Sony Discloses List of Rootkit CDs
The initial count of 20 CDs that bundled Sony BMG's now infamous XCP copy-protection software has grown. The label has issued a list detailing 52 CDs dating back to early 2005 that include the controversial rootkit.
Some 2.1 million copies of those discs made their way to consumers. Security researcher Dan Kaminsky estimated how far the software had spread by DNS cache snooping: he sent non-recursive queries to DNS servers around the world and checked which of them had already cached the hostnames that the XCP software looks up when it phones home to Sony's update servers. A cached entry means at least one machine behind that server ran the software, so his count of more than 500,000 is a count of affected networks and a lower bound on the number of infected PCs, not a tally of individual machines. Another 2.4 million CDs were being pulled from store shelves.
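The measurement technique above works because a DNS query with the "recursion desired" (RD) bit cleared asks a resolver to answer only from its cache: an answer means somebody behind that resolver recently looked the name up, and the remaining TTL shows roughly how long ago. The following Python is an added example illustrating that technique; it is not code from the article or from Kaminsky's own tooling. It assumes the hostname connected.sonymusic.com, one of the names Kaminsky's published writeup identified as contacted by XCP (the article itself does not list them); the resolver address, transaction IDs and the 192.0.2.10 answer in the constructed packets are placeholders, and the sample response packets are built locally so the example runs offline.

```python
import random
import socket
import struct


def build_snoop_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a DNS query for `name` with the RD bit cleared (flags == 0).

    A resolver that honours RD=0 will not recurse, so it can only answer
    if the record is already in its cache.  qtype 1 == A record.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += length + 1


def parse_snoop_response(resp: bytes, txid: int) -> dict:
    """Interpret a response to a non-recursive query.

    cached == True only when rcode is NOERROR and at least one answer RR is
    present.  min_ttl is the smallest remaining TTL, which is how much of the
    record's lifetime is left in that resolver's cache.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip echoed question section
        off = _skip_name(resp, off) + 4
    ttls = []
    for _ in range(an):
        off = _skip_name(resp, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {
        "rcode": rcode,
        "answers": an,
        "recursion_available": bool(flags & 0x0080),
        "cached": rcode == 0 and an > 0,
        "min_ttl": min(ttls) if ttls else None,
    }


def snoop(resolver_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Send one non-recursive query over UDP to a live resolver (placeholder IP in use)."""
    txid = random.randrange(1, 0xFFFF)
    query = build_snoop_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_snoop_response(data, txid)


# --- constructed sample packets, standing in for a real resolver's replies ---

def build_sample_hit(query: bytes, ttl: int, ip: str) -> bytes:
    """Response a caching resolver would send when the name IS cached."""
    flags = 0x8080  # QR=1, RD=0 (echoed), RA=1, rcode=0
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def build_sample_miss(query: bytes) -> bytes:
    """Response when the resolver honours RD=0 and has nothing cached: no answer RRs."""
    header = query[:2] + struct.pack("!HHHHH", 0x8080, 1, 0, 0, 0)
    return header + query[12:]


if __name__ == "__main__":
    q = build_snoop_query("connected.sonymusic.com", txid=0x1234)
    print(parse_snoop_response(build_sample_hit(q, 3600, "192.0.2.10"), 0x1234))
    print(parse_snoop_response(build_sample_miss(q), 0x1234))
```

Two caveats a practitioner would check before trusting a hit: some resolvers ignore RD=0 and recurse anyway, which turns every query into a false positive, so query a control name nobody should have looked up and discard resolvers that answer it; and a resolver may refuse non-recursive queries outright (rcode REFUSED), which tells you nothing about its cache.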
"We will shortly be releasing new versions of these titles without the XCP software. You therefore need to check this list for both the name of the album and the item number (which can be found on the spine of the CD)," Sony says regarding the new list.
Since its discovery in late October, news of the rootkit has spiraled out of control, with consumers and artists alike angry at the revelation. In an apology issued earlier this week, Sony said it "deeply regrets any inconvenience to our customers."
But that hasn't stopped lawsuits stemming from consumers' outrage, nor accusations of collusion between security companies and Sony. So far no antivirus vendor has removed the copy-protection software itself; their signatures strip only the rootkit's cloaking mechanism, the kernel driver that hides any file, process or registry key whose name begins with "$sys$", and leave the DRM code in place.
Questions regarding the security of Windows have also been raised in the aftermath. Jupiter Research senior analyst Joe Wilcox wonders why the problem went undetected for 7 months, even with Sony's XCP software phoning home.
"My conclusion: Windows security isn't enough, and the problem isn't some inherent weakness in the operating system," says Wilcox. "Here we see the failure of many different security products -- whether their ability to detect or customers' correct use of the software -- to uproot a rootkit many months in distribution."
There is, however, one silver lining in this whole mess: customers who purchased Ricky Martin's comeback CD "Life" or The O.C. dad Peter Gallagher's "7 Days in Memphis" were not exposed to the rootkit, despite the albums being marked as such.