The monthly update to the Windows Malicious Software Removal Tool adds detection and deletion for "F4IRootkit," Microsoft's name for the invisibility tool Sony BMG added to 52 of its music albums, and placed on more then 5 million CDs.
In early November, a security research disclosed that Sony BMG was using the rootkit -- usually deployed only by hackers and spyware makers -- to hide the XCP copy-protection software built by First4Internet. The rootkit, said the researcher, posed a substantial security risk, since attackers could use it to hide their malicious code from anti-virus and anti-spyware defenses.
Previously, Microsoft added detection for the rootkit to its Defender anti-spyware software, but the reach of Malicious Software Removal Tool is broader, since it's automatically downloaded by the Redmond, Wash.-based developer's update services.
Security bulletin MS05-054 also included a Sony BMG tidbit. That patch for Internet Explorer sets the "kill bit" for older editions of the ActiveX control left in place after First4Internet's original rootkit uninstaller was used. Setting the kill bit, said Microsoft, prevents the ActiveX control from running.
"Older versions of this control have been found to contain a security vulnerability," Microsoft said in the bulletin.
Microsoft has often recommended setting kill bits in the Windows Registry as a temporary solution to software vulnerabilities, but the practice has been denigrated by some experts as crude.