The debacle surrounding Sony’s controversial copy-protection initiative was taken to yet another level today when it was announced that a major security flaw had been discovered in the software the company supplies to uninstall the DRM embed.
“According to the report, when a user fills out the Web-based form to request the download, an ActiveX file called CodeSupport is loaded onto the computer. However, after the user leaves Sony’s site, the file is still marked as “safe” for scripting.”
Essentially, this would allow any site to call the CodeSupport file and force it to perform functions – like downloading and installing malicious code. “It opens the door for anyone to take advantage of an affected system.”
“If you visit that Web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically,” Ed Felten wrote Tuesday on the Freedom to Tinker Web log. “Your goose will be cooked.”
Sony has replaced the code with a version that appears to be safe, but the damage may have already been done.
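To check whether a machine still has a control registered as safe for scripting, the audit below (an added example, not part of the original post or Sony's code) lists such controls and reports whether Internet Explorer's kill bit blocks each one. The `CodeSupport` name filter is an assumption based on the file name given above; controls that declare safety only at run time through `IObjectSafety` are not listed.

```powershell
# Added example: audit ActiveX controls registered as "safe for scripting".
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4EC2}'  # CATID_SafeForScripting
$KillBit          = 0x400        # "Compatibility Flags" bit that stops IE loading a control
$NameFilter       = 'CodeSupport'  # assumption: control name or file path contains this
# Native and 32-bit-on-64-bit registry views
$Views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Get-SafeForScriptingControl {
    param([string]$Filter = '')   # empty filter returns every matching control
    foreach ($view in $Views) {
        $clsidRoot = "$view\Classes\CLSID"
        if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
            # The category subkey exists only if the control was registered as safe
            $cat = $key.OpenSubKey("Implemented Categories\$SafeForScripting")
            if ($null -eq $cat) { continue }
            $cat.Close()

            $clsid  = $key.PSChildName
            $name   = $key.GetValue('')
            $srvKey = $key.OpenSubKey('InprocServer32')
            $server = if ($srvKey) { $srvKey.GetValue('') }
            if ("$name $server" -notlike "*$Filter*") { continue }

            # Kill bit lives under IE's ActiveX Compatibility key for the same CLSID
            $compat = Get-Item -LiteralPath "$view\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" -ErrorAction SilentlyContinue
            $flags  = if ($compat) { $compat.GetValue('Compatibility Flags') } else { 0 }

            [pscustomobject]@{
                CLSID      = $clsid
                Name       = $name
                Server     = $server
                KillBitSet = [bool]($flags -band $KillBit)
            }
        }
    }
}

# Controls matching the filter that IE can still script (no kill bit)
Get-SafeForScriptingControl -Filter $NameFilter |
    Where-Object { -not $_.KillBitSet } |
    Format-Table -AutoSize
```

Any row this prints is a control that a web page can still instantiate and script in Internet Explorer; removing the control or setting its kill bit closes that path.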
You can read more about Sony’s DRM here.
Posted by Sean