December 8th, 2005
Oops, We Did It Again — Sony BMG’s SunnComm Patch Opens New Security Hole
By Michael Santo
Contributing Writer, RealTechNews
Less than one day after releasing a patch to fix a security hole in the SunnComm MediaMax copy protection software, both Sony BMG and the Electronic Frontier Foundation (EFF) are urging users not to install it. The patch includes a vulnerability similar to the one it attempted to fix.
But despite claims that “independent software security firm NGS Software have determined that the security vulnerability is fully addressed by the update,” Princeton researcher Alex Halderman has found otherwise.
“It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch,” Princeton professor Edward Felten explained. “The previously released MediaMax uninstaller is also insecure in the same way.”
Source: BetaNews
We Say: It’s been 3 days since Sony released the updated uninstaller for the First4Internet XCP DRM; let’s hope that one is more successful. I warned about volunteering to use the XCP uninstaller, but I figured this patch was solid, since a third party had tested it. I guess I was wrong. You have to wonder if any artists are going to start leaving Sony because of all this bad publicity.

Calvin says:
Two words: bwaaaaa hahaahaaaaa
The wheels on the bus…
December 8th, 2005 at 1:18 pm