Posted by Brian Wong

Sony BMG Music Entertainment (Sony) has released a list of 52 CDs that contain the XCP digital rights management (DRM) software. The United States Computer Emergency Readiness Team (US-CERT), in its summary of the most frequent, high-impact security incidents currently being reported to it, notes “several vulnerabilities regarding the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed by some Sony BMG audio CDs.”

The vulnerabilities have two sources. The first is the XCP rootkit technology itself: US-CERT notes it is “aware of malware that is currently using this technique to hide.” The second is the First4Internet web-based XCP uninstaller, which installs an ActiveX control called CodeSupport that is incorrectly marked “safe for scripting.” A control marked safe for scripting can be instantiated and driven by any web page Internet Explorer loads, so whatever the control can do becomes reachable from arbitrary sites rather than only from the uninstaller page.

The web-based uninstaller has therefore likely introduced a vulnerability on machines beyond those affected by the XCP rootkit: the issue received enough press coverage that people who never had the rootkit installed nonetheless ran the web-based uninstaller. Sony, Microsoft and Symantec have yet to decide whether to issue updates to remove the vulnerability caused by the uninstaller. As we noted earlier, Sony has replaced the web-based XCP uninstaller with a downloadable file.

Ed Felten, a Professor of Computer Science and Public Affairs at Princeton University, has posted a link to a tool (Internet Explorer required) that should disable the CodeSupport ActiveX control if it is already on a Windows system and should prevent any future reinstallation or reactivation of CodeSupport. Felten has also posted a test for whether the CodeSupport component is installed on a PC, at the CodeSupport detector web page (Internet Explorer required).
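The two things Felten's tool is described as doing, disabling a control that is already present and keeping it from being reactivated if it is reinstalled, map onto one Windows mechanism: the Internet Explorer “kill bit” (a Compatibility Flags value under the ActiveX Compatibility key), which makes IE refuse to instantiate a control by CLSID. The PowerShell below is an added example, not Felten's tool and not First4Internet's code. The post names the control (CodeSupport) but not its CLSID, so the functions take a CLSID as a parameter and a helper locates candidates by display name; the category GUIDs and the kill-bit location are Microsoft's documented values, and the all-zero CLSID in the usage lines is a placeholder.

```powershell
# Added example, not part of the original post or of Felten's tool.
# Assumption: the CodeSupport CLSID is not given in the post; find it by name
# with Find-ActiveXByName, then pass it to the other two functions.

$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400   # Compatibility Flags bit IE honours as "do not load"

# Locate registered COM classes whose display name matches a pattern.
function Find-ActiveXByName {
    param([Parameter(Mandatory)][string]$Pattern)
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)' -match $Pattern
        } |
        ForEach-Object { $_.PSChildName }
}

# Report whether a control declares itself safe for scripting / initialization
# through component categories, and whether its kill bit is already set.
function Get-ActiveXSafety {
    param([Parameter(Mandatory)][string]$Clsid)
    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path $clsKey)) { return $null }   # control not registered
    $cats   = "$clsKey\Implemented Categories"
    $flags  = 0
    $compat = Get-ItemProperty -Path "$KillBitRoot\$Clsid" -ErrorAction SilentlyContinue
    if ($compat -and $null -ne $compat.'Compatibility Flags') {
        $flags = [int]$compat.'Compatibility Flags'
    }
    [pscustomobject]@{
        Clsid               = $Clsid
        Name                = (Get-ItemProperty -Path $clsKey).'(default)'
        SafeForScripting    = Test-Path "$cats\$CATID_SafeForScripting"
        SafeForInitializing = Test-Path "$cats\$CATID_SafeForInitializing"
        KillBitSet          = ($flags -band $KillBit) -ne 0
    }
}

# Set the kill bit. IE then refuses to load the control even if the
# uninstaller page reinstalls it later. Writes under HKLM, so run elevated.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$KillBitRoot\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags    = 0
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $existing) { $flags = [int]$existing }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
    Get-ActiveXSafety -Clsid $Clsid   # return the post-change state for the caller
}

# Usage (the CLSID below is a placeholder; use the one Find-ActiveXByName returns):
#   Find-ActiveXByName -Pattern 'CodeSupport' | ForEach-Object { Get-ActiveXSafety -Clsid $_ }
#   Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Two caveats when reading the output. A control can declare script safety either through the component-category subkeys checked here or at runtime by implementing IObjectSafety; a control of the second kind shows SafeForScripting as false here while IE still treats it as safe, so a false is not proof the control is unscriptable. On 64-bit Windows, 32-bit controls register under Wow6432Node, so both registry views need checking. The kill bit is honoured by Internet Explorer and hosts that use its checks, not by every COM client, which is why removing the control itself is still the right follow-up.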