Piling On [5:21 pm]
The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony’s suggested method for removing the program actually widens the security hole the original software created, researchers say.
[...] “This is a surprisingly bad design from a security standpoint,” said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. “It endangers users in several ways.”
[...] To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, that helper program leaves the PC open to downloading and installing code from the Internet.
According to the Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.
“The consequences of the flaw are severe,” Felten and Halderman wrote in a blog posting Tuesday. “It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.”
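The flaw described above, modelled as an added example (not code from Sony, First 4 Internet or the Princeton researchers): a privileged "update helper" that fetches and installs code on behalf of a web page, first with the missing origin check, then with the check a defender would expect. Host names, payloads and the pinned digest are constructed placeholders, and the simulated fetch stands in for a real download.

```python
"""Model of a privileged browser 'update helper' that installs code fetched from the web."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed vendor allowlist; stands in for whichever hosts the vendor actually serves from.
TRUSTED_HOSTS = {"updates.example-vendor.test"}

# Constructed stand-ins for content the helper would download (no network access needed).
FAKE_WEB = {
    "https://updates.example-vendor.test/uninstall.bin": b"vendor uninstaller bytes",
    "http://evil.example.test/payload.bin": b"anything at all",
}

# Assumed design: the vendor publishes the expected digest alongside the download instructions.
PINNED_SHA256 = hashlib.sha256(
    FAKE_WEB["https://updates.example-vendor.test/uninstall.bin"]
).hexdigest()


def weak_helper(page_origin: str, code_url: str) -> bool:
    """The flaw as reported: any page may hand the helper any URL and whatever comes back is run.

    The caller's origin is never consulted, so the parameter is deliberately unused.
    """
    return code_url in FAKE_WEB  # fetched means installed; no origin or integrity check


def hardened_helper(page_origin: str, code_url: str, expected_sha256: str) -> bool:
    """Install only when the calling page, the download URL and the bytes all check out.

    1. The invoking page must be served over https from an allowlisted vendor host.
    2. The code URL must also be https and on an allowlisted vendor host.
    3. The downloaded bytes must match the digest the vendor published out of band.
    A production design would verify a publisher signature instead of a pinned hash.
    """
    origin = urlsplit(page_origin)
    target = urlsplit(code_url)
    if origin.scheme != "https" or origin.hostname not in TRUSTED_HOSTS:
        return False  # an arbitrary web page may not drive the installer
    if target.scheme != "https" or target.hostname not in TRUSTED_HOSTS:
        return False  # code is only ever fetched from the vendor
    payload = FAKE_WEB.get(code_url)
    if payload is None:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)
```

Run the two helpers with the same untrusted page and URL to see that the weak version installs anything while the hardened one refuses unless the caller, the source and the payload digest are all the vendor's.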