From the Spyware Weekly Newsletter:


You know, it really is a good thing that technology was so primitive when they made the first VCRs. If today's technology were available back then, the VCR never would have taken off. We would have had no way to watch movies once they left the theaters, except perhaps if a heavily-edited version was shown on television.

The movie and television studios feared that a device such as the VCR would mean the death of their industry. They gathered together and plotted the death of the VCR. They tried their best to kill it.

They failed, which is as fortunate for them as it is for us. The amount of money made from the sales of many movies on VHS and DVD makes a mockery of the amount they generate while in the theaters. If nothing else, it guarantees sales for a movie for decades after it has left the theaters.

They tried to sue the VCR out of existence. The company they chose to sue - and the company which beat them - was Sony.

Times sure have changed. The people at Sony appear to have turned their back on consumers and consumer choice. The Sony of today is one of the loudest voices in the clamor to stifle any new technology allowing consumers to enjoy entertainment in new ways. Now, it seems, they are skirting the line of what is legal in order to do that.

While testing an update to RootkitRevealer, Mark Russinovich, co-founder of the company that created it, discovered an unknown rootkit on his own computer. As you can imagine, that was quite a shock.

A rootkit is software which alters the way the operating system works. The purpose of this is to hide files, folders and processes while they are running on the system. They were used in the old days, long before Windows was created, to take over UNIX computers. With a good rootkit, you can hide any piece of software from all but the most determined search. Today, they are used frequently by trojans, spyware and viruses.

After a very thorough investigation, half of which went way over my head, Russinovich tracked it down to a copy protection program installed when he put a Sony music CD into his computer. Two CD-burner device drivers and an NT system service were installed, then promptly hidden from sight by a rootkit.

When this CD is put into a Windows computer, a license agreement pops up declaring that a small program will be installed. The license agreement claims that the software will be used to play the music files and to allow you to make a limited number of copies of the music. It also claims that you cannot play the music files without installing the program.

The agreement contains significant omissions. The fact that a rootkit is installed is not disclosed. The fact that device drivers are installed is not disclosed. That these device driver will disable the CD burner if someone attempts to copy the CD is not disclosed. The NT service is not disclosed and in fact, is given a deceptive name: "Plug and Play Device Manager".

Having tracked down the source of the rootkit conclusively, Russinovich went about deleting this unwanted software. This rootkit put up a better fight than any piece of malware I ever have had the misfortune to run across. Russinovich has very detailed knowledge of how Windows operates and access to some pretty sophisticated tools. He had to put that knowledge and those tools to use in order to scrub this software off of his hard drive.

I have to be honest. From the description he gives in his blog, I don't believe I would have been able to remove this software, at least not without damaging my computer. A regular Windows user never would be able to remove this thing. Most people probably would not notice that it was there in the first place.

Multiple hidden device drivers. A piece of software that can disable a hardware device at will. Deceptively named NT services. All of it hidden from sight by a rootkit. Removing this software breaks the computer, unless you know EXACTLY what you are doing. And none of it is disclosed in the license agreement. All of these things happen just because a person wants to listen to the music they have purchased from Sony.

And the RIAA wonders why people prefer to download music for free?

These are the methods used by illegal malware to do illegal things. Why does Sony use these same methods? Some of these activities are illegal in some countries. It soon may be illegal here in the USA.

Even if this all is perfectly legal, now and in the future, I never would expose my computer to such a thing. I guess I will not be buying music from Sony anymore, at least not on CD.




Even More About Sony's Rootkit

News certainly happens fast sometimes. In between the time I first heard of this Sony rootkit and the time I finished writing about it, the story exploded around the web. Sony appears to have been caught flat-footed by the sudden, highly-negative publicity.

One aspect of this rootkit, which I didn't mention in my first article, is that it allows someone to hide any file or memory process on the system. All you have to do is add a certain word to the beginning of the file's name and you'll never see it again (without a rootkit detector anyway). Some people speculated that this situation could be put to nefarious use.

I did not mention this in the earlier piece because it was unlikely to be of much danger. A malware creator would be relying on dumb luck to protect his software. What I didn't consider was a person buying a Sony CD with the intention of using the rootkit for his own, less-than-honorable intentions.

Well, that is exactly what has happened. In another part of this same newsletter, I mention the controversy surrounding World of Warcraft's Warden anti-cheat program. That is a program which searches a computer's memory for evidence of a program used to cheat at the game. After word of Sony's rootkit made the news, some of these cheating programs were altered to take advantage of it.

The method couldn't be simpler. If you want to circumvent the program looking for a cheat, you simply go out and purchase a Sony music CD. You put the CD into your computer and let it install the rootkit. Then all you have to do is rename your cheating program so that the rootkit will hide it. WoW's Warden program will never know it is there.

Great work Sony. I'm sure World of Warcraft players will be thanking you after their favorite servers are overwhelmed by cheaters.

Realizing that they have done something wrong and that they have been caught doing it, the geniuses at Sony have decided to provide an uninstaller for their rootkit. It won't remove the copy protection software but it will stop hiding it.

For more news of this

http://www.digitoday.fi/showPage.php?page_id=14&news_id=49861
It did not work in 64 bit Windows Xp

http://www.europe.f-secure.com/v-descs/xcp_drm.shtml

It will cause instability in Windows Vista
Removing without sony help, windows will lose DVD or CD drive.

But this will tell that is installing some software your computer, even It wont tell what kind software excatly. Some other Music CD install copyprotection without telling or asking.

According to F-Secure in Digitoday two different company Rootkit protection will crash system. Windows cant handle two different driverlevel working rootkit.
http://www.digitoday.fi/showPage.php?page_id=14&news_id=49861 Finnish Article
http://www.f-secure.com/weblog/#00000696 English Blog from F-secure

http://www.amazon.com/gp/product/customer-reviews/B00092ZM02/ref=cm_cr_dp_2_1/103-0652833-3812611?%5Fencoding=UTF8&s=music Complains on Amazon com

Maybe EMI and Universal use samekind system

However it may be that the issue is spread wider than Sony. Hyppönen mentioned 'some DRM systems' when reporting the issue in the F-Secure blog. 'We're hearing rumours from Sony that Universal is using the same system on some of their audio CDs,' he said. There have also been reports that EMI use technology. Sony has been the only publisher to date to use the DRM code commercially, while with the other labels it may be limited to pre-release material, which at least limits the scale of the problem.


http://www.pcpro.co.uk/news/79474/sony-rootkit-drm-to-spark-copycat-viruses.html

Why earth those copy-protection temper drivelevel things. Anybody remeber these types protection in Games. Many peoples complain that certain copyprotection prevent USB devices to working or affect IDE and RAID drivers.

So Is Dual Disc safe to buy. Does it have same kind malicious softwares. Do I have to watch closely what CD's to buy and what not :huh: . After those Game protections I stopped to buying certain copyprotected games :shocked: .

...this is why I disabled Auto-Run.

It's simple. If Sony lowered the price of games to like £10, there would be much less piracy.

If there was less piracy they wouldn't need to put these stupid things on the CD.

If there was less piracy they wouldn't need to put these stupid things on the CD.
Do you really think that those stupid things will prevent piracy. Actually those are only stopped peoples buying orginal Audio-CD's. Those make listening Audio-cd's difficult and danger computers. They need only one copy without copyprotection in Peer To Peer network and that's it. Usually those copies are PROMOS which don't have any kind protection.

Many Audio-CD's that broke Audio-CD standard (Audio-CD standard wont allow any kind copyprotection) will not play in PC, Consoles, DVD-players, portable CD players, car stereos etc...

I have buyed hundreds and hundreds audio-cd's and I don't like make copies to make those work every players I have. Usually buying Cd which says Copyprotection means that I have to by empty cd-r too. then I make copy without copyprotection (It take about 5 minutes). Nowdays it is illegal to do that. Now I have two choices buy it from some other country that won't allow copyprotection or buy DVD-audio(Which wont play portable or car stereo)/Dual Disc (May have same copyprotection in Cd side and DVD side have same problems than DVD-audio).

Is there really any copyprotection that work, This Sony's new Rootkit DRM cause problems and wont prevent ripping music to MP3's.

Sometimes I wonder do music companies want to kill CD-standard or are they shooting their own leg.

All they would need to do is lower the price of a cd, and considerably many would prefer to buy a real cd than download. Everyone would be happy, but instead we have these ridiculous problems.

All they would need to do is lower the price of a cd, and considerably many would prefer to buy a real cd than download. Everyone would be happy, but instead we have these ridiculous problems.

Yup, well said.

All they would need to do is lower the price of a cd, and considerably many would prefer to buy a real cd than download. Everyone would be happy, but instead we have these ridiculous problems.

I fear that there is always some peoples that want everything as free. But i think many willa buy their music.

There is already advices in some forums how hide your cheats with sonys rootkit from anticheats softwares. Many peoples in Europe try buy those Sony CD with rootkit to use cheats online games. Thanks SONY, we can now forget online games for a while.
Source Spiegel Online and DigiToday (Fin) (http://www.digitoday.fi/showPage.php?page_id=14&news_id=49885)

http://mikropc.net/uutiset/index.jsp#w200511062320528565

It seems that coder have no experiece from coding windows drivers

According to Winternals Software's Mark Russinovich. Sony's new updated version of copyprotection has programming error that could crash Windows.

http://mikropc.net/uutiset/index.jsp#w200511062320528565

It seems that coder have no experiece from coding windows drivers

According to Winternals Software's Mark Russinovich. Sony's new updated version of copyprotection has programming error that could crash Windows.

That is interesting.

Some Finnish tested and made rootkit that prevent you stopping song. If you push play button only way stop it, is powerbutton off.

I found text that tell how use Sony rootkit in World Of Warcraft hacking/Cheating. Anyone want link

There are now reported cases in Blue Screen Of Death caused by rootkit system.

Funniest thing Rootkit/Drm have call home system :( But is that a new. I know several Screen Savers from music companies that are caught by my Firewall. Why on earth Screen Savers try to go internet to music company IP' number,.

More to come
Finnish magazine Tietokone
http://www.tietokone.fi/uutta/uutinen.asp?news_id=25211

According to Computer Associates
Sony's nice little rootkit will
- Add random noises to ALL mp3 files (Not only illegal but legal files too)
- Send information like user IP and all played cd's to internet
- Make itself as Default player

DRM have two list of programs (Maybe blacklists) Matti Nikki found those in files that rootkit has created.
http://hack.fi/~muzzy/sony-drm-magic-list-2.txt
http://hack.fi/~muzzy/sony-drm-magic-list.txt

There is new Virus that uses SonyBMG rookit system
http://www.f-secure.com/v-descs/breplibot_b.shtml

Blog From F-secure
http://www.f-secure.com/weblog/

Thursday, November 10, 2005
Bot trying to hide under Sony DRM Posted by Mika @ 14:02 GMT

--------------------------------------------------------------------------------



We wouldn't like to say "we told you so" but unfortunately this is one of those times you just have to do it.

We have just analyzed the first malware (Breplibot.b) that is trying to hide on machines that have Sony DRM software installed.

Luckily, however, the bot has a design flaw. If the Sony DRM software is in the system before the infection, the bot will not run at all. Moreover, the bot cannot survive a reboot because of a programming error. In any case, this is a very good example of why software should not use rootkit techniques.



More Information from Mark's Sysinternals Blog
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html


Should I stop buying SonyBMG cd's (After Shakiras new offcourse). This is not what I want when I BUY my cd's LEGALLY. If you buy CD you get htese problems. If you Steal music from internet, you are safe. Is that what SonyBMG want.

Sony BMG suspends copy-protection software
By Paul Taylor in New York
Published: November 11 2005 20:31 | Last updated: November 11 2005 20:31

Sony BMG, the joint venture record label, was on Friday forced into an embarrassing climbdown over its use of copy-protection technology on music CDs that exposed some PC users to hackers.

The company said it would “temporarily suspend” use of the controversial software and apologised to PC users for “possible inconvenience” it may have caused.

The turnaround came after several PC security firms identified a “Trojan“ e-mail virus designed to exploit software that some of Sony BMG's music CDs install on their owners' computers when played.

The copy protection software dubbed “XCP“ developed by UK-based First4Internet, limits the number of copies that can be made from the original CD. It is designed to deter “casual piracy“ - typically, friends copying each other's music CDs.

Sony BMG, whose recording stars include Celine Dion, Mariah Carey and Destiny's Child, is believed to have installed XCP on millions of CDs since it began using the software earlier this year.

On Friday, Sony BMG, which faces a number of lawsuits in the US related to the use of the software, acknowledged for the first time that it could render PC users vulnerable to attack.

“We are aware that a computer virus is circulating that may affect computers with XCP content protection software,” the company said, adding that the software has been included on a limited number of Sony BMG titles, but emphasising, “This potential problem has no effect on the use of these discs in conventional, non-computer-based, CD and DVD players.”

In response to the virus attacks, the company said it had provided a software “patch“ to all major anti-virus companies and to the general public. The patch protects PC users against the virus, identified by Kaspersky, the Russian PC security firm and by UK-based Sophos.

“We deeply regret any possible inconvenience this may cause,” Sony BMG said, adding that it stood by its content-protection technology as “an important tool to protect our intellectual property rights and those of our artists“. The company said: “Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use.”

Sony BMG has still not identified which of its music CDs contain the software. Earlier this week, however, the Electronic Frontier Foundation, a US-based consumer advocacy group, identified at least 19 Sony BMG music CDs that the group claims install the software when played on a PC.

Critics, including the EFF, claim the software also slows down PCs and makes them more susceptible to crashes and third-party attacks. “Since the program is designed to hide itself, users may have trouble diagnosing the problem,” the EFF said.

http://news.ft.com/cms/s/018223e4-52f0-11da-8d05-0000779e2340.html

They have no choice because that rootkit is only working on Microsoft windows and Microsoft are removing SonyBMG Rootkit
http://www.theinquirer.net/?article=27649

There according to First 4 internet are about 30 albums that uses XCP
http://www.digitoday.fi/tekijanoikeus/
They used to google Cache to get read that article
http://www.google.fi/search?hl=fi&q=sterile+burning+technology+has+been+used+on+over +30+&meta=

Sony Music have sunk even lower now..:rolleyes: :scowl:

I'm sure glad I didn't buy Celine's album from the US just yet (there's only 'copy-protection' on the US version of her CD, not on the European..fortunately)..:smirk:

Hope it will be dealt with soon.

Now read this....

Now the Legalese Rootkit: Sony-BMG's EULA (http://www.eff.org/deeplinks/archives/004145.php)

Now this

Sony have SunnComm Technolog MediaMax protection

Which isntall 12 MB stuff to you computer before You Accept or decline that License of Agreement. There are Kernel Level Driver among those files.

http://www.freedom-to-tinker.com/?p=925

If this Article is true (Please, Tell me It is not true) SonyBMG have make all mistakes than can make. Removal tool is BIG security hole

http://blogs.washingtonpost.com/securityfix/2005/11/sony_uninstall_.html

The Sony Web page where users can download the removal patch installs a program that remains on the user's PC even after removal tool has done its job, Felten said. And because of the way the tool is configured, he said, it allows any Web page that the user subsequently visits to download, install and run any code that it likes.

I was speechless when I read this news, and had roughly the same thoughts as Felten expressed in his blog: "That’s about as serious as a security flaw can get."

From tgdaily

Sony BMG issues recall order for XCP-endowed CDs

Los Angeles (CA) - Late yesterday, music publisher Sony BMG issued a statement saying it has launched a customer exchange initiative, which effectively recalls all of its CDs that include the XCP copy protection system

http://www.tgdaily.com/2005/11/16/sony_bmg_issues_xcp_recall/index.html

From F-secure

The Sony DRM case seems to be getting more and more twisted. Our readers might be wondering what the actual risks are at this point and what they should be doing about them. Here's a short recap.

If you have the Sony DRM with the rootkit (aries.sys) still active, you should consider getting the update to remove the rootkit. Do this by using the standalone executable available here. There are already several malware variants that try to hide with the help of the Sony DRM cloaking.

After this you're left with the rest of the Sony DRM software, which might be vulnerable to local privilege escalation attacks reported by ISS X-Force. To remove the DRM software entirely, you will have to wait for Sony to fix their uninstaller and carefully consider using the new version once it's released.

If you have already used the ActiveX uninstaller that was available until Sony stopped distributing it, you are vulnerable to a remote code execution attack. You should remove the vulnerable ActiveX component. If you want, set a kill-bit for it (the CLSID is {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}) just to be sure.


http://www.f-secure.com/weblog/

That is great news.

Yep

No need to fear any more. Only fear that they try it again. I Just check most of those Cd's/DVD's I have buyed this year is SonyBMG or some division of SonyBMG. I didn't stop buying when I read those articles from Rootkit. I just ordered several Cd's from CDon and all but one those belongs to Sony. I know several peoples that start boycott Sony.

I don't put artist pay what music companies do. I think that most of artist won't even realize what this Rootkit was or what it did. They should be Computer geeks to understand those this. Offcourse artist are worried about illegal copying, so am I. More peoples do illegal copying, more we who buy must pay in prices of CD, DVD etc.

Many peoples won't realise that PC or console is coming for home-entariment center. If disc won't work in device, why to buy disc. If disc need additonal softare to played it is worhtless. Nobody want additonal player-programs or progress to memory to use memory and CPU time (Or causing instability).

Now we wait will Sony continue using Mediamax, Cactus Data Shield or Key2CD and what do Universal.

These were posted on the cdfreaks forum.

On closer inspection of Sony's Audio XCP rootkit it has been found that it infringes copyright. From the inspection it has been found that the LAME Encoder code has been used in the XCP rootkit which is licenced under the Lesser General Public Licence (LGPL). The LGPL licence means that those that change or add things to the code MUST publish some of the code they write so that other people can see the changes made.

Sony has definetly not done this, and this constitutes a breach of the LGPL licence. Sony likes to tell consumers and the media alike that they need to protect their work from infringers and copyright theives. When it comes to other peoples work that is done for free it doesnt really matter as it seems the XCP rootkit has clearly violated LAME's licence.

Close examination of the rootkit that Sony's audio CDs attack their customers PCs with has revealed that their malicious software is built on code that infringes on copyright. Indications are that Sony has included the LAME music encoder, which is licensed under the Lesser General Public License (LGPL), which requires that those who use it attribute the original software and publish some of the code they write to use the library.

Sony has done none of this. The evidence against Sony is compelling, and this further reveals the hypocrisy of Sony's actions. Sony claims that it needs to install dangerous, malicious, underhanded software on its customers computers to protect its copyrights, but in order to write this malware, it has no compunction about infringing on the copyrights of public-spirited software authors who make their works available under free software licenses like the GPL.

From that Sony can blame First4Internet. Sony buy product from F4I.That company made that software and all copyright issues that code contains.

They say that there is even code from VCL project too

Texas sues Sony BMG over anti-piracy software
Music company also faces lawsuit from Calif.-based digital rights group

AUSTIN, Texas - Sony BMG Music Entertainment’s troubles over anti-piracy technology on music CDs deepened Monday as Texas’ attorney general and a California-based digital rights group said they were suing the music company under new state anti-spyware laws.

The Texas lawsuit said the so-called XCP technology that Sony BMG had quietly included on more than 50 CD titles leaves computers vulnerable to hackers. Sony BMG had added the technology to restrict to three the number of times a single disc could be copied, but agreed to recall the discs last week after a storm of criticism.

The Electronic Frontier Foundation said Sony BMG needs to further publicize the recall and compensate consumers for costs associated with removing the software, an onerous process. It filed its suit Monday evening in California Superior Court in Los Angeles.

When XCP-enabled discs are loaded into a computer — a necessary step for transferring music to Apple Computer Inc.’s iPods and other portable music players — the CD installs a program that restricts copying and makes it extremely inconvenient to transfer songs into the format used by iPods. Critics say consumers aren’t adequately told what the program actually does.

Security researchers say XCP is spyware because it secretly transmits details about what music the PC is playing. Manual attempts to remove the software, which works only on Windows PCs, can disable the PC’s optical drive.

Texas Attorney General Greg Abbott accused Sony BMG of surreptitiously installing spyware because XCP masks files that it installs. This “cloaking” component can leave computers vulnerable to viruses and other security problems, Abbott said, echoing the findings of computer security researchers.

“People buy these CDs to listen to music,” Abbott said. “What they don’t bargain for is the computer invasion that is unleashed by Sony BMG.”

Sony executives have rejected the description of their technology as spyware. Officials for the New York-based label would not comment Monday, saying the company does not discuss pending litigation.

The Texas spyware law allows the state to recover damages of up to $100,000 in damages for each violation. Abbott said there were thousands of violations, and that any money would go to the state.

The California law under which the EFF sued bans collecting personally identifiable information through deceptive means and lets consumers can sue for damages.
The EFF also invoked state laws on consumer protection and unfair business practices.
Cindy Cohn, the EFF’s legal director, said Sony BMG should announce the recall using the same marketing tactics they had used to sell CDs, including advertising and radio promotions.

“Just putting a little something up on their Web site I don’t think is sufficient,” she said.

The EFF complaint also covered another anti-piracy technology that Sony BMG has used, MediaMax from SunnComm Technologies Inc., which was introduced first in markets outside the United States. SunnComm was not named in the lawsuit.

The EFF said it also would seek better disclosure about both technologies used by Sony BMG and an end to what it considered “outrageous, anti-consumer” licensing terms over which CD buyers have little choice.

Sony BMG’s Web site offers information on the XCP technology, the CDs that use it and ways consumers can mail them back, postage-free, for a replacement.

Sony BMG initially rejected the uproar over XCP as technobabble. But after security experts discovered that XCP opened gaping security holes in users’ computers — as did the method Sony BMG offered for removing XCP — Sony BMG agreed last week to recall the discs.
Some 4.7 million had been made and 2.1 million sold. CDs that had XCP included releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.

© 2005 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

http://msnbc.msn.com/id/10141840/

Oh no

Peoples smell money. I seriously hope there is no need to SonyBMG pay so much like 100,000 for every violation (About 2 million selled CD's, how many in Texas).

Sony is big corporation. There are many employees who have nothing to do with RootKit. There is coming not so happy Christmas in many families. If Sony have to pay much money, they will fire many employees and that is not good.

Seriously, I don't know which is worst
Sony's Rootkit or peoples who try make money for it (or try justify P2P downloads for rootkit).

*Going back listen Shakira's Fijication Oral Vol 1 DualDisc.*
And Heaven is LaPared - Version Aqoustica :D

Funniest thing

Now there is technigue to defeat XCP. All you need is opaque tape and PC will read XCP CD like normal audio CD.

Note there should no to be any XCP cd's in stores. So this advice won't help anybody.

When they learn, there is no Copy Protectiong that will prevent copying.

New Sony CD security risk found
Sony BMG Music Entertainment and the Electronic Frontier Foundation digital rights group jointly announced Tuesday that they had found, and fixed, a new computer security risk associated with some of the record label's CDs.
The danger is associated with copy-protection software included on some Sony discs created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer's CD drive.


The issue affects a different set of CDs than the ones involved in the copy-protection gaffe that led Sony to recall 4.7 million CDs last month, and which has triggered several lawsuits against the record label.

"We're pleased that Sony BMG responded quickly and responsibly when we drew their attention to this security problem," EFF staff attorney Kurt Opsahl said in a statement. "Consumers should take immediate steps to protect their computers."

The announcement is the latest result of the detailed scrutiny applied by the technical community to Sony's copy-protected discs, after a string of serious security issues were found to be associated with the label's antipiracy efforts.

The record label's copy-protected discs have been on the market for more than eight months. But in late October, blogger Mark Russinovich discovered that they surreptitiously installed a "rootkit" programming tool. Rootkit tools are typically used by hackers to hide viruses on hard drives, so Sony's move opened up a potentially serious security hole.

The controversy escalated as other researchers discovered new security flaws associated with the copy-protected CDs, which used technology from British company First 4 Internet. Virus writers began distributing malicious code that took advantage of the holes. The label recalled all the discs with the First 4 Internet technology installed, offering an exchange program for consumers who had purchased any of the 52 CDs affected.

Following those revelations, the EFF asked computer security company iSec Partners to study the SunnComm copy protection technology, which Sony said has been distributed with 27 of its CDs in the United States. iSec found the hole announced Tuesday and notified Sony, but news of the risk was not released until SunnComm had created a patch.

Sony said another security company, NGS Software, has tested the patch and certified that it addresses the vulnerability.

The patch can be downloaded from Sony's site. A list of the CDs affected in the United States, and a slightly different list in Canada, is also posted on the site.

Sony said it will notify customers though a banner advertisement directly in the SunnComm software, as well as through an Internet advertising campaign.
http://news.com.com/New+Sony+CD+security+risk+found/2100-1002_3-5984764.html