Ready to get upset? New Sony MediaMax patch not secure
Posted on 08/12/05 23:29 by Dan Bell                             

The latest update for the MediaMax software, present on many Sony/BMG discs as a digital rights management "solution" and mentioned earlier today in this story, is not a good one. It's flawed, so don't use it. Just a day after telling everyone "no sweat, we got ya covered with this here patch", it seems that in fixing one security hole SunnComm dug another!

Sony and SunnComm may begin to wish they had stayed out of the software business. After this news today from BetaNews, you would have to be a glutton for punishment to purchase any of these abortions from Sony/BMG that they are trying to peddle off as "music CDs". Especially if you plan on putting them in a PC.

I don't buy CDs any more thanks to the revolting RIAA "leave no child or senior citizen behind policy" in their legal Jihad against piracy. But Sony/BMG and MediaMax really take it to another level. I won't be affected by their malware as I do not purchase products with radical DRM applied, but this following item I just read really gets my goat. Another "feature" of this software they are loading without authorization actually spawns ads on the infected PC! So not only are you saddled with crap that strips your legal rights to a backup, they went ahead and made a provision to pepper you with annoying ads as you TRY to listen to the product you just legally bought!

But, here is the final blow, get this, they have the audacity to leverage this ability to manipulate your property to warn you that they just hosed your computer....again!

SunnComm's MediaMax version 5 software does not properly protect a directory it installs, opening the door for a privilege escalation attack. Thus, a restricted user account could replace the executables within the MediaMax directory with malicious code, which would then be executed by an administrator upon inserting a CD.

Sony said it would notify customers of the SunnComm problem through an advertising banner within the MediaMax software, and via an online ad campaign. It also began distributing an update on the Sony BMG Web site and to security vendors.

But despite claims that "independent software security firm NGS Software have determined that the security vulnerability is fully addressed by the update," Princeton researcher Alex Halderman has found otherwise.

"It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch," Princeton professor Edward Felten explained. "The previously released MediaMax uninstaller is also insecure in the same way."
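For defenders, the directory-permission flaw described above can be checked for directly. The following is an added example, not part of the original article or of any Sony/SunnComm tooling: it parses the output of the Windows `icacls` command for a program directory and lists the entries that let ordinary users modify its files. The path and sample output are constructed placeholders, and the group names assume an English-language Windows install.

```python
import re

# Principals any restricted local account belongs to (English-locale names; an assumption).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls right codes that let the holder add, replace or delete files.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "DE", "WDAC", "WO", "GA", "GW"}
# Parenthesised tokens that are inheritance/type flags, not rights.
FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")


def risky_aces(path, icacls_text):
    """Return [(principal, sorted rights)] for allow ACEs that let a
    low-privilege principal modify files under `path`."""
    findings = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or summary line
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        if "DENY" in groups:
            continue                          # deny entries grant nothing
        rights = {r.strip() for g in groups if g not in FLAGS for r in g.split(",")}
        hit = rights & WRITE_RIGHTS
        if m["who"].lower() in LOW_PRIV and hit:
            findings.append((m["who"], sorted(hit)))
    return findings


# Constructed sample output; the path is a placeholder, not the real MediaMax directory.
SAMPLE_PATH = r"C:\Program Files\ExampleDRM"
SAMPLE = r"""C:\Program Files\ExampleDRM Everyone:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE_PATH, SAMPLE):
        print(f"{SAMPLE_PATH}: {who} can write ({','.join(rights)})")
```

A directory under Program Files that an administrator will execute from should produce no findings; any entry listed here means a restricted account can swap the executables inside it.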

OK, now are you ready to avoid these discs? No? Well then check this out!

Halderman and Felten also say that if you decline to accept the EULA from MediaMax, it still loads the malware. But that isn't the kicker. If you don't accept, you don't get the warning from Sony, as the ad won't run. Both these experts agree that this situation is every bit as bad as the "rootkit" fiasco and that it is time Sony pulled all such discs from the shelves. They are just sitting out there waiting for another victim!

Source: BetaNews

Reactions
By shimman, Thursday 08 December 2005 23:32
not surprised; you should always disable auto-start & do not run any program from your dvds & cds
By Crabbyappleton, Thursday 08 December 2005 23:36
I think that MS may have to create a patch that does away with autoplay!
By Mordorr, Friday 09 December 2005 01:08
After formatting my PC: 1º XPAntispy autoplay OFF! 2º........
By jbailey8, Friday 09 December 2005 01:32
DOH!!! I'm sure not buying any of their cr*p!!
By heystoopid, Friday 09 December 2005 03:47
Say, if you really want a good laugh, or to view a totally confused writer, see BBC News online, dated 8th December 2005, titled "Anti-piracy CD problems vex Sony": http://news.bbc.co.uk/2/hi/technology/4511042.stm Man, this is one confused staff writer! Oh well, to read and be confused at the same time over "XCP" and "Mediamax"!
By rla, Friday 09 December 2005 03:48
This entire fiasco is just sooooo representative of the attitude of the music industry. They seem to think the entire world is here at their pleasure. They seem to think all consumers do is go around dwelling on their products and no one can live without them. Now after years of the industry trying to bully the broadcasting industry and technology developers they seem to have decided that if you purchase a product they own your computer too...or at least have the rights to take over whatever part of it they wish without your permission. When it is in their interest to call consumers thieves, hackers and pirates they act as if they have taken the high road. When it comes to hacking your computer and turning it into a collection pit for other vulnerabilities they play dumb, claiming they had no advance knowledge of the mess they were going to create. So what do they do? They make a cursory effort by collecting up some of the discs and then turn around and ship out another dose of the same faulty software. Did they check or have experts ensure there were not going to be issues with the second round of "protection" software? I am sure they did, but after already claiming ignorance they seem hell bent on proving that they really are ignorant. If little johnny hacker creates and releases a virus and gets caught he goes to jail. Sony apparently has license to dump this potentially damaging software on the market and then expect the public and experts to figure it all out. Since when is a multi billion dollar corporation excused from this activity? To make the scenario worse they are charging people for product that does this. What in the world has happened to this company? It seems out of control. I think the federal government needs to take an active role in protecting the public interest here. No corporation should be entitled to go this far at their own discretion.
My God, next thing you know they will be putting code in their CDs that causes your computer to generate a specific radio frequency. Then all they will have to do is drive little white vans up and down the street and collect data. Don't laugh! There are others already driving those little white vans.
By DcR125, Friday 09 December 2005 05:01
Could it be that SunnComm hate Sony as much as the rest of us? After the whole rootkit thing they may have just thought "Cool, now how can we completely f**k Sony's reputation". I mean, if you had that kind of opportunity can you honestly say you wouldn't have done the same thing?
By CORRSA, Friday 09 December 2005 10:36
It's time to kill a corporate company, and the easiest way is to hit them hardest in the pocket: no sales, no company.
By ZenOfJazz, Friday 09 December 2005 22:44
I am totally fed up with the continuing stream of bovine fecal material that SONY is dumping on its paying customers, all in the misguided attempt to stop piracy. Pirates don't buy CDs, Sony. http://www.cafepress.com/sonynodrm -Jazz
By rockincatdaddy, Saturday 10 December 2005 00:43
Yup, it is time to vote with your wallet, from those blank discs that Sony makes to their wonderful music CDs and that new Plasma TV. I have just shut down all 5 of my XM radio subscriptions. Because I don't need a DJ to tell me anything, I don't need a commercial telling me what channel I am on, nor do I need an ad telling me that if I want to be a DJ for the day go to, get this, "Rolling Rock .Com". Huh. Isn't that a commercial? Hey, I have over 800 legally purchased CDs. I will be OK without Sony or XM. To other corporations out there that think the public is stupid: "We vote with our wallets". Haven't seen much of me lately, huh, Sam Walton. Thanks for this wonderful forum, CD freaks!