If you recall my previous posts about Sony's Digital Rootkit Management (here and here) or have read about it elsewhere, you will recall that the worry was that the rootkit Sony installed would open users' PCs to abuse and the like. Well, Sony realized this was a bad thing (possibly due to the lawsuits), produced a removal kit and then agreed not to use this sort of DRM ever again.
However that is not the end of it. Two further developments have occurred, one of which is ironic and funny and one of which is serious. The serious one is that Sony's uninstaller has been written with precisely the same level of competence and security awareness (i.e. small to none) as the rootkit itself and leaves a backdoor on the computers of those who use it. The backdoor means that evil third parties who own websites, and who can get people who have run this uninstaller to visit them, can download and then run anything they want on the visitor's computer.
If you're vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line) cmd /k del "%windir%\downloaded program files\codesupport.*"
This is not an ideal solution - depending on your security settings, it may not prevent the software from installing again - but it's better than nothing. We'll have to wait for First4Internet to develop a complete patch.
You can also set a kill-bit for it (the CLSID is {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}) to make sure it doesn't come back.
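The two clean-up steps above, written out as a PowerShell script (an added example, not from the original post or from First4Internet): it deletes any codesupport.* files from Downloaded Program Files and writes the Internet Explorer kill-bit for the CLSID quoted above. It assumes an elevated prompt; the "ActiveX Compatibility" registry path and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism.

```powershell
# Added example: remove the CodeSupport ActiveX control and set its kill-bit.
# Run from an elevated PowerShell prompt. The CLSID is the one quoted above.
$clsid = '{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}'

# Step 1: delete codesupport.* from Downloaded Program Files (the same thing
# the "cmd /k del" line above does, but it reports what it found).
$dpf = Join-Path $env:windir 'Downloaded Program Files'
$files = Get-ChildItem -Path $dpf -Filter 'codesupport.*' -Force -ErrorAction SilentlyContinue
if ($files) {
    foreach ($f in $files) {
        Write-Host "Removing $($f.FullName)"
        Remove-Item -LiteralPath $f.FullName -Force
    }
} else {
    Write-Host "No codesupport.* files found in $dpf"
}

# Step 2: set the kill-bit. Internet Explorer refuses to instantiate a control
# whose CLSID has Compatibility Flags = 0x400 under ActiveX Compatibility.
# On 64-bit Windows the 32-bit registry view under Wow6432Node needs it too.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($base in $bases) {
    # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
    if (-not (Test-Path (Split-Path $base -Parent))) { continue }
    $key = Join-Path $base $clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    Write-Host "Kill-bit set at $key"
}

# Step 3: read the flag back to confirm the control really is blocked.
$check = Get-ItemProperty -Path (Join-Path $bases[0] $clsid) -Name 'Compatibility Flags'
if (($check.'Compatibility Flags' -band 0x400) -eq 0x400) {
    Write-Host 'Kill-bit verified.'
} else {
    Write-Warning 'Kill-bit not set; check that the prompt is elevated.'
}
```

The kill-bit only stops Internet Explorer from loading the control by CLSID, so the file deletion in step 1 is still worth doing.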
The problem with the uninstaller (detailed at Freedom to Tinker) is that it fails to do a simple check to see whether the files it is downloading come from Sony or Sony's subcontractor First4Internet. This is such a basic flaw that it seems incredible that any competent programmer would have made it or that any competent tester would not have found it. However, regretfully, it seems that the only programmers willing to write such draconian sorts of DRM code are either in league with criminals (that might explain where they get their ideas from) or drooling idiots who can't get a job at any more reputable software house (or both).
Leading us into the "drooling idiot" theory is the discovery by a Finnish hacker - one of those who also identified the problem above - and some others that Sony seems to have borrowed a whole load of code from the open source world and hence to have violated all sorts of license agreements and the DMCA in the process.
The open source code (parts of LAME) seems to be licensed under either the GPL or LGPL and in either case it would seem that there is a strong case that Sony has violated the conditions under which the code is released. To put this in simple language, Sony's DRM violates the digital rights of the authors of some of the code it uses.
If that wasn't enough, the code may also turn out to be in violation of the DMCA since it seems to have been deliberately engineered to break Apple's iTunes DRM. It is unclear whether the code is actually run or whether it is just part of the stuff nicked from the LAME open source libraries without alteration but either way I think a good lawyer could make the case that by distributing this code to millions of purchasers Sony is in violation of the DMCA.
Finally (for this post), info on the "call home" qualities of the Sony rootkit and its uninstaller, not to mention its crash-proneness, is at the site of one of the original discoverers. After you read all the depressing details and note the obvious lack of clarity on the part of Sony & co, not to mention a certain economy with the actualité as it were, I hope you will agree with me that Sony BMG needs to suffer a major drop in purchasing. I personally rarely buy any CDs these days, so my protest will be longer term: I shall purchase no more Sony electronic gear ever. This means that Sony Ericsson phones, Sony digital cameras and Sony TVs and audio equipment are going to be skipped. Seeing as in the past I was very happy with my Sony Mavica camera and still (happily) use a Sony Trinitron TV and 50 CD jukebox, this is not a decision I take lightly, but I regret to say that the Sony response is so poor that I simply do not trust them.
Update: Duh - should have realized that the LGPL code that Sony appears to have ripped off is in fact code written by the RIAA's least favourite programmer DVD Jon - ironic isn't it...