Sony the DRM chameleon

Poor old Sony, it just can’t seem to shake its digital rights management woes.

Unless you’ve recently become a hermit, you can’t have missed the controversy that surrounded Sony’s use of rootkit technology to disguise copy protection software on users’ PCs, exposing them to a serious security risk in the process.

The scale of the PR disaster for Sony can be measured by the fact that it was one of the few “technology” controversies that created waves in the mainstream press.

Now Sony has revealed that a different type of copy protection software used on its CDs poses a security risk.

This time the danger comes from MediaMax 5, DRM software created by SunnComm Technologies, which has been distributed on 27 different Sony BMG CDs in the US. The flaw could allow a hacker to use a privilege escalation attack to take control of a vulnerable computer.

The flaw was revealed after digital rights group the Electronic Frontier Foundation (EFF) asked security company iSEC to look at the SunnComm software. This is the kind of technical scrutiny that Sony is going to have to get used to - trust and Sony are two words that don’t fit easily together right now.

Whilst Sony bungled its response to the First4Internet rootkit fiasco – and I’m being generous here – its handling of the current DRM problem suggests it has at least taken some of the lessons on board, in public anyway.

By waving the white flag with the EFF in attendance, the media giant is trying to make out it is a changed beast. Sony says it has also got security company NGS Software to certify that the patch addresses the vulnerability, and that it plans an advertising campaign to notify customers.

But has Sony’s attitude really changed? By all accounts the SunnComm MediaMax software is still a nasty piece of work, with or without the security vulnerability.

According to the EFF, other causes for concern are “undisclosed communications with servers Sony controls whenever a consumer plays a MediaMax CD; undisclosed installation of over 18 MB of software regardless of whether the user agrees to the End User License Agreement; and failure to include an uninstaller with the CD”.

Perhaps a more apt analogy to describe Sony might be that of a chameleon. Whilst the company's outward appearance might change, underneath it is still the same creature.

UPDATE - 8/12/05 - More bad news for Sony as it has now emerged that the patch issued for the SunnComm DRM flaw introduces its own vulnerabilities.