Is the web uninstall of Sony DRM leaving the system more open due to the Active X object needed to get it removed? Honestly I cannot understand how a company can do this without legal people doing something.
Matti Nikki of Finland was the first to figure out just what the uninstaller was doing. It seems the uninstaller puts an ActiveX control called CodeSupport on the target machine even before the uninstall URL can be obtained.
The control is marked "safe for scripting" and remains this way on the machine even after the uninstall process is concluded.
What this means is that any remote user can use the methods of this control to do anything. Here's the list of methods that Muzzy found:
GenerateRequestPacket
ExecuteCode (can crash browser)
Uninstall
RebootMachine (exploitable; Muzzy has a demo that may make the situation worse)
GetProgress
OnLoaded
InitializeDiscScan
GetNumberOfDiscs
IsDRMServerValid
GetAlbumArtist
GetAlbumName
GetMaxBurnCount
GetCurrentBurnCount
GenerateIncrementPacket
IsContentOwnerValid
DoIncrement
GetInstalledSoftwareVersion
IsXCPDiscPresent
InstallUpdate (possibly exploitable, downloads given a URL)
GetInstallProgress
GetCompletionStatus
IsXCPDiscPresentAsLong
IsAdministrator
It was at this point that Ed Felten and Alex Halderman of Princeton got involved on their Freedom to Tinker Weblog. They realized that the CodeSupport control would allow any Web page to download, install and run any code it wants to on your computer, since CodeSupport doesn't verify that it is only working with the uninstaller code it was supposed to deal with.
Halderman and Felten have written exploits (that they are not making public) to verify that this can occur. While Sony has replaced the Web-based installer with a downloadable .exe file, it remains unclear at this point (given the company's track record) whether the new installer is safe to use.
There is a simple way suggested by Halderman and Felten to remove the CodeSupport component from Windows if you have been affected.
From the Start Menu, choose Run, and then type the following (between the brackets without typing the brackets) into the box that appears.
[cmd /k del "%windir%\downloaded program files\codesupport.*"]
That should delete all files associated with the control. Please understand that you do this at your own risk, since your security settings may not prevent the software from being installed again.
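A read-only check to run after the deletion above, added here as an example (it is not from Halderman and Felten or from the original post): it looks for leftover codesupport.* files and for COM registrations that still point at them. It assumes the control is registered under HKLM\SOFTWARE\Classes\CLSID; the GUID is the standard "safe for scripting" component category.

```powershell
# Added example: check whether the CodeSupport control is still present.
# Read-only: it lists what it finds and deletes nothing.

# Cache folder named in the removal command on this page.
$cache = Join-Path $env:windir 'Downloaded Program Files'

# 1. Files left behind by the web uninstaller (-Force includes hidden files).
$files = @(Get-ChildItem -Path $cache -Filter 'codesupport.*' -Force -ErrorAction SilentlyContinue)

# 2. COM classes whose in-process server path mentions "codesupport".
#    Assumption: registration lives under HKLM\SOFTWARE\Classes\CLSID.
$safeCat = '{7DD95801-9882-11CF-9FA9-00AA006C1CE4}'   # CATID_SafeForScripting
$classes = @(
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = $_.OpenSubKey('InprocServer32')
        if ($srv) {
            $path = [string]$srv.GetValue('')          # default value = server DLL/OCX path
            $srv.Close()
            if ($path -match 'codesupport') {
                $cat = $_.OpenSubKey("Implemented Categories\$safeCat")
                $marked = $null -ne $cat
                if ($cat) { $cat.Close() }
                [pscustomobject]@{
                    Clsid                    = $_.PSChildName
                    Server                   = $path
                    ServerFileExists         = Test-Path -LiteralPath $path
                    SafeForScriptingCategory = $marked
                }
            }
        }
    }
)

if ($files.Count -eq 0 -and $classes.Count -eq 0) {
    Write-Output 'No CodeSupport files or COM registrations found.'
} else {
    Write-Output "Leftover files in ${cache}: $($files.Count)"
    $files   | Format-List FullName, Length, LastWriteTime
    Write-Output "COM registrations referencing codesupport: $($classes.Count)"
    $classes | Format-List
}
```

A control can also declare itself safe for scripting at run time through IObjectSafety, which this registry check cannot see, so a False in SafeForScriptingCategory does not by itself mean the control is unscriptable.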