[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Monday, 3 September 2007, 09:55 GMT 10:55 UK
Sony confirms security problem
Finger hovers over USB stick (F-secure)
The flaw affected three models of USB memory sticks
Electronics giant Sony has confirmed a recently discovered security flaw in some of its products that could leave PCs vulnerable to attack by hackers.

The firm said that the fault, which affected software packaged with memory sticks, was developed by a third-party.

Sony said it was conducting an internal investigation into the problem and would offer a fix "by mid-September".

The vulnerability, found by security firm F-secure, was similar to one found on CDs sold by Sony BMG in 2005.

That led to the discs being recalled and several lawsuits against the record label.

A Sony spokesperson said of the latest vulnerability: "While relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation. No customers have reported problems related to situation to date."

Surprise flaw

The flaw affects three models of Sony's MicroVault USB sticks with fingerprint readers.

CD being put into computer
Security flaws were also discovered on Sony BMG CDs in 2005

Although the spokesperson said that the models have now been discontinued, they are still available to purchase through several websites.

The flaw was in software that came bundled with the USB devices. The program used virus-like techniques to create a hidden directory on a computer's hard drive.

Researchers at F-secure said that a hacker could then infect a computer as any files stored on the hidden directory would be invisible to the user and also from some virus scanners and security software.

"The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives," said researchers at security firm McAfee, who also investigated the flaw.

"However, in this case the authors apparently did not keep the security implications in mind."

Researchers at both F-secure and McAfee expressed surprise at the flaw, as Sony has faced similar problems in the past.

In 2005, Sony BMG sold CDs bundled with XCP digital-rights management (DRM) software, installed as an anti-piracy measure. It also left machines open to exploit by malicious programmers and computer virus writers.

In addition, researchers found vulnerabilities in another program, known as MediaMax, used by the firm on other CDs. In all, millions of discs sold in North America were thought to have been sold that used the controversial programs.

Quick fix

However, security researchers said that latest flaw was not as serious.

"In a nutshell, the USB case is not as bad as the XCP DRM case," said a blog entry on the F-secure website.

As well as differences in how the software was installed and operated, the researchers said there was a legitimate case for having the software on the USB sticks

"Sony is attempting to protect the user's own data. In the DRM case, Sony was attempting to restrict you - the user - from accessing the music on the CD you bought.

"So their intent was more beneficial to the consumer in this case."

F-secure is assisting Sony with their investigation.

The Sony spokesperson said: "While the software at the issue was developed by a third-party vendor in conjunction with our outsourced device manufacturer, as a precaution and to alleviate any potential concerns, we will be issuing a downloadable software to address the situation by mid-September."

Sony faces renewed security woes
29 Aug 07 |  Technology
Sony BMG sues anti-piracy company
13 Jul 07 |  Business
Sony CD row compensation agreed
30 Jan 07 |  Technology
Free downloads end Sony CD saga
23 May 06 |  Technology
CD anti-piracy firm vows openness
06 Feb 06 |  Technology
Sony BMG repents over CD debacle
09 Dec 05 |  Technology
Anti-piracy CD problems vex Sony
08 Dec 05 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific