Sony Security Snafu Worsens

Software to yank an anti-piracy program from music fans' PCs creates a bigger breach.

California and the West

November 16, 2005|From Associated Press

The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs got worse Tuesday as researchers said Sony's suggested method for removing the program widened the security hole that the original software created.

Sony has moved to recall the discs in question. But consumers who have listened to them on their computers or tried to remove the software the CDs installed could still be vulnerable.


"This is a surprisingly bad design from a security standpoint," said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. "It endangers users in several ways."

The XCP copy-protection program was included on at least 20 Sony CDs, including releases by Van Zant, the Bad Plus, Neil Diamond and Celine Dion. Sony BMG said 4.7 million were shipped, with 2.1 million sold.

When the discs were put into a PC -- a necessary step for transferring music to iPods and other portable music players -- the CD automatically installed a program that restricted how many times the discs' tracks could be copied and made it inconvenient to transfer songs into the format used by iPods.

That anti-piracy software -- which works only on Windows PCs -- came with a cloaking feature that allowed it to hide files on users' computers. Security researchers classified the program as spyware, saying it secretly transmits details about what music the PC is playing. Manual attempts to remove the software can disable the PC's CD drive.

The program also gave virus writers an easy tool for hiding their malicious software. Last week "Trojan horse" programs emerged that took advantage of the cloaking feature to enter computers undetected, antivirus companies said.

Trojan horses are typically used to steal personal information, launch attacks on other computers and send spam.

Stung by the controversy, Sony BMG and the company that developed the anti-piracy software, First 4 Internet Ltd. of Oxfordshire, England, released a program that uninstalls XCP. But the uninstaller created a new set of problems.

To get the uninstaller program, users were asked to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, the program makes the computer open to downloading and installing code from the Internet.

Los Angeles Times Articles