Update to Press Release: EFF Does Not Recommend Patch at This Time
SunnComm Makes Security Update Available To Address Recently Discovered Vulnerability On Its MediaMax Version 5 Content Protection Software, Which Is Included On Certain SONY BMG CDs
San Francisco, CA and New York, NY - The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment (SONY BMG) said today that SunnComm is making available a software update to address a security vulnerability with its MediaMax Version 5 content protection software on certain SONY BMG compact discs (CDs). The vulnerability was discovered by the security firm iSEC Partners after EFF requested an examination of the SunnComm software.
"We're pleased that SONY BMG responded quickly and responsibly when we drew their attention to this security problem," said EFF staff attorney Kurt Opsahl. "Consumers should take immediate steps to protect their computers."
"We're grateful to EFF and iSEC for bringing this to our attention," said Thomas Hesse, president, Global Digital Business, SONY BMG. "We believe that the availability of the update coupled with our campaign to notify customers will appropriately address the CDs with MediaMax Version 5 in the market."
SunnComm as well as independent software security firm NGS Software have determined that the security vulnerability is fully addressed by the update. NGS Director Robert Horton said, "After carefully researching the security vulnerability presented to us by SONY BMG, we have determined that it is not uncommon and, importantly, it is easily fixed by applying a software update."
The security vulnerability on SunnComm MediaMax Version 5 software differs from that reported in early November on First4Internet XCP software contained on certain SONY BMG CDs. A full list of the 27 U.S. SunnComm MediaMax Version 5 titles is included in the link below. Consumers can download the software update that is designed to address this security vulnerability from SunnComm's and Sony BMG's websites at http://www.sunncomm.com/support/updates/update.asp and http://www.sonybmg.com/mediamax.
The security issue involves a file folder installed on users' computers by the MediaMax software that could allow malicious third parties who have localized, lower-privilege access to gain control over a consumer's computer running the Windows operating system.
SONY BMG will notify consumers about this vulnerability and the update through the banner functionality included on the player, as well as through an Internet-based advertising campaign. The update is also being provided to major software and Internet security companies. EFF and SONY BMG urge all consumers who receive notice to download and install the patch immediately. In accordance with standard information security practices, EFF and iSEC delayed public disclosure of the details of the exploit to provide SunnComm the opportunity to develop an update.
Full list of titles affected:
iSEC Partners Report on the Vulnerability:
Electronic Frontier Foundation