SunnComm MediaMax Security Vulnerability FAQ

What is the SunnComm MediaMax Security Vulnerability?

Certain audio compact discs distributed by Sony BMG contain a version of the SunnComm MediaMax software, which creates a serious risk of a "privilege escalation attack." This new security vulnerability -- different than the one reported in early November regarding Sony BMG CDs sold with software called XCP -- affects all Sony BMG CDs that contain version 5 of SunnComm MediaMax software. According to Sony BMG, about six million CDs have this software.

Sony BMG's list of affected CDs


Is there a solution?

On Tuesday December 6, Sony BMG and SunnComm
made available a patch that was designed to resolve this security
vulnerability. We're pleased that Sony BMG responded quickly and
responsibly when we drew their attention to this serious security
problem.

However, the day after the patch was released, Professor Ed Felten and
Alex Halderman (http://www.freedom-to-tinker.com/?p=942) identified a
new problem. Sony BMG has now released a second patch, which security
researchers are reviewing.

  • do not use the MediaMax patch
  • do not use the previously released MediaMax uninstaller, and
  • do not insert a MediaMax-bearing CD into your PC."

    SunnComm's uninstaller
    SunnComm patch, Alternate link to patch


    What is a privilege escalation attack?

    A privilege escalation attack is the act of exploiting a security weakness in an application to gain access to resources that normally would have been protected from an application or user. This means that low-rights users can add files to a directory and overwrite the binaries installed therein, which will then be unknowingly executed by a later user with a higher level of rights. In other words, a guest user or a malicious program can effectively make changes to a computer that would normally be reserved to an administrator.


    Can you explain this with an analogy?

    Consider an office worker who has keys to her office and to the front door of the building, but not to other offices or to the supply closet. There are many ways to gain additional access: Sometimes those locks can be picked, sometimes the locks are left unlocked, and sometimes an attacker can steal the building manager's keys. This vulnerability is yet another way to gain increased access, similar to leaving the manager's keys out. By stealing the manager's keys, the office worker can escalate her privileges, i.e. get into offices and other rooms where she is not authorized.


    What are access controls?

    On a computer system, information resources are protected with access controls analogous to door locks. A common implementation of such access controls is called an access control list (ACL). An ACL is simply a table listing principals (e.g. user accounts) and the privileges each principal has with an object.

    An ACL might stipulate, for example, that user account Bob can read the spreadsheet file accounts-2005.xls, while user account Jane can both read and write it. In this example, the Bob and Jane accounts are principals, the accounts-2005.xls file is the object, and "read" and "write" are privileges.


    What are some details of the MediaMax vulnerability?

    MediaMax version 5 leaves a crucial folder "unlocked," that is to say with an ACL that allows all principals to have all privileges. The reason this is a problem is that the folder contains an executable program (MMX.EXE, the MediaMax program) that must be run by a user account with high privileges. An attacker can overwrite MMX.EXE with code of her choice, and the next time a MediaMax disc is played, her attack code will be executed.

    Specifically, the directory that the SunnComm MediaMax software creates, located in "c:\Program Files\Common Files\SunnComm Shared\," overrides the default Access Control List (also known as the file system permissions). The SunnComm Shared directory uses an ACL that doesn't protect against low-rights users (i.e., "Everyone" in Windows parlance) overwriting the contents, including the installed binaries.

    Returning to our example of Bob and Jane, it means that Bob can now rewrite the spreadsheet, or more worrisome, replace it with a malicious program.
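The ACL model and the "unlocked" folder described above can be checked mechanically. The following Python example is added here and is not part of the original FAQ or iSEC's report: it reads a Windows ACL in SDDL text form and reports allow entries that give low-privilege principals such as Everyone the ability to write, delete or re-permission files. Both SDDL strings are constructed samples, not the actual MediaMax ACL.

```python
import re

# Access-mask bits that let a principal alter or replace files in a directory.
WRITE_BITS = {
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000040: "FILE_DELETE_CHILD",
    0x00010000: "DELETE",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL",
    0x40000000: "GENERIC_WRITE",
}
# SDDL two-letter rights aliases commonly seen on file-system objects.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
          "GX": 0x20000000, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
# Low-privilege principals (SDDL SID aliases) that should not hold write access.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
         "BG": "Guests", "IU": "Interactive", "S-1-1-0": "Everyone"}

# Constructed samples (not the real MediaMax ACL): a folder open to Everyone,
# and a Program Files style ACL where Users get read and execute only.
WEAK_SDDL = "O:BAG:SYD:PAI(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)"
HARDENED_SDDL = "O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"

def parse_mask(rights):
    """Turn an SDDL rights field (hex mask or run of aliases) into an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # unknown alias raises KeyError
    return mask

def risky_aces(sddl):
    """List (principal, rights) for allow ACEs granting write to BROAD SIDs."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A" or sid not in BROAD:  # deny ACEs are not evaluated
            continue
        hits = [n for bit, n in WRITE_BITS.items() if parse_mask(rights) & bit]
        if hits:
            findings.append((BROAD[sid], hits))
    return findings
```

On a Windows machine, the SDDL string for a real folder is available from the `Sddl` property of the object that PowerShell's `Get-Acl` returns.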


    How could this harm consumers' computers?

    The SunnComm MediaMax version 5 software distributed by Sony BMG could expose the computers of millions of users to attacks by malicious hackers and virus writers. They undermine significant security protections otherwise present on computers running Windows, which are designed to prevent users (either people or programs) from gaining control of your computer.


    Who discovered the MediaMax security vulnerability?

    iSEC Partners discovered the security vulnerability after EFF requested an examination of the software, and EFF and iSEC promptly communicated it to Sony BMG. In accordance with standard information security practices, EFF and iSEC delayed public disclosure of the details of the exploit to give Sony BMG the opportunity to develop a patch.

    iSEC Partners' report [PDF, 237K]


    Who is iSEC Partners?

    iSEC Partners is a proven full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. iSEC Partners' security assessments leverage their extensive knowledge of current security vulnerabilities, penetration techniques and software development best practices to enable their customers to secure their applications against ever-present threats on the Internet. Primary emphasis is placed upon helping software developers build safe, reliable code.

    Areas of research interest include application attack and defense, web services, operating system security, privacy, storage network security and malicious application analysis.

    For more information: http://www.isecpartners.com.


    Are there any more security issues with SunnComm's MediaMax software?

    We don't know. We have identified one security issue, but there may be others. Even before this vulnerability came to light, security researcher Ed Felten noted "the MediaMax software will still erode security, for reasons stemming from the basic design of the software." See Freedom to Tinker for more. We urge Sony BMG to undertake rigorous security testing on all of its software, and we will continue to look into this issue.


    How many CDs are affected?

    There are over 20 million Sony BMG CDs with some version of the SunnComm MediaMax software. Sony BMG says that about six million have the MediaMax version 5 that is subject to this vulnerability, and has provided a list of affected titles. In addition, EFF has prepared a Spotter's Guide to help you identify MediaMax CDs in the wild.

    Sony BMG's list of affected CDs

    EFF's Spotter's Guide


    What are some of the artists with SunnComm MediaMax CDs?

    MediaMax can be found on a wide variety of popular artists' music,
    such as Britney Spears' "Hitme (Remix)," David Gray's "Life In Slow
    Motion," My Morning Jacket's "Z," Santana's "All That I Am," and
    Sarah McLachlan's "Bloom (Remix Album)."

    Sony BMG's list of affected CDs

    EFF's list of CDs affected and possibly affected by MediaMax.


    Does the patch resolve all the issues with CDs with SunnComm MediaMax software?

    No. There are other severe problems with MediaMax discs, including: undisclosed communications with servers Sony controls whenever a consumer plays a MediaMax CD; undisclosed installation of over 18 MB of software regardless of whether the user agrees to the End User License Agreement; and failure to include an uninstaller with the CD. EFF will continue to raise these issues with Sony BMG.


    Does SunnComm MediaMax appear on CDs other than those released by Sony BMG?

    Yes. According to SunnComm, its "MediaMax technology has appeared on over 140 commercially released CD titles across more than 30 record labels." Earlier this year, SunnComm forecast "that its MediaMax CD Copy Management Technology will be Applied to More than 145,000,000 Audio CDs this Year." Currently our focus is on the Sony BMG CDs, but we are investigating whether the vulnerability exists on other labels, and urge every label that has used the MediaMax technology to check with security experts immediately.

    SunnComm press release: SunnComm Ups Security Another Notch
    SunnComm press release: SunnComm Forecasts for MediaMax


    Is EFF Suing Sony BMG?

    Yes. On November 21, EFF, along with the law firms of Green Welling,
    LLP, and Lerach, Coughlin, Stoia, Geller, Rudman and Robbins, LLP,
    filed a California class action lawsuit in Los Angeles against Sony
    BMG including claims arising from both XCP and SunnComm CDs. We also
    filed a national class action on December 2 in New York and are joined
    in that action by the Law Offices of Lawrence E. Feldman and Associates.

    Sony BMG litigation information


    What more does EFF want Sony BMG to do?

    EFF would like Sony BMG and all record labels to stop using DRM on
    their CDs and stop requiring their customers to agree to a EULA as a
    condition of playing CDs on their computers. See:
    The Customer is Always Wrong (/IP/DRM/guide/),
    DRM Skeptics View (/IP/DRM/20030401_drm_skeptics_view.php),
    and New York Times Op-Ed: Buy, Play, Trade, Repeat
    (http://www.nytimes.com/2005/12/06/opinion/06kulash.html).

    Barring that, we would like Sony BMG to ensure, before a CD is released to the public, that it contains no security vulnerabilities, can be fully uninstalled by end users, properly protects consumer privacy, including allowing consumers to opt out of any reporting back to the company done by the CD, and is provided on terms that are fair, reasonable and fully disclosed. To the extent that they fail to do so, they need to remove such products from the market immediately, engage in a robust notice campaign and compensate consumers who have purchased them, including those harmed by XCP and MediaMax software already.