OT: RED Alert regarding rootkit uninstaller

baysidebas wrote on 11/15/2005, 11:03 AM

Full text here.

Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs
Tuesday November 15, 2005 by Ed Felten

[This post was co-written by J. Alex Halderman and Ed Felten.]

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
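The post describes three checks the CodeSupport control skipped: it answered any calling page, it accepted any download URL, and it never verified that the bytes it installed came from the vendor. The following is an added example, written for this thread and not code from the Freedom to Tinker post, Sony or First4Internet, showing what an origin- and integrity-gated "download and install" decision looks like. Every hostname, URL and payload in it is a constructed placeholder (the `.example` names are reserved and are not the vendor's real infrastructure).

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed policy values for the example; the host and payload below are
# hypothetical and are not First4Internet's or Sony's real infrastructure.
TRUSTED_HOSTS = frozenset({"uninstaller.vendor.example"})

# Constructed sample payload and a manifest pinning, per allowed URL, the
# SHA-256 of the only bytes the control may install from that URL.
SAMPLE_PAYLOAD = b"uninstaller-binary-bytes-v1"
MANIFEST = {
    "https://uninstaller.vendor.example/uninstall.bin":
        hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
}


def is_trusted_origin(origin: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True only for an https URL whose host is exactly on the allowlist.

    Exact host matching (not a suffix check) rejects lookalikes such as
    'uninstaller.vendor.example.attacker.example', and refusing embedded
    credentials rejects 'https://uninstaller.vendor.example@attacker.example/'.
    """
    parts = urlparse(origin)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in trusted_hosts


def payload_matches_manifest(url: str, payload: bytes, manifest=MANIFEST) -> bool:
    """Reject any payload whose hash is not pinned for this exact URL."""
    expected = manifest.get(url)
    if expected is None:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison, so the check does not leak via timing.
    return hmac.compare_digest(actual, expected)


def authorize_install(caller_origin: str, download_url: str, payload: bytes):
    """Decide whether a scriptable 'download and install' request may proceed.

    Returns (allowed, reason). Each check is one the post says CodeSupport
    lacked: it answered any calling page and installed from any URL unverified.
    """
    if not is_trusted_origin(caller_origin):
        return False, "calling page is not a trusted origin"
    if not is_trusted_origin(download_url):
        return False, "download URL is not on a trusted host"
    if not payload_matches_manifest(download_url, payload):
        return False, "payload hash does not match the pinned manifest entry"
    return True, "ok"


if __name__ == "__main__":
    # Scenario from the post: an unrelated page asks the control to fetch
    # code from a URL of its own choosing (constructed values).
    print(authorize_install("http://some-page.example/",
                            "http://evil.example/payload.bin", b"anything"))
    # Vendor page and vendor URL, but the bytes were altered in transit.
    print(authorize_install("https://uninstaller.vendor.example/form",
                            "https://uninstaller.vendor.example/uninstall.bin",
                            b"tampered"))
    # Legitimate request: trusted caller, pinned URL, matching hash.
    print(authorize_install("https://uninstaller.vendor.example/form",
                            "https://uninstaller.vendor.example/uninstall.bin",
                            SAMPLE_PAYLOAD))
```

The caller-origin check is the part that "safe for scripting" undoes: once a control is marked safe, the browser lets any page script it, so the control itself has to decide who may invoke a privileged method. Pinning a hash per URL stands in here for whatever the real deployment would use (a code signature checked against the vendor's key); the point is that the bytes are verified before anything is executed, not where they were fetched from.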

Comments

Chienworks wrote on 11/15/2005, 11:05 AM
Hmmm. That's odd. All i see of your message is "-->" and it's in a very small box, with the "Reply, etc." outside of it. What did you post? Did you try inserting HTML?

------- added
Never mind, you edited it and now it's all there.

------- added more
Here's your link, fixed: http://www.freedom-to-tinker.com/?p=927
baysidebas wrote on 11/15/2005, 11:06 AM
What a difference a missing quotation mark can make.
Chienworks wrote on 11/15/2005, 11:11 AM
That's why i rarely, if ever, use quote marks in URLs.
baysidebas wrote on 11/15/2005, 11:15 AM
hmmm, when I go to edit the friendly link, this is all that shows (excluding the outside brackets): "a href="http://www.freedom-to-tinker.com/?p=927">Full text here.</a"

where is the Sony forums thing coming from?
musicvid10 wrote on 11/16/2005, 7:34 PM
Any time you edit a post it messes with links. Best thing is to hit edit, and replace the link fresh.
baysidebas wrote on 11/17/2005, 7:01 AM
Thanks, re-entering the full link did the trick. Also thanks for the quotation mark tip. The URL works just as well without quotes surrounding it. Funny that every reference I've ever seen for links in HTML uses the quotes; possibly it has something to do with embedded spaces. Will have to examine that further.
Chienworks wrote on 11/17/2005, 7:07 AM
Yes, the quotes are necessary if you have embedded spaces. However, that begs the question of why anyone would ever put spaces in URLs? I can't see the point. There's too much chance for getting it wrong when posting or typing the link. On top of that, some browsers and web servers can't handle the actual space character. If you must post a link that someone else made that has spaces in it you can replace the spaces with %20 and then the quotes won't be necessary.
dreamlx wrote on 11/17/2005, 9:19 AM
In fact, the quotes are always necessary; without quotes, the link is no longer valid HTML. Most browsers, however, can parse the HTML without quotes, but you should always put them.
baysidebas wrote on 11/17/2005, 12:55 PM
Makes sense. Thank you.