A patch posted by Sony BMG Music Entertainment last week to reveal the hidden files of its copy-protection scheme may make some computers crash, according to one of the researchers who first uncovered Sony's use of a rootkit, a hiding technique normally associated with hackers, on its music CDs.
"Sony's uncloaking patch puts users' systems at risk of a blue-screen crash and the associated chance of data loss," claimed Mark Russinovich, the chief software architect at Winternals Software, on his blog. "[This] type of cloaking prohibits safely unloading the driver while Windows is running."
The crash could happen as the patch is installed, said Russinovich.
The controversy over Sony's XCP (eXtended Copy Protection) technology, which is provided by U.K.-based First4Internet, began last week when Russinovich and the Finnish security firm F-Secure published the results of separate investigations. Both found that XCP relies on a rootkit -- a tool typically used only by hackers and spyware writers -- to hide its files, probably to make the copy protection harder to crack.
The presence of a rootkit, said Russinovich and F-Secure, risks opening the PC to attack: because the XCP driver hides any file, directory, process or registry key whose name begins with "$sys$", an attacker could conceal malicious software from the user and from security tools simply by giving its files such names before placing them on the machine.
A safer way to de-cloak the rootkit, so that it and the other XCP files become visible to security software such as anti-virus and anti-spyware programs, is to select "Run" from the Windows Start menu, enter "sc delete $sys$aries" (sc is the Windows Service Control command-line utility) and then reboot; the cloaking driver stays loaded until that reboot.
"This sequence deletes the driver from the Windows Registry so that even though its image is still present on disk, the I/O system will not load it during subsequent boots," said Russinovich.
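The following PowerShell script is an added example, not code from the article or from Russinovich, that wraps the "sc delete $sys$aries" procedure above with the checks a practitioner would want before and after: a test for whether "$sys$"-prefixed files are actually being hidden, a dump of the service's registered configuration, the deletion, and a re-query. It assumes the cloaking driver is registered under the service name `$sys$aries`, as the article states, and that the rootkit hides names beginning with `$sys$`; the marker file name and the helper function names are this example's own.

```powershell
# Added example (not from the original article): scripted version of
# "sc delete $sys$aries" with pre- and post-checks. Run from an elevated
# (Administrator) PowerShell, then reboot as the article instructs.
#
# Assumptions: the cloaking driver's service name is '$sys$aries' (per the
# article) and the driver hides any name beginning with '$sys$'.

# In PowerShell, 'sc' is an alias for Set-Content, so call the real tool,
# sc.exe, explicitly. Single quotes stop PowerShell from expanding $sys and
# $aries as variables.
$serviceName = '$sys$aries'

function Test-SysCloaking {
    # Returns $true if a freshly created '$sys$' file does not appear in a
    # directory listing, i.e. something is filtering directory enumeration.
    $dir  = $env:TEMP
    $name = '$sys$cloaktest.txt'   # hypothetical marker file name
    $path = Join-Path $dir $name
    Set-Content -LiteralPath $path -Value 'cloaking test' -ErrorAction Stop
    $listed = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -eq $name }
    # Remove the marker by its literal path (no enumeration needed).
    Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    return ($null -eq $listed)
}

function Get-ServiceConfig([string]$name) {
    # sc.exe qc prints the registered configuration (binary path, start type).
    # A non-zero exit code (1060) means the service is not registered.
    $out = & sc.exe qc $name 2>&1
    return [pscustomobject]@{
        Exists = ($LASTEXITCODE -eq 0)
        Output = ($out -join "`n")
    }
}

if (Test-SysCloaking) {
    Write-Host 'Files with a $sys$ prefix are being hidden: cloaking driver appears active.'
} else {
    Write-Host 'A $sys$-prefixed test file was listed normally: no cloaking observed.'
}

$before = Get-ServiceConfig $serviceName
if (-not $before.Exists) {
    Write-Host "Service $serviceName is not registered; nothing to delete."
    return
}
Write-Host "Registered configuration before removal:`n$($before.Output)"

# Remove the service entry from the registry. This does NOT unload the running
# driver (the article explains why that is unsafe); it only stops Windows
# from loading it at the next boot.
& sc.exe delete $serviceName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe delete failed with exit code $LASTEXITCODE (not elevated?)"
}

$after = Get-ServiceConfig $serviceName
if ($after.Exists) {
    Write-Host "Service entry still present (a loaded driver's entry can remain marked for deletion until reboot)."
} else {
    Write-Host 'Service entry removed.'
}
Write-Host 'Reboot now: the driver image stays on disk but will not be loaded.'
Write-Host 'Note: this disables only the cloaking driver, not the rest of XCP.'
```

Two points worth keeping in mind when running this: the cloaking test only tells you that directory enumeration is being filtered, not which driver is doing it, so the service query is the confirmation that `$sys$aries` is what is installed; and the script deliberately never tries to stop the driver, in line with the article's warning that unloading it while Windows is running is what risks the blue screen.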