BugBlog Bug of the Month

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

The Bug of the Day for December, 2005 was written on November 2. It belongs to Sony (like that's a surprise). It appears that as part of a stringent DRM (digital rights management) scheme, Sony is shipping new music CDs that install a root kit on your PC. If you manage to discover this and try to delete it normally, you may screw up your CD. This was discovered by Windows expert Mark Russinovich, who knows more about Windows than everybody outside of Microsoft (and probably inside too). Sony's lame attempt to help is http://cp.sonybmg.com/xcp/english/faq.html#uninstall -- you will need to contact them to get the uninstall procedure. You can see Russinovich's meticulous research at http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html. The workaround is simple -- don't buy stuff from Sony.

Of course, this wasn't the end of the story. Follow along as the story played out almost daily in The BugBlog or the BugBlog Plus.

On November 6: Hackers are using the Sony DRM (digital rights management) root-kit as a way to hide their cheating in an online game. Blizzard Entertainment uses a program, called the Warden, to protect against cheaters in the World of Warcraft online game. But since the Sony program hides any program that starts with the prefix $sys$, the cheaters can buy and install the Sony music CD, and then use it as protection against being caught.
Cheating in an online game is fairly trivial, but it is important because it shows how bad guys can use the Sony root-kit to hide their malware on your computer. If you've played a DRM-enabled Sony CD, you could be a target. Read the details at http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/.

The BugBlog Plus on November 7 had: Want to see the kind of reviews a company doesn't want to see? Check out the reader comments in one of the Sony CDs that installs the DRM root kit on your computer. I'm sure Van Zant, the group that was probably the unwitting guinea pig for this software, isn't very happy either.

Then on November 9: An update on the Sony rootkit issue from Mark Russinovich, who initially discovered the intrusive software installed by some Sony music CDs. First he highlights the extremely convoluted procedure you need to go through to get the software that uninstalls the rootkit. He then shows that the uninstaller isn't put together in a safe manner, and could cause your computer to crash. He also shows that the software does contact Sony, although at this point it seems to be for a fairly benign reason. Read the details at

And on November 14: Microsoft will be labeling Sony's DRM (digital rights management) rootkit as spyware, and will be updating their Windows AntiSpyware application so that it can detect and remove the rootkit. This will take place during the regular updating of the antispyware's signatures. Microsoft's Anti-Malware Technology Team talk about this on their blog at http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx. Note to Sony: when even Microsoft says that you've gone too far, you need to do some serious re-thinking.

The next day: Romanian security researchers at BitDefender have found the first Trojan horse program that exploits the Sony DRM root-kit as a way to hide. If you haven't been following along, the Sony software will hide any software whose name starts with $sys$.
That means the Sony music CDs install software that will then conveniently hide the bad guy's software. (Remember that next time you are shopping for consumer electronics.) You can read BitDefender's report at http://news.bitdefender.com/NW193-en--First-Trojan-Using-Sony-DRM-Detected.html.

The 16th saw Sony's surrender: Sony says it will recall all of the CDs with the DRM rootkit. They say they have shipped 4.7 million of them, and sold 2.1 million. They are also recalling the uninstall program that they originally posted after they were caught, after it was revealed that the uninstall program is buggy, too. If you want to see the list of CDs with the bad software, see the Electronic Frontier Foundation at http://www.eff.org/deeplinks/archives/004144.php.

That just meant that it was time for more people to line up and take a shot. On the 17th: Now it is the Department of Homeland Security's turn to smack around Sony. They have issued a National Cyber-alert about the uninstall script that Sony and First4Internet have issued to remove the rootkit that comes with certain Sony music CDs. The uninstall program installs an ActiveX control that has been marked Safe for Scripting, which means that just about any hacker or script kiddie could use it to download hostile content onto your computer. You would have to visit a malicious website with Microsoft Internet Explorer for this to happen. The alert, which has links to more technical details, is at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3650.

Nothing more till the 23rd: There are reports that the badly-flawed Sony DRM tool, which has caused a massive product recall by Sony, may have actually included open source code within the proprietary software. So Sony actually violated someone else's copyright in their zeal to install their rootkit on your computer. Here's one view of the situation at http://blogs.zdnet.com/BTL/?p=2177&tag=nl.e539.

The last item was in the BugBlog Plus on November 30: According to a story in Business Week, the computer security company F-Secure also discovered the root-kit fiasco about a month before the story was made public. Apparently, Sony tried to downplay the significance of F-Secure's findings, although in retrospect they probably realize they should have paid more attention. Read the whole thing at http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm.

The story isn't done. The EFF and the Texas Attorney General have already filed suit against Sony, and New York Attorney General Eliot Spitzer will probably be next. Also, Sony has posted a longer list of titles that have the rootkit. This list is at http://cp.sonybmg.com/xcp/english/titles.html
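
The November 6 and November 15 items both turn on one behaviour: anything whose name starts with $sys$ drops out of the running system's view. The Python below is an added example, not code from the BugBlog or from any of the reports it links to; it compares a file listing taken on the running system with one taken from outside it (boot media, for instance) and reports names that only the outside view shows. The sample paths, the function names and the case-insensitive matching are assumptions of the example.

```python
from pathlib import PureWindowsPath

CLOAK_PREFIX = "$sys$"  # the prefix named on this page


def has_cloak_prefix(path, prefix=CLOAK_PREFIX):
    """True if any component of a Windows path starts with the prefix.

    Matching is case-insensitive: a conservative choice for this example,
    not a statement about how the cloaking software compares names.
    """
    parts = PureWindowsPath(path).parts
    return any(part.lower().startswith(prefix.lower()) for part in parts)


def cross_view(live_listing, offline_listing, prefix=CLOAK_PREFIX):
    """Compare a listing from the running system with an offline listing.

    Returns three sorted lists:
      hidden              - present offline, missing from the live view
      hidden_with_prefix  - the subset of hidden that carries the prefix
      visible_with_prefix - prefixed names the live view still shows
                            (prefix in use, cloak not active)
    """
    live = {p.lower() for p in live_listing}
    hidden = sorted(p for p in offline_listing if p.lower() not in live)
    hidden_with_prefix = [p for p in hidden if has_cloak_prefix(p, prefix)]
    visible_with_prefix = sorted(
        p for p in live_listing if has_cloak_prefix(p, prefix))
    return hidden, hidden_with_prefix, visible_with_prefix


# Constructed sample listings; none of these paths come from a real system.
LIVE_VIEW = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Games\launcher.exe",
]
OFFLINE_VIEW = LIVE_VIEW + [
    r"C:\Windows\System32\$sys$example\driver.sys",
    r"C:\Games\$SYS$helper.exe",
    r"C:\Temp\other.tmp",  # differs between views but is not prefixed
]

if __name__ == "__main__":
    hidden, prefixed, visible = cross_view(LIVE_VIEW, OFFLINE_VIEW)
    for path in hidden:
        tag = "prefix match" if path in prefixed else "no prefix"
        print(f"only in offline view ({tag}): {path}")
```

An entry that differs between the views without the prefix, like the last sample path, may simply have been created between the two listings, so it is reported separately from the prefixed ones.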

Previous Bugs of the Month

November 2005: Four Separate Bugs Leave Windows Open to Takeover
October 2005: Acrobat Screws Up MS Word
September 2005: Apple Security Update Breaks 64-bit Apps
August 2005: Cisco IOS Vulnerable to IPv6 bug
July 2005: RealNetworks Fixes Four Bugs in Their Media Player
June 2005: Flawed Rollout for Netscape 8
May 2005: TCP/IP Fix for Windows
April 2005: Denial of Service against Symantec Norton AntiVirus
March 2005: IDN Spoofing Bug
February 2005: Windows Animated Cursor Bug
January 2005: Windows Firewall Problems with Dial-up connections

The Bug of the Month is also posted at Blogcritics.org