The Unofficial Apple Weblog (TUAW)

AFAIK there is no security issue at all, nowhere in the whole rootkit install process is the security model of OS X circumvented.

First, you have to manually start the installer, after which you're asked for the admin password.

Reply

↓↑report

There is no compromise; the user will have had to authenticate with an administrator password to install the kernel extensions.

Nikon Capture does it, too, in addition to running an invisible background process without telling you. It is definitely malicious software, and Sony should be prosecuted for it, but there are no security implications.

Reply

↓↑report

From the sound of things, the OS X software on the Sony CDs does not have the "rootkit" software included. Since it is Suncomm DRM software, it is more likely a kernel extension that makes the CD Audio portion of the disc "disappear", so that you can't play or rip the disc. This would force you to use the DRM protected files on the data portion of the disc. However, you have the ability decline to install the software and then boom, no protection, iTunes and everything else sees the disc as normal.

Reply

↓↑report

the fact that you have to supply an admin password to install some mysterious software to listen to a cd tells me that everything is ok. As long as malware is like that (as opposed to clicking on a webpage, or opening a file, etc) i'm happy...

Reply

↓↑report

The fact that the user is prompted for the admin password is, of course, all nice and cozy. I still think that this is a risk for inexperienced users. You are often asked by, say, system update and various installers to supply your password and this makes non-power users prone to using it without too much thought.

Reply

↓↑report

Sony's Windows rootkit gives hackers a route into the mahcine to give it viruses whenever they fancy (if I understand it right).

I don't think Sony's OSX kernel extensions do the same thing. So I think we're good.

Reply

↓↑report

"I still think that this is a risk for inexperienced users."

Yes, but there's only so many ways an operating system can compensate for inexperienced users before it becomes tedious for experienced users to work. Safari's warning about executable files in compressed downloads, for instance, is a security measure that I don't need, since I'm highly aware of everything I download and the implications thereof. I'm glad it's there, but it annoys me.

Apple shouldn't go overboard. If they triple-checked each decision and did some sort of license agreement parsing and warning or something, it would just get more annoyingly "helpful." See Microsoft Clippy for an example of a nice idea in theory that simply doesn't work in practice.

I agree with the comments so far: it qualifies as no security risk on OS X's part, simply a huge deception on Sony's. The OS can try to protect the user from consequences of unintended actions, but at a certain point the OS has to just trust that the user knows what he or she is doing. I don't want to give up that freedom just because Sony is evil.

Reply

↓↑report

David - howdy!

You may want to have a look at http://www.freedom-to-tinker.com/, http://www.secureosx.com/sony/drm and http://www.stereophile.com/news/111405sonys/, among others, from where you can find links to other articles (I am not associated with any of them).

As far as I understand it, there is one DRM control for Mac OS that can be installed as part of the SunnComm package, but that requires you to authenticate the installation with a supervisor ID and password. Ahem, "music CD + request to authenticate as supervisor to install 'something'" = "Danger! Danger, Will Robinson!", at least to me.

There is obviously an economic rationale behind the decision to target Windows users for the DRM packages, given that operating system's installed base. We can expect an increased effort to impose DRM on Mac OS (and other OSes) as well, in an as deceitful way as has been the case with Windows, considering the sly attitude and approach the music industry has shown so far.

After falling asleep at the wheel while technology and society evolved past it, the music industry is now engaged in a desperate attempt to recover ground it has lost forever. If that means tampering with the innards of our computers, or lobbying to have our rights curtailed, so it shall be (just study Sony's reaction to the sorry mess it created). This fortuitous expos?f this industry's greed, cynicism and collective stupidity highlights the fact that Mac OS X users are - for the moment - able to exercise their rights more fully (or in a less unencumbered way) than Windows users. Note, though, that to fully exercise our rights means we must also be respectful of the rights of others, so illegal use of intellectual property must be prevented. (Why not educate people, instead? Education liberates, so that makes control more difficult...)

Mac OS X is safer, but poor systems administration, and - perish the thought - collusion between the IT industry and the music industry, could lead to a sorry state of affairs; if not collusion, then the inability to properly control and prevent this muck from being installed on our systems. Above all, the security and usability of our computing systems cannot be compromised because of the self-interest seeking with guile behavior of a clique. So, yes, tools to authenticate and lock down an installed image, and flag these tampering attempts should be made available to all and sundry (though this sound depressingly like spyware detection in the Windows world).

Hello, entrepreneurs out there?

P.S.: What I find amazing is the level of contempt with which Windows users are being treated by the music industry, which is only made worse by comments along the line that 'Mac/Linux users are not affected and should be able to play the CDs without problems' (notwithstanding the declining quality of audio due to copy-prevention techniques being used to modify the CD format, and that also applies to iTMS-purchased music).

Reply

↓↑report

OK, here's a few things to consider. First, no rootkit for MacOS X. It's the SunnComm crap. Second, there's no auto run for the Mac. The user has to follow the instructions on the CD for the software to get on his computer.

And they're misleading as all get-out. If you read the back of one of these, it'll make it sound like the CD won't work in a Mac without the special software, but that's a lie. These discs work PERFECTLY in iTunes. How do I know? I have a CD that relies on SunnComm's DRM software. Works PERFECTLY in my iBook. No software installation necessary.

The user has to install the software himself. SunnComm does everything it can to trick users into installing the software, but YOU DON'T HAVE TO.

According to SunnComm's site (http://tickets.sunncomm.com/selfhelp/addbook_readarticle.php?articleID=72&PHPSESSID=2f9ec8a2718b4ef62c52e476a7dc93b5):

"Please note that Apple's proprietary technology does not support secure music formats other than their own, and therefore the secure music file formats on this disc can�t be directly imported into iTunes or iPods."

Notice something here: "THE SECURE MUSIC...CAN'T BE DIRECTLY IMPORTED". What they're saying here is ONLY their DRM-encrusted Windows Media files won't work on a Mac.

They continue:

"While these discs aren�t currently compatible with iTunes or iPod, we are actively working on an acceptable solution, and have reached out to Apple in hopes of addressing this issue."

They try very hard here to make it seem as if the CD itself won't work absent the DRM software, but the exact opposite is true. Then they try to blame Apple!

It's a load of rubbish, and they hope you'll swallow it hook, line and sinker.

Reply

↓↑report

This is the reason why Virus checkers for Mac OS X are silly.

This could have very easily been a completely malicious virus/trojan/worm/rootkit. (If it came in an email as an attachment, sure you shouldn't type your password, let alone execute the file, but I bet you many, many people still would).

Did your virus checker catch it? Did anything catch it? Nope. When or if the first successful, crippling Mac virus makes the rounds, it will be the same way. Hell, virus checkers are suspect as a security practice even on Windows, let alone OS X.

Reply

↓↑report

The only security that works is the one that does not involve end-users participation. To normal people, computers work by magic, where you insert disks in slots and you answer prompts on the screen. They are conditioned to follow instructions, to blindly follow procedures because they are motivated by the results, they don't care about the process.

Obviously, I would know better than to run the crappy installer and give it my password. But most people would not. This is why phishing works so well. There is very little effective protection from that, except education. And education is the hardest thing to do.

On related note. Sony sucks. It's a good thing I stopped buying CD 10 years ago. Don't buy CDs. Boycot Sony. Sony sucks.

Reply

↓↑report

Doesn't the very word "rootkit" originate from the Unix world and doesn't it mean that it gives you ROOT level access?? Root level access is much more restrictive than administrator access and encompasses kernel extensions whereas administrative access does not.

Just entering your administrative password during an installation is not enough to allow the manipulation of kernel extensions in Mac OS X, or so I have been led to believe.

Can anyone resolve this apparant discrepancy?

Reply

↓↑report

I look forward to the day spyware and viruses start to appear on OS X. It will only lead to better security on this platform and it will flesh out the fluff in terms of AV/anti-Spyware software and result in us having provable software solutions.

But as to the Sony debacle, it should be noted again that the rootkit was Windows only. There is no Sony rootkit for the Mac.

Reply

↓↑report