First 4 Internet XCP DRM Vulnerabilities
added November 15, 2005 | updated November 16, 2005

US-CERT is aware of several vulnerabilities regarding the XCP Digital Rights
Management (DRM) software by First 4 Internet, which is distributed by some
Sony BMG audio CDs. The XCP copy protection software uses "rootkit"
technology to hide certain files from the user. This technique can pose a
security threat, as malware can take advantage of the ability to hide files.
We are aware of malware that is currently using this technique to hide.

One of the uninstallation options provided by Sony also introduces
vulnerabilities to a system. Upon submitting a request to uninstall the DRM
software, the user will receive via email a link to a Sony BMG web page.
This page will attempt to install an ActiveX control when it is displayed in
Internet Explorer. This ActiveX control is marked "Safe for scripting,"
which means that any web page can utilize the control and its methods. Some
of the methods provided by this control are dangerous, as they may allow an
attacker to download and execute arbitrary code.

More information about this vulnerability can be found in the following
US-CERT Vulnerability Note:

    * VU#312073 - First 4 Internet XCP "Software Updater Control" ActiveX
control incorrectly marked "safe for scripting"

US-CERT recommends the following ways to help prevent the installation of
this type of rootkit:

    * Do not run your system with administrative privileges. Without
administrative privileges, the XCP DRM software will not install.
    * Use caution when installing software. Do not install software from
sources that you do not expect to contain software, such as an audio CD.
    * Read the EULA (End User License Agreement) if you do decide to install
software. This document can contain information about what the software may

You are a subscribed member of the infowarrior list. Visit for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.

Reply via email to