cloaking technology" in this software, however, I won't give them that they were not incompetent, and I certainly do not want incompetently designed and implemented software on my machine, _especially_ when it patches itself into device driver/filter chains at Ring 0 AND sets itself up as "necessary" so as to be run in Safe Mode...

> Sad part is the patch that they are pushing out via their website attempts to install itself via ActiveX. As far as I know, doing it that way, doesn't that mean that they are taking away our ability to see what exactly they are doing to our machine when they "patch" it?

Yes, this is rather concerning...

> As there isn't an actual executable that can be taken apart and analyzed?

Well, you can always RE this process. The installation package has to be downloaded from the web somewhere, which you can get from RE'ing their web pages or simply from sniffing the network traffic of a suitably prepared goat system. You can then manually unpack, disassemble, etc the installation package and its contents, or you can simply "black box" it by preparing a suitable goat and then let it install the "remover", very carefully and thoroughly monitoring the before and after state (noting you have to do this in a transparent-to-rootkit tricks way) and, during the process also monitoring whatever real-time file system, registry, network, etc access you think may be relevant.

> Even worse than that, to get the removal tool, you have to apply for it with Sony. And then they will decide if you can have it? What's up with that.

In my limited tests of this kind of thing (haven't tried for the F4I "rootkit" yet though), Sony (and other music publishers) have been quite forthcoming with instructions on how to work around possible problems caused by their various DRM warez included on various forms of "copy protected" CDs. They usually want to know a little information, such as what title and where you bought it -- just tell them Amazon and then it doesn't matter that you may not be in the US where (supposedly) most of these DRM/copy-protected discs have been released.

> Too little, too late.

Yep -- it was absolutely downright stupid of them to think that such actions would be acceptable, or to think that they may be able to plant such warez on people's machines without its presence being detected and the kind of uproar we're seeing not ensuing. They may be big and they may be rich, but they're clearly farking stupid and worse, are too stupid to get _good_ advice before embarking on something that anyone with two functioning brain cells would rightly tell them would lead to big trouble.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Sony to patch copy-protected, Fergie (Nov 02)
- Re: Sony to patch copy-protected, Rob Thompson (Nov 02)
- Re: Sony to patch copy-protected, Blue Boar (Nov 02)
- Re: Sony to patch copy-protected, Nick FitzGerald (Nov 02)
- Re: Sony to patch copy-protected, Rob Thompson (Nov 02)
- Re: Sony to patch copy-protected, Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 02)
- Re: Sony to patch copy-protected, Rob Thompson (Nov 02)
- Re[2]: Sony to patch copy-protected, Pierre Vandevenne (Nov 02)
- Message not available
- Re: Re[2]: Sony to patch copy-protected, Dude VanWinkle (Nov 02)
- Re: Re[2]: Sony to patch copy-protected, Nick FitzGerald (Nov 02)
- Re[4]: Sony to patch copy-protected, Pierre Vandevenne (Nov 03)
- Re: Sony to patch copy-protected, Rob Thompson (Nov 02)