Sony on Wednesday said it was investigating reports that some models of its Micro Vault fingerprint reader contained software drivers that installed on a PC a hidden folder that could be exploited by virus writers.
The disclosure was reminiscent of a more serious incident last year in which Sony distributed music CDs that unbeknownst to the customer installed copyright-protection software on a PC. The software included a cloaking mechanism that could be exploited by hackers.
In the latest incident, Sony said the controversial software shipped with three models of its Micro Vault USM-F line, and those versions have been recently discontinued. "No customers have reported problems to date," a Sony spokesman said. "We are still investigating this and are taking the issue very seriously."
Security firm F-Secure reported Monday that Sony's Micro Vault software installed a driver that creates a hidden folder using rootkit techniques. A rootkit is a general description of a program that conceals itself within an operating system in order to secretly run processes, files, or system data. The program is difficult to remove.
On Wednesday, F-Secure said that the Micro Vault application was not as serious as the previous CD software, but still presented a security risk since hackers could hide malware in the hidden folder. The folder is used to protect fingerprint authentication from tampering.
In general, the software is less onerous because it does not hide its folder deeply in the system, and probably wouldn't hide malware as effectively from anti-virus scanners, F-Secure said. In addition, the Micro Vault software does not hide processes or registry keys, and can be removed through a standard installation process.
But while Sony said it no longer offers the software with its fingerprint reader, F-Secure said the rootkit-carrying application was still available for download from Sony.net.
In a deal with U.S. regulators, Sony early this year agreed to pay consumers up to $150 for the cost of repairing computers damaged by CDs containing the digital rights management software. Sony BMG, the music division of the consumer electronics giant, shipped the software in 12 million CDs on 52 titles. The CDs started shipping in 2005, but the rootkit wasn't discovered until 2006.