By John Borland
Staff Writer, CNET News.com
December 8, 2005

Sony BMG is replacing a patch for its CD copy protection software
after Princeton University researchers found a security flaw in the

Sony announced on Tuesday that a new risk had been found with a batch
of 27 of its compact discs, which automatically install antipiracy
software on hard drives when put into a computer's disc drive. Along
with the Electronic Frontier Foundation, a digital rights group, the
record label released a patch aimed at fixing that flaw.

However, Princeton computer science professor Ed Felten wrote in his
blog on Wednesday that the patch itself could open computers to attack

Sony executives said Thursday that they are working as closely as
possible with security professionals to address the issues identified
by Felten, and would have a new patch available by midday that day.

"The security space is a dynamic one, as we have learned," said Thomas
Hesse, president of Sony's global digital businesses. "Our goal is to
be diligent and swift, and we have gone to experts to handle this

Sony's ongoing troubles with copy protection software highlight the
delicate line that record labels and other content companies are
walking in trying to protect their products from widespread

On the one hand, labels have watched their revenues decrease over the
past several years, as more people swap songs online and burn CDs for
friends and acquaintances.

However, the labels' technological attempts to create a copy-protected
CD that retains compatibility with millions of old CD players have
opened them up to the unfamiliar hazards of software development.

Several of Sony's attempts to patch security holes in its antipiracy
software over the past weeks have turned out to raise their own new
problems, instead of quelling concerns.

The current security flaw in Sony's discs is related to software
produced by SunnComm Technologies and affects 27 titles that remain on

It's separate from an earlier vulnerability that affected 52 other
titles and that related to antipiracy software written by another
company, First 4 Internet. Those titles have been recalled from store

The flaw found by Felten could allow Sony's original patch to trigger
malicious software on a computer, if that software was already in
place when the patch was installed.