[ISN] Sony confirms security problem

From: InfoSec News (alerts@private)
Date: Tue Sep 04 2007 - 03:00:26 PDT


http://news.bbc.co.uk/2/hi/technology/6975838.stm

BBC News
3 September 2007

Electronics giant Sony has confirmed a recently discovered security flaw 
in some of its products that could leave PCs vulnerable to attack by 
hackers.

The firm said that the fault, which affected software packaged with 
memory sticks, was developed by a third-party.

Sony said it was conducting an internal investigation into the problem 
and would offer a fix "by mid-September".

The vulnerability, found by security firm F-secure, was similar to one 
found on CDs sold by Sony BMG in 2005.

That led to the discs being recalled and several lawsuits against the 
record label.

A Sony spokesperson said of the latest vulnerability: "While relatively 
small numbers of these models were sold, we are taking the matter 
seriously and conducting an internal investigation. No customers have 
reported problems related to situation to date."


Surprise flaw

The flaw affects three models of Sony's MicroVault USB sticks with 
fingerprint readers.

Although the spokesperson said that the models have now been 
discontinued, they are still available to purchase through several 
websites.

The flaw was in software that came bundled with the USB devices. The 
program used virus-like techniques to create a hidden directory on a 
computer's hard drive.

Researchers at F-secure said that a hacker could then infect a computer 
as any files stored on the hidden directory would be invisible to the 
user and also from some virus scanners and security software.

"The apparent intent was to cloak sensitive files related to the 
fingerprint verification feature included on the USB drives," said 
researchers at security firm McAfee, who also investigated the flaw.

"However, in this case the authors apparently did not keep the security 
implications in mind."

Researchers at both F-secure and McAfee expressed surprise at the flaw, 
as Sony has faced similar problems in the past.

In 2005, Sony BMG sold CDs bundled with XCP digital-rights management 
(DRM) software, installed as an anti-piracy measure. It also left 
machines open to exploit by malicious programmers and computer virus 
writers.

In addition, researchers found vulnerabilities in another program, known 
as MediaMax, used by the firm on other CDs. In all, millions of discs 
sold in North America were thought to have been sold that used the 
controversial programs.


Quick fix

However, security researchers said that latest flaw was not as serious.

"In a nutshell, the USB case is not as bad as the XCP DRM case," said a 
blog entry on the F-secure website.

As well as differences in how the software was installed and operated, 
the researchers said there was a legitimate case for having the software 
on the USB sticks

"Sony is attempting to protect the user's own data. In the DRM case, 
Sony was attempting to restrict you - the user - from accessing the 
music on the CD you bought.

"So their intent was more beneficial to the consumer in this case."

F-secure is assisting Sony with their investigation.

The Sony spokesperson said: "While the software at the issue was 
developed by a third-party vendor in conjunction with our outsourced 
device manufacturer, as a precaution and to alleviate any potential 
concerns, we will be issuing a downloadable software to address the 
situation by mid-September."


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Tue Sep 04 2007 - 03:14:54 PDT