More pain for Sony over CD code

Cyndi Lauper and Ray Charles are on the full list of XCP CDs

Hackers are exploiting flaws in the software Sony is using to remove its controversial copy protection system.

These are just proof of concept hacks, although security firms fear that users ridding themselves of Sony's CD software could soon face other dangers.

Other security researchers have released tools that close the loophole opened by Sony's uninstaller.

Sony's music arm has now published a list of all the CDs that use its much criticised anti-piracy system.

Criticism mounts

The websites set up to exploit the loophole opened by Sony BMG's uninstaller were discovered by security firm Websense.

It warned that anyone who has uninstalled Sony BMG's controversial XCP copy protection system and visits these sites could find their computer is attacked by malicious hackers.

So far the attacks seen on these websites have been fairly benign but Websense warned that "there is the potential for more nefarious actions to have been done".

Sony BMG has released the full list of XCP CDs

The loophole that Sony BMG's uninstaller opened was first noticed by security researchers Ed Felten and J Alex Halderman. The pair have also released tools that find and close the loophole.

Sony BMG's trouble over XCP began on 31 October when Windows programming expert Mark Russinovich noticed that a CD he had played on his PC used virus-like techniques to hide its anti-piracy system.

Since then Sony BMG has been subjected to a long series of criticisms over its anti-piracy system, the problems it can cause computer users and the onerous uninstallation process.

It also came under fire from Dutch electronics giant Philips which said the discs were not true compact discs because XCP was not in the standard that defines such things.

Most recently the US Computer Emergency Response Team issued advice about XCP.

"Do not install software from sources that you do not expect to contain software, such as an audio CD," it said.

Virus writers have even adapted XCP to stop their creations being found by security scanning software.

The row culminated with Sony BMG announcing that it would suspend production of CDs with the XCP system onboard.

It is also recalling all the remaining XCP CDs from shops and has started an exchange program for customers who want a disc free of the controversial code.

Sony has now published a full list of the 52 titles that use XCP. Previously it would only say that about 20 titles used it. It is also working on an improved uninstaller that does not leave PCs open to more attacks.

Although figures for how many people have installed XCP are hard to come by, respected net expert Dan Kaminsky has found evidence that the software is in use on more than 500,000 networks.

The CDs that used XCP were only sold in the US and Canada but were available on import in Europe.