Sony confirms security problem

The flaw affected three models of USB memory sticks

Electronics giant Sony has confirmed a recently discovered security flaw in some of its products that could leave PCs vulnerable to attack by hackers.

The firm said that the fault, which affected software packaged with memory sticks, was developed by a third-party.

Sony said it was conducting an internal investigation into the problem and would offer a fix "by mid-September".

The vulnerability, found by security firm F-secure, was similar to one found on CDs sold by Sony BMG in 2005.

That led to the discs being recalled and several lawsuits against the record label.

A Sony spokesperson said of the latest vulnerability: "While relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation. No customers have reported problems related to situation to date."

Surprise flaw

The flaw affects three models of Sony's MicroVault USB sticks with fingerprint readers.

Security flaws were also discovered on Sony BMG CDs in 2005

Although the spokesperson said that the models have now been discontinued, they are still available to purchase through several websites.

The flaw was in software that came bundled with the USB devices. The program used virus-like techniques to create a hidden directory on a computer's hard drive.

Researchers at F-secure said that a hacker could then infect a computer as any files stored on the hidden directory would be invisible to the user and also from some virus scanners and security software.

"The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives," said researchers at security firm McAfee, who also investigated the flaw.

"However, in this case the authors apparently did not keep the security implications in mind."

Researchers at both F-secure and McAfee expressed surprise at the flaw, as Sony has faced similar problems in the past.

In 2005, Sony BMG sold CDs bundled with XCP digital-rights management (DRM) software, installed as an anti-piracy measure. It also left machines open to exploit by malicious programmers and computer virus writers.

In addition, researchers found vulnerabilities in another program, known as MediaMax, used by the firm on other CDs. In all, millions of discs sold in North America were thought to have been sold that used the controversial programs.

Quick fix

However, security researchers said that latest flaw was not as serious.

"In a nutshell, the USB case is not as bad as the XCP DRM case," said a blog entry on the F-secure website.

As well as differences in how the software was installed and operated, the researchers said there was a legitimate case for having the software on the USB sticks

"Sony is attempting to protect the user's own data. In the DRM case, Sony was attempting to restrict you - the user - from accessing the music on the CD you bought.

"So their intent was more beneficial to the consumer in this case."

F-secure is assisting Sony with their investigation.

The Sony spokesperson said: "While the software at the issue was developed by a third-party vendor in conjunction with our outsourced device manufacturer, as a precaution and to alleviate any potential concerns, we will be issuing a downloadable software to address the situation by mid-September."