Warning: Sony XCP Uninstaller Creates Security Holes
Many people have been concerned about the security risks of the XCP copy restriction software bundled on several recent Sony/BMG music CDs. Sony has made available a remarkably difficult-to-obtain uninstall program, which is not even capable of uninstalling all the components of the XCP system. However, Finnish security researcher Muzzy reported that this uninstall program introduces its own set of possible security problems -- and that it may even make matters worse.
Today, following up on this possibility, Ed Felten and Alex Halderman announced that they have
confirmed that Sony's Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony's Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.
As Muzzy demonstrated, and Felten and Halderman have confirmed, the Sony update program leaves behind additional code with its own set of serious security vulnerabilities. As a result, Felten and Halderman encourage those infected with the Sony/BMG rootkit not to use the Sony-provided uninstaller. For the time being, Sony has not left its customers with any safe recourse.