Copy protection software causes controversy

Sony has recently promoted CD protection schemes, which most viewed as relatively benign technology—that is, until a security researcher recently discovered that the protection involves planting a rootkit on computers, which some are saying is equivalent to spyware. Get the details in this edition of the IT Locksmith, and get the best of the rest of recent security news.

Is SonyBMG spreading spyware? The revelation that the media giant's surreptitious inclusion of copy protection on CDs has stirred up quite a debate. Meanwhile, Redmond gets a rest this week as the spotlight shines on serious vulnerabilities that have surfaced for Cisco IOS, Macromedia Flash Player, and Apple's QuickTime.


Sony has recently promoted CD protection schemes that allow vendors to limit the number of times someone can play a CD. Until recently, most viewed this as a relatively benign technology.

However, security software author Mark Russinovich was recently testing some of his Sysinternals freeware programs and encountered some disturbing results. After considerable work, he discovered that the SonyBMG-produced CD he recently purchased on restricted access by planting a rootkit on his computer.

While cynics out there might be suspicious that Russinovich manufactured the story to promote his RootkitRevealer, SonyBMG has acknowledged that the rootkit code does exist. However, the company has published information on its Web page that explains how to remove what some people are referring to as spyware. Since you need to register with SonyBMG to view the page, I wasn't able to determine how readily available the fix is or how easy it is to remove.

Russinovich's blog contains reports from several people who—like myself—were unable to locate any clue in the end-user license agreement that playing the music CD would plant code on computers, which turns out to be extremely difficult to remove. Although the SonyBMG software is probably harmless, the mere fact of its presence is certain to spark more complaints about digital rights management tools and spur more P2P file sharing.

At the minimum, no security specialist wants any—any!—surprise rootkit code installed on servers or workstations he or she is responsible for. Even if it is completely harmless (and there's no way to know that for certain), its mere presence can trigger security warnings. In addition, it can take a lot of work to determine what is there, not to mention figuring out how to remove it without disabling your optical drive completely.

By the way, I am not recommending the Sysinternals freeware security tools simply because I am not sufficiently familiar with them. However, Russinovich has written for Microsoft, including an article about rootkits in the June issue of Windows IT Pro Magazine, so his software is legitimate and certainly worth checking out to see if you should add it to your arsenal.

New threats

FrSIRT has reported a critical vulnerability in the Cisco IOS that can allow either a remote or local attacker to compromise the system by executing arbitrary code or—at the minimum—trigger a denial of service event. Related to the infamous exploit disclosed at July's Black Hat security conference, this vulnerability affects Cisco IOS versions 12.0 through 12.4.

To protect against this vulnerability, update to the latest release of the appropriate version. For more information, see Cisco Security Advisory: IOS Heap-based Overflow Vulnerability in System Timers. Note that some of the updates won't be available until later this month.

In addition, eEye Digital Security has identified a critical vulnerability that involves a remotely exploitable arbitrary command execution threat in Macromedia Flash Player versions and earlier. Macromedia has confirmed the vulnerability. To close this hole, upgrade to the current version of Flash Player 8 (; if you want to stay with version 7, upgrade to or

Meanwhile, Apple QuickTime versions prior to 7.0.3 for both Windows and OS X platforms contain a critical remote code execution and denial of service threat due to two integer overflow vulnerabilities: A flaw in NULL pointer dereference code and a memory corruption error when dealing with compressed PICT image files. Apple recommends immediately upgrading to QuickTime version 7.0.3.

Final word

Only last week, I pointed out the difficulty of developing strict definitions for relatively new security terms, and I mentioned how this could negatively affect the creation of strong, enforceable laws related to high-tech threats. In those seven days, a real-world example has cropped up that further highlights my point.

London's Wimbledon Magistrates Court recently ruled that a teenager accused of sending five million e-mails to an ex-employer with the probable aim of crashing the company's e-mail server—which it did—had not violated the United Kingdom's 1990 Computer Misuse Act (CMA)—even if he actually did it and it was his intent. The defendant's attorney argued that, since the purpose of an e-mail server is to process e-mail, simply flooding it with an excessive number of messages doesn't constitute a crime.

While similar problems have arisen in the prosecution of other cases in other countries, this is a serious blow to British prosecutors and security specialists alike. That's because there was never any adjudication of whether the actual attack took place or caused any damage—the court ruled that an e-mail flood denial of service attack simply isn't illegal in the first place.

While the CMA explicitly outlaws unauthorized access or unauthorized modification of electronic data, it does not address some very common and easy to implement attacks. Of course, the problem is that much has changed since 1990.

In an attempt to avoid having to prove actual damages, many computer-related laws instead make specific activities illegal. However, that means you must update the legal language almost monthly to keep up with all the possible new attack vectors to keep the law current.

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks

Free Newsletters, In your Inbox