Extended Copy Protection - Sony's Response

Sony's Response

On a National Public Radio program, Thomas Hesse, President of Sony BMG's global digital business division, asked, "Most people, I think, don't even know what a rootkit is, so why should they care about it?" He explained that "The software is designed to protect our CDs from unauthorized copying and ripping and Rootkit technology is one of the best ways to do just that."

Sony also contends that the "component is not malicious and does not compromise security," but "to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove the rootkit component from their computers."

An uninstaller for XCP-Aurora is available from the Sony-BMG web site.

The original uninstaller was different. Mark Russinovich, who initially uncovered XCP, published an analysis of it titled "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home". Obtaining the original uninstaller required the user to use a specific browser (Microsoft Internet Explorer), fill out an online form with their email address, receive an email, install the patch, and fill out a second online form, after which they received a link to the uninstaller. The link is personalized and will not work for multiple uninstalls. Furthermore, Sony's Privacy Policy states that this email address can be used for promotions, or given to affiliates or "reputable third-parties who may contact you directly".

It has also been reported that the original uninstaller might have security problems that would allow remote code execution. Sony's uninstall page attempted to install an ActiveX control when it was displayed in Internet Explorer. This ActiveX control was marked "Safe for scripting," which means that any web page can use the control and its methods. Some of the methods provided by this control were dangerous, as they may have allowed an attacker to upload and execute arbitrary code.

On 11 November 2005, Sony announced they would suspend manufacturing CDs using the XCP system:

"As a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology," it said in a statement.

"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," Sony BMG added.

This followed comments by Stewart Baker, the Department of Homeland Security's assistant secretary for policy, in which he took DRM manufacturers to task, as reported in the Washington Post:

In a remark clearly aimed directly at Sony and other labels, Stewart continued: "It's very important to remember that it's your intellectual property — it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

According to the New York Times, Sony BMG said "about 4.7 million CDs containing the software had been shipped, and about 2.1 million had been sold." Sony-BMG distributed 52 albums that contained XCP.

On 14 November 2005, Sony announced that it was recalling the affected CDs and planned to offer exchanges to consumers who had purchased the discs.
