Sony BMG Pulling Controversial DRM
Following a week of consumer pressure, Sony BMG is backing away from its controversial CD copy-protection software, which installs a rootkit to prevent the DRM from being removed and potentially opens the door for security vulnerabilities. The label will stop making CDs that use the technology, known as XCP.
"As a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology," the company said in a statement. "We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use."
The news comes one day after antivirus firms discovered a new Trojan horse that takes advantage of a cloaking mechanism employed by Sony's software. Security researchers warned that viruses and other malware could use the DRM's cloaking to hide, making them more difficult to remove.
Lawsuits have also been filed against Sony BMG in both California and New York by consumers who claim that Sony's DRM, which attempts to stop computer users from copying a CD's audio tracks to a hard drive, is invasive and damaging to computer systems.
Beyond the cloaking risk, coding errors in the DRM software have been reported to leave systems vulnerable to crashes.
SysInternals' Mark Russinovich first reported on the software after his company's security tool recognized a "rootkit" on his machine. Rootkits are malicious applications that hide deep within an operating system to perform tasks without a user's knowledge. The technology can be used to cloak viruses and worms or, in this case, DRM.
Russinovich's report spread like wildfire across the Net and was quickly picked up by mainstream media. Sony responded with a statement claiming it no longer used the technology and offered instructions for customers explaining how to remove the hidden software from their PCs.
Antivirus vendors have also been forced to decide whether to classify Sony's software as malware if it is detected on customers' systems. McAfee, Sophos and Computer Associates have taken an aggressive stance and offer removal tools, while Symantec is directing users to Sony customer support and Microsoft remains undecided.
For its part, Sony says it has been responsive to the situation by posting removal instructions. But Russinovich disagrees, saying, "Without exaggeration I can say that I've analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall."