I was laughing so hard when I read this I had tears in my eyes.
You remember way back to last week, when it was discovered that SonyBMG had placed on many of its CDs a software program that installed a rootkit on a user's PC? After a couple of days of yelling and screaming, Sony grudgingly announced that, okay, they would provide a method of "fixing" the rootkit--not by removing it, mind you, but just that they would remove the "cloaking" feature so that third-party viruses couldn't hide there.
Now it turns out that the method they chose to fix the rootkit opens a hole a mile wide on the user's PC. Someone wishing to remove the cloaking feature first fills out a form on the SonyBMG website, then Sony sends down an ActiveX control that gets installed on the user's computer. The ActiveX control then talks to Sony and together they remove the cloaking attribute.
The problem just discovered is that the ActiveX code ITSELF IS A HUGE LIABILITY! It seems that whoever wrote the ActiveX control forgot to limit its use to just SonyBMG. In other words, a hacker can write a web page that automatically calls that ActiveX control, which then automatically authorizes the web page to download ANY software it wants! The person behind the web page can completely take over your PC!!!
Unbelievable. The people behind this fiasco at SonyBMG really need an award or something--it just doesn't get any better than this.
More info here.
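To make the missing restriction concrete, here is a sketch of the kind of caller check ("site-locking") a control like this needs before it acts on a request from a web page. This is an added example, not code from the original post or from SonyBMG; the domain `vendor.example` and the function names are assumptions, and the sample URLs are constructed.

```javascript
// Added example: refuse requests unless the hosting page is on the vendor's allowlist.
// "vendor.example" is a placeholder; the real hostnames are not given in the post.
const ALLOWED_HOSTS = ["vendor.example"];

function isCallerAllowed(pageUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable caller URL: refuse
  }
  // Plain HTTP pages can be modified in transit, local files are not the vendor.
  if (url.protocol !== "https:") return false;
  // Reject "https://vendor.example@other.host/" style userinfo tricks outright.
  if (url.username || url.password) return false;
  // Normalise case and a trailing root dot before comparing.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Exact host or a true subdomain only; a bare suffix match would
  // also accept look-alikes such as "notvendor.example".
  return allowedHosts.some((h) => host === h || host.endsWith("." + h));
}

// Hypothetical entry point: every privileged action goes through the check first.
function handleRequest(pageUrl, action) {
  if (!isCallerAllowed(pageUrl)) {
    return { ok: false, reason: "caller not on allowlist" };
  }
  return { ok: true, action };
}

// Constructed sample callers.
const samples = [
  "https://vendor.example/uninstall",
  "https://support.vendor.example/form",
  "https://vendor.example.other-site.test/",
  "https://vendor.example@other-site.test/",
  "http://vendor.example/uninstall",
];
for (const s of samples) {
  console.log(isCallerAllowed(s) ? "allow " : "refuse", s);
}
```

A control that skips this step treats every page on the web as if it were the vendor's own, which is exactly the failure described above.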