Is SonyBMG spreading spyware? The revelation that the media
giant’s surreptitious inclusion of copy protection on CDs has stirred up quite
a debate. Meanwhile, Redmond gets a rest this week as the spotlight shines on
serious vulnerabilities that have surfaced for Cisco IOS, Macromedia Flash
Player, and Apple’s QuickTime.

Details

Sony has recently promoted CD protection schemes that allow
vendors to limit the number of times someone can play a CD. Until recently, most
viewed this as a relatively benign technology.

However, security software author Mark Russinovich was
recently testing some of his Sysinternals freeware programs and encountered some
disturbing results
. After considerable work, he discovered that the
SonyBMG-produced CD he recently purchased on Amazon.com restricted access by
planting a rootkit on his computer
.

While cynics out there might be suspicious that Russinovich
manufactured the story to promote his RootkitRevealer,
SonyBMG has acknowledged that the rootkit code does exist. However, the company
has published information on its Web page that explains how to remove what some people
are referring to as spyware
. Since you need to register with SonyBMG to view
the page
, I wasn’t able to determine how readily available the fix is or
how easy it is to remove.

Russinovich’s
blog
contains reports from several people who—like myself—were unable to
locate any clue in the end-user license agreement that playing the music CD
would plant code on computers, which turns out to be extremely difficult to
remove. Although the SonyBMG software is probably harmless, the mere fact of
its presence is certain to spark more complaints about digital rights
management tools and spur more P2P file sharing.

At the minimum, no security specialist wants any—any!—surprise rootkit code installed on
servers or workstations he or she is responsible for. Even if it is completely
harmless (and there’s no way to know that for certain), its mere presence can
trigger security warnings. In addition, it can take a lot of work to determine
what is there, not to mention figuring out how to remove it without disabling
your optical drive completely.

By the way, I am not recommending the Sysinternals freeware
security tools simply because I am not sufficiently familiar with them.
However, Russinovich has written for Microsoft, including an
article about rootkits
in the June issue of Windows IT Pro Magazine, so his
software is legitimate and certainly worth checking out to see if you should
add it to your arsenal.

New threats

FrSIRT has reported a critical
vulnerability in the Cisco IOS
that can allow either a remote or local
attacker to compromise
the system by executing arbitrary code
or—at the minimum—trigger a denial
of service event. Related to the infamous exploit disclosed at July’s
Black Hat security conference
, this vulnerability affects Cisco IOS versions
12.0 through 12.4.

To protect against this vulnerability, update to the latest
release of the appropriate version. For more information, see Cisco
Security Advisory: IOS Heap-based Overflow Vulnerability in System Timers
. Note
that some of the updates won’t be available until later this month.

In addition, eEye Digital Security has identified a critical
vulnerability that involves a remotely exploitable arbitrary command execution
threat in Macromedia Flash Player versions 7.0.19.0 and earlier. Macromedia has
confirmed
the vulnerability
. To close this hole, upgrade
to the current version
of Flash Player 8 (8.0.22.0); if you want to stay
with version 7, upgrade
to 7.0.60.0 or 7.0.61.0
.

Meanwhile, Apple QuickTime versions prior to 7.0.3 for both
Windows and OS X platforms contain a critical remote code execution and denial
of service threat due to two integer overflow vulnerabilities: A flaw in NULL
pointer dereference code and a memory corruption error when dealing with
compressed PICT image files. Apple recommends
immediately upgrading to QuickTime version 7.0.3
.

Final word

Only last week, I pointed out the difficulty of
developing strict definitions for relatively new security terms
, and I
mentioned how this could negatively affect the creation of strong, enforceable
laws related to high-tech threats. In those seven days, a real-world example
has cropped up that further highlights my point.

London’s Wimbledon Magistrates Court recently ruled that a
teenager accused of sending five million e-mails to an ex-employer with the
probable aim of crashing the company’s e-mail server—which it did—had not violated the United
Kingdom’s 1990 Computer Misuse Act (CMA)
—even if he actually did it and it
was his intent. The defendant’s attorney argued that, since the purpose of an
e-mail server is to process e-mail, simply flooding it with an excessive number
of messages doesn’t constitute a crime.

While similar problems have arisen in the prosecution of
other cases in other countries, this is a serious blow to British prosecutors
and security specialists alike. That’s because there was never any adjudication
of whether the actual attack took place or caused any damage—the court ruled
that an e-mail flood denial of service attack simply isn’t illegal in the first
place.

While the CMA explicitly outlaws unauthorized access or
unauthorized modification of electronic data, it does not address some very
common and easy to implement attacks. Of course, the problem is that much has
changed since 1990.

In an attempt to avoid having to prove actual damages, many
computer-related laws instead make specific activities illegal. However, that
means you must update the legal language almost monthly to keep up with all the
possible new attack vectors to keep the law current.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter
, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.