Music CDs Install Security Threat, Spyware
Friday, December 2nd, 2005
Sony BMG Music Entertainment has released a list of 52 “enhanced content” CDs issued since April of 2005 that contain controversial content/copy-protection software. The software actively hides from customers, is not uninstallable, and sends information to Sony servers without disclosure or consent.
When one of these CDs is inserted in a computer running the Windows operating system, an installer automatically invites the user to install a player to “enhance” their listening experience.
However, when installed on your computer, the software (known as a “rootkit”) opens a large security hole in your system by making its files invisible to you—the user—and to anti-virus and anti-spyware software. As of this date, three trojans take advantage of this hole and are rapidly spreading to compromised machines. Like the rootkit, these trojans are invisible to current anti-virus and anti-spyware software.
In addition to the rootkit, the software “phones home” to Sony servers whenever it is used, apparently to look for updated album art and lyrics. This behavior is never mentioned in the end user license agreement and could be used to monitor the music you listen to.
At this time there is no easy way for a user to confirm the presence of the rootkit, and Sony has yet to provide an uninstaller for their software. The rootkit may be removed manually, but any misstep may result in the disabling of your CD drive or a “blue screen of death.” [Update: Sony has made an uninstaller available here.]
OfficeMedic recommends that customers call 951-242-3798 to schedule an 8-point security sweep of their systems. In addition, customers should take these steps now:
- Find and identify all Sony BMG CDs using XCP content protection. Sony will exchange these CDs for media without the rootkit software. [Update (5/22/2006): Sony will also offer other incentives under a settlement approved today.]
- When inserting an audio CD into your computer, hold down the Shift key to disable the auto-run feature—and any installer software.
- Businesses should update company policies to prohibit the use of an employee’s CD in company computers.
“It’s very important to remember that it’s your intellectual property – it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”
— Stewart Baker, Department of Homeland Security, Assistant Secretary for Policy, on Sony’s content-protection software.