OK, I’m not going to talk about that security flaw in IE here – I’ll leave that to others, such as The Register in ‘Critical’ IE bug threatens PC users. What I’ll mention briefly here is the wording I’ve seen elsewhere, too:
The other option is to choose an alternative browser, such as Firefox or Opera. However, even these browsers are not as safe from attack as they were once considered.
Firefox has been subject to a number of flaws over the past year, including one that could leave its users more vulnerable to phishing scams. Meanwhile, a report published in September by Symantec rated Internet Explorer as safer than Firefox. The report found some 25 flaws in Mozilla’s Firefox internet browser, almost double the number it discovered in IE.
Vulnerabilities in Opera are not mentioned – not here, not elsewhere – and I wonder: Why not? There are vulnerabilities to mention, right? Since it is stated that Opera is not as safe from attack as once considered, I mean. Wouldn’t it be natural to mention at least one serious vulnerability, as is done for Firefox?
Not many days have passed since Sony got negative attention for the DRM protection on its Copy Protected CDs, for which it quickly issued an update to remove it. Or – did it? The update is 3.5 MB, seems to update all the files, and leaves some more files behind, according to Ed Felten, who had looked a bit closer at it:
The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.
No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert — falsely — that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.
But, there’s more – related to the rootkit, unrelated to the “fix”.
Use the rootkit to cheat other companies
Players of World of Warcraft dislike the game makers and their controversial tactics for preventing cheating in the game. (To my limited understanding – I don’t play it myself.) The program ‘Warden’ scans the players’ PCs to make sure there are no processes running to help cheating in the game.
Sony to the rescue – their rootkit DRM helps World of Warcraft hackers fool the Warden. After all, with the DRM rootkit installed, all that is needed to hide a process is to start the filename with $sys$ – right?
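The flip side of that prefix trick is that it is also what gives the cloaking away. The rootkit filters names from what the normal Windows API reports, but a listing built from the raw disk or registry hive still contains them, so comparing the two views exposes the hidden entries. The script below is an added illustration of that cross-view comparison, not code from the original post or from Sony; the `$sys$` prefix behaviour is the one described above, and both listings are constructed sample data standing in for the API view and the raw view.

```python
# Added example: cross-view detection of prefix-based cloaking.
# The DRM driver hides any file, process or registry key whose name
# begins with "$sys$". Such a name is missing from the high-level
# (Windows API) view but still present in a low-level view read from
# the raw volume. Entries that appear only in the raw view are the
# candidates for hidden objects.

CLOAK_PREFIX = "$sys$"  # prefix the cloaking driver keys on

def cloaked_view(raw_names):
    """Model the driver's filter: drop every name carrying the cloak prefix.
    This is what an ordinary program sees on an affected system."""
    return [n for n in raw_names if not n.lower().startswith(CLOAK_PREFIX)]

def cross_view_diff(api_view, raw_view):
    """Names present in the raw (low-level) view but absent from the API view."""
    return sorted(set(raw_view) - set(api_view))

def classify(hidden_names):
    """Explain each discrepancy: a known cloak prefix, or something else
    (e.g. a file created between the two scans) that needs a manual look."""
    report = {}
    for name in hidden_names:
        if name.lower().startswith(CLOAK_PREFIX):
            report[name] = "hidden by $sys$ prefix cloaking"
        else:
            report[name] = "unexplained discrepancy, inspect manually"
    return report

# Constructed sample raw listing: two names a $sys$-style driver would cloak
# (note the mixed case) and two ordinary files.
RAW_LISTING = [
    "readme.txt",          # constructed, benign
    "$sys$filesystem",     # constructed, cloaked
    "$sys$DRMServer.exe",  # constructed, cloaked, mixed case
    "notepad.exe",         # constructed, benign
]

def scan(raw_view=RAW_LISTING, api_view=None):
    """Compare the two views and classify every mismatch. On a real system
    api_view comes from the Windows API and raw_view from parsing the volume;
    here the API view is simulated with cloaked_view() unless supplied."""
    if api_view is None:
        api_view = cloaked_view(raw_view)
    return classify(cross_view_diff(api_view, raw_view))

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name}: {verdict}")
```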
When it was discovered that Sony had taken its DRM implementation too far, it didn’t escape the news. It was discussed all over the place, and didn’t leave people with a high opinion of Sony.
Sony has reacted, and posted a service pack/update that removes the cloaking technology. But does it apologise? No – instead it downplays the problems, saying it wasn’t malicious and didn’t compromise security.
Funny. I thought the previous article showed how easy security could be compromised…
Bad move, not to apologise. If Sony doesn’t regret the actions, what can we expect from the company later?
Today I was made aware of an article called Sony, Rootkits and Digital Rights Management Gone Too Far by Mark Russinovich – and it’s scary news. Mark had bought a Copy Controlled CD made by Sony, and as a result of playing it on his PC, Sony had taken the liberty of installing software on his computer – and hiding it.
It is one thing to try to limit what can be done with the music on the CD, but trying to hide that you’ve installed software, and making it very difficult to uninstall, is going too far. Especially as the software in question takes up resources, poses a security risk, and may also be unstable in itself. This sounds too much like what is commonly known as malware.
Another question that begs to be asked is: Is what Sony has done here legal? Sony may write about this in its EULA (but it is not certain that it actually does, even after updating the EULA after the fact), but a EULA can’t override laws – not everywhere at least – and may even have to be known before the product is bought in order to be valid.
Maybe it’s time for consumers to sue?