3 September 2007
Electronics giant Sony has confirmed a recently discovered security flaw
in some of its products that could leave PCs vulnerable to attack by
The firm said that the fault, which affected software packaged with
memory sticks, was developed by a third party.
Sony said it was conducting an internal investigation into the problem
and would offer a fix "by mid-September".
The vulnerability, found by security firm F-Secure, was similar to one
found on CDs sold by Sony BMG in 2005.
That led to the discs being recalled and several lawsuits against the
A Sony spokesperson said of the latest vulnerability: "While relatively
small numbers of these models were sold, we are taking the matter
seriously and conducting an internal investigation. No customers have
reported problems related to the situation to date."
The flaw affects three models of Sony's MicroVault USB sticks with
Although the spokesperson said that the models have now been
discontinued, they are still available to purchase through several
The flaw was in software that came bundled with the USB devices. The
program used virus-like techniques to create a hidden directory on a
computer's hard drive.
Researchers at F-Secure said that a hacker could then infect a computer,
as any files stored in the hidden directory would be invisible to the
user and also to some virus scanners and security software.
"The apparent intent was to cloak sensitive files related to the
fingerprint verification feature included on the USB drives," said
researchers at security firm McAfee, who also investigated the flaw.
"However, in this case the authors apparently did not keep the security
implications in mind."
Researchers at both F-Secure and McAfee expressed surprise at the flaw,
as Sony has faced similar problems in the past.
In 2005, Sony BMG sold CDs bundled with XCP digital-rights management
(DRM) software, installed as an anti-piracy measure. It also left
machines open to exploit by malicious programmers and computer virus
In addition, researchers found vulnerabilities in another program, known
as MediaMax, used by the firm on other CDs. In all, millions of discs
sold in North America were thought to have been sold that used the
However, security researchers said that the latest flaw was not as serious.
"In a nutshell, the USB case is not as bad as the XCP DRM case," said a
blog entry on the F-Secure website.
As well as differences in how the software was installed and operated,
the researchers said there was a legitimate case for having the software
on the USB sticks.
"Sony is attempting to protect the user's own data. In the DRM case,
Sony was attempting to restrict you - the user - from accessing the
music on the CD you bought.
"So their intent was more beneficial to the consumer in this case."
F-Secure is assisting Sony with their investigation.
The Sony spokesperson said: "While the software at issue was
developed by a third-party vendor in conjunction with our outsourced
device manufacturer, as a precaution and to alleviate any potential
concerns, we will be issuing a downloadable software to address the
situation by mid-September."