The security hole, which was first noticed by Finnish researcher Muzzy, involves an ActiveX control called CodeSupport, which is marked as safe for scripting, allowing any web page to give it instructions. “One thing CodeSupport can be told to do is download and install code from an Internet site,” the Princeton researchers note. “Unfortunately, CodeSupport doesnโt verify that the downloaded code actually came from Sony or First4Internet (the DRM software maker). This means any web page can make CodeSupport download and install code from any URL without asking the userโs permission.”
Users who have installed the patch can uninstall the CodeSupport component, according to the Princeton team, which offers instructions for a command line uninstall of the ActiveX control. The security hole creates extra work for network administrators at corporations and universities. Damage may be mitigated by the fact that those who installed the patch were security-minded in the first place, and thus are likely to be aware of ongoing issues involving the Sony rootkit.
Upcoming releases of Microsoft’s spyware removal tools will uninstall the Sony copy-protection software, which disguises its actions and thus functions as a rootkit. It’s not yet clear whether Microsoft will alter its deployment timeline to address the new security holes.