New MediaMax vulnerability disclosed, patched

Sony BMG issued a joint announcement with the EFF yesterday that a new security vulnerability had been identified in Sony BMG’s other DRM software, MediaMax, and that a patch was available. The vulnerability has been known for a while but not publicly disclosed until SunnComm was able to create the patch, which can be downloaded from Sony’s site. If you have played any of the CDs listed on Sony’s site, you should probably download the patch. Users who play the CDs will get prompted through a banner displayed in the MediaMax software to download an upgrade.

For those of you just joining us, this is not the DRM package containing the rootkit and all the code stolen without attribution from various open source projects; it’s the other one. Just wanted to set that straight.

Thanks to Mike for pointing out this latest development in the comments last night. There’s a pretty active discussion thread on Slashdot around it right now too.

For the record: I’m certainly glad that Sony BMG is getting more on top of this, with quite a lot of prodding from the EFF. But the EFF shouldn’t have to prod. Sony BMG shouldn’t be getting any praise for doing what they are supposed to be doing as a responsible company.

Update: And maybe they don’t deserve any praise at all: see Freedom to Tinker for a report that the patch installation is also vulnerable to exploits. Thanks to Dave in the comments for the link.

15 Responses to “New MediaMax vulnerability disclosed, patched”

  1. Dave Says:

    Not so fast: http://www.freedom-to-tinker.com/?p=942

  2. the13th’ Bloggy Thingy » The never ending story or: Says:

    […] Via: Sony Boycott Blog and Tinker Technorati Tags: Sony, vulnerability, MediaMax, MediaMax, security risk […]

  3. Down we go Says:

    Weekly CD sales plummet Vs. 2004

    The top 10 albums sold in excess of 100,000, but that news offers little comfort and joy to music retailers, whose sales were down nearly 13 percent compared with the same week last year. Holdovers in the top 10 saw sales declines of 17 percent-68 percent from last week, which marked the beginning of the Christmas sales season.

    http://music.monstersandcritics.com/news/article_1067770.php/Weekly_CD_sales_plummet_Vs._2004

  4. Mark Sweat Says:

    I’ve said this before on other sites, but here it is again.

    Sony, if you’re reading this (and I know you are), the artists here have been screwed by your practices. Their livelihood has been hurt. Their image has been hurt. And you said you did this for them?

    Prove it. Pay them every dime your company makes from these CDs, in perpetuity, for as long as these CDs are sold. Not just the XCP ones. The clean ones. Because we are not the only ones who are owed an “I’m sorry”.

    If you can’t do this. If you can’t (won’t) aggressively fix all the problems caused by the XCP fiasco, I will join with a number of other consumers when the following things happen:

    1) Multi-million dollar judgements are awarded against you
    2) The Sony BMG joint venture files for bankruptcy protection
    3) Dozens of artists who are now very well known are freed from their contracts with Sony BMG
    4) These same artists are able to distribute their work via a non RIAA company.
    5) The RIAA, faced with the demise of one of its largest members, realizes that their own practices (and not MP3 downloads) are what is hurting sales.

    So, the ball is in your court now, Sony. But, I’m certain you’re gonna drop it.

    In fact, from your behavior so far, you don’t even know you’re playing the game.

  5. Mark Sweat Says:

    Has anyone else gotten their link to their MP3 download from the exchange program? Am I the only one feeling like Sony might have just stolen my CD and will be wanting me to re-buy it if I want to listen to it again?

    Since, by the terms of their EULA, I was supposed to delete the DRM version of the songs when I sent the CD to them.

  6. Mike Says:

    Sony BMG claims to be rethinking its DRM policy:

    http://news.bbc.co.uk/1/hi/technology/4514678.stm

    But then, they being such a radically dishonest organization (as has been proved now beyond a shadow of doubt), who can say they really are? Maybe they merely think that it is politic right now to say they are.

  7. Geemodo Says:

    Sony DRM ROOTKIT, Suncomm, EFF new removal tool, yet the consumer problems don’t go away.

    After all the court cases, theories of breaking IPOD and Itunes, Sony problems still linger. Now their patches are requiring patches. These products should not have been there in the first place and now consumers have to go on patching their computers,…

  8. Michel Says:

    Boycott is the thing to do, considering the fact money is the only word some companies understand. Sony was first dishonest, now they’re becoming ridiculous. “Sony the saga” :) ))

  9. no spam Says:

    Sony sucks cos:
    Sony illegally hijacks your pc. They install malicious software using Trojan horses. Root kit and whatever crap. Ask Thomas Hesse for more. He seems to think that you give a damn about it.

  10. Attempting a rational thought Says:

    Have posted this on Freedom to Tinker, thought it might be worth repeating here.

    Posted this on another entry, thought it might be worth repeating here:

    1) Saying that including a DRM scheme that installs without consumer consent on CDs is perfectly okay because game companies include DRM programs in their software is a faulty argument. Usually, the games include an EULA that notifies you that the DRM components are being installed, give you the option to decline installation (if you do so, the game fails to install), and generally do not install the DRM components if you decline the EULA. Arguing that because game companies do so is like saying that because a group of drag racers regularly race through my neighborhood without getting caught by police, it’s perfectly legal to drag race anywhere, anytime, and not just drag race, but drive recklessly, drive while intoxicated, and generally break the law while driving, because others have done it. Never mind that these activities can kill and are illegal, others are doing it, so why shouldn’t we?
    Faulty programming aside, Sony BMG’s main sin has been in the way XCP and MediaMax make it onto a user’s system. Undetectable programs, incomplete EULAs, and programs that automatically install BEFORE an EULA can be read generally are considered to be legal infractions, and spyware or adware that installs under these conditions is considered illegal and the companies providing such malware can be — and are being — prosecuted. The difference between games and Sony BMG’s offerings are that the game EULAs inform the user and offer a chance to decline installation, while Sony BMG hides its software, misleads the user as to what is being installed, and installs its software REGARDLESS of what the consumer decides. At the very least this is incompetence and malfeasance, at the worst this is intentionally done and illegal. You can’t use the example of game companies to excuse Sony BMG’s errors, they’re two different examples that do not coincide.

    2) To Anonymous Company Stooge who is Reading these Blogs:
    Unlike others, I do sympathise with you. You’ve been hired by Sony BMG, Sony’s legal arm, MediaMax, or perhaps an outside legal firm or PR firm contracted by Sony and/or MediaMax, to spread their views, and you have to do this job. You may even secretly agree with those of us who have pointed out Sony BMG’s programming and legal flaws, but because of your job, you can’t voice that allegiance.
    Given your specious arguments, needless repetition, and condescending tone of voice, however, I suspect you are firmly in the pocket of Sony, to the point where you are ignoring customers’ complaints. And this has been, and remains, Sony’s MAJOR Achilles’ heel throughout the XCP and MediaMax fiascos. As I’m sure you or your superiors learned in your introductory marketing class, to be successful, a company must seek out consumer input and reactions, and act on that information. Products are tailored to markets on the basis of consumer preferences and feedback, improvements in services are made based on consumer feedback, sales of a particular product can increase based on positive consumer word-of-mouth. There are even examples where, after a company has done something incredibly stupid, its willingness to LISTEN to customers and fix things BASED ON CONSUMER FEEDBACK has improved the guilty company’s standing and public image. Even just seeming to listen to customers without actually doing so can improve a company’s image in the short-term.
    Setting aside all legal issues and Sony’s questionably legal installation practices, Sony BMG’s main failing is that it is not listening to its customers. There is emerging evidence that at least a month before sysinternals.com published its study of XCP, a computer repairman contacted Sony BMG about XCP. Sony and First4Internet’s responses were basically to deny any problems and bury the situation. Once XCP became public, Sony and First4Internet’s responses basically turned into “Tough luck, we’re not going to do anything to fix the problem, if there even is a problem. You can complain and provide proof and threaten us with lawsuits as much as you want, we’re not doing anything.” Even the recent release of an uninstaller and pulling affected CDs from market isn’t doing much to respond to the customer, since Sony has openly stated that it will stop using XCP TEMPORARILY, and is working with First4Internet on new solutions to the problem of piracy — in other words, an improved (and perhaps similarly undetectable) version of XCP, or an even more draconian new DRM scheme.
    Sony BMG is taking the same attitude towards the MediaMax mess as it has to the XCP mess, down to continuing to produce CDs with the faulty encryption and developing a newer version of MediaMax that will be hard to detect and therefore uninstall. Instead of listening to its customers, Sony is ignoring them. I know some out there are going to scream “It’s because of Sony’s Japanese corporate culture!”, but it’s not. Westerners now hold positions of importance within Sony, and even pure Japanese corporate culture encourages innovation and responsiveness to customer needs — it’s the same culture that gave us JIT delivery schemes, which are a perfect example of manufacturing and stocking responding to customer wants and needs by manufacturing and stocking only as much product as the consumer will buy at the moment it is needed or wanted. No, Sony BMG’s attitude is simply that of the bully who rules the school playground: It can do whatever it wants and to heck with those who complain. It’s this attitude of doing whatever it wants, even if that involves illegal means and the destruction of a consumer’s operating system, that is digging Sony its grave.
    So Anonymous Corporate Scrooge, start actually LISTENING and READING what Sony customers are saying and writing instead of IGNORING it and repeating the company line. And convince your superiors that Sony needs to do the same, otherwise you’ll find that no matter what you do to rectify the DRM mess, it won’t improve Sony’s public image. Bullies inspire fear and hatred, not love, and Sony will just inspire fervent dislike, boycotts, a perhaps permanent drop in sales, lawsuits, and a negative public image if it continues with its current attitudes and legal practices. So unless you and your bosses are willing to listen and act on its consumers’ problems and suggestions, Anonymous Corporate Scrooge, shut up and spare us the official line.

  11. FingSEW Says:

    It would appear the industry is now trying to ban song lyrics from the internet. Warner/Chappel has issued a ‘cease & desist order’ against walter [at] peralworks dot com for his software application ‘pearLyrics’ that displayed the song lyrics for the current song playing in iTunes on a Macintosh. The lyrics were aggregated from many of the websites that have song lyrics on them….

    So if you ever thought that some of those lyrics were a little strange and you wanted to check the correct words you may no longer be able to do that now unless you have a ‘license’ to do such a thing….

    You can see Walter’s notes on his web site.
    http://www.pearworks.com/pages/software.htm
    http://www.pearworks.com/pages/pearLyrics.html

    To Sony for the XCP/MediaMAX, EMI for Copy Control & Warner/Chappel for banning song lyrics. I can honestly say you can all go and take a big flying jump you pack of corporate scumbags…

  12. Mike Says:

    There’s more on the crackdown on Song sites on the BBC.

    I guess it is slightly OT for this site, but it is certainly revealing of attitudes in the music industry.

    Mr Keiser [MPA president] said he did not just want to shut websites and impose fines, saying if authorities can ‘throw in some jail time I think we’ll be a little more effective’.

    One can see that new technology poses problems for people publishing sheet music just as it does for people publishing audio material, and one would sympathize as a first reaction. But would the average kid who might at some point view the lyrics of a song have bought sheet music just to get them if they were not easily available free anyway? Every lyric viewed does not equate to a lost sale. And the ferocity of the industry’s response to their problem tends to kill any remaining sympathy. Prison sentences are not for propping up people’s failed business models.

    http://news.bbc.co.uk/1/hi/entertainment/4508158.stm

  13. Steve U.K. Says:

    This is really getting stupid!….I suppose next we’ll hear that if you buy a paintbrush everything that you paint with it will become the sole property of the paintbrush manufacturer, I don’t know why they don’t just shut the internet down altogether & scrap computers because the way things are going they’ll soon be so restricted that they won’t be worth having!..Alternatively just execute all the corporate lawyers!…lol

  14. Mike Says:

    I finally got around to listening to the new “Triangulation” podcast from Leo Laporte and John C. Dvorak. They were talking to Lawrence Lessig. Very interesting, and I’d heartily recommend it:

    http://thisweekintech.com/tri1

    The consensus was that copyright law has got totally out of hand and stands to damage social, and even scientific and economic, life in the US and Europe.

    It seems quite clear to me that the dogs in the manger, like Sony BMG, see the changes wrought by technology as not a reason to explore new ways of interacting with the public but as a chance to claim special privileges of ownership no one has ever enjoyed, or even thought to claim, before in the whole history of mankind simply because they think it may be possible with copyright law and IT to make it stick.

    Lawrence Lessig made the point that even since copyright law has been around (which is relatively recently) it has not been a principle that every time value is made on an item a copyright owner gets a cut. There are second-hand bookshops; there are libraries; there are book reviews, etc., etc.

    Sure the music industry can insult anyone who disagrees with them by throwing out the label “communist”, but who are the real revolutionaries here? They are the ones who want to change the balance of things: they are demanding rights which are quite unprecedented. And legislators have given them all too much of a hearing. They need to be cut down to size.

  15. AdSense Money Maker Says:

    AdSense Money Maker

    Do you know how to make money from AdSense automatically? You don’t!? I’ll teach you how!
