"It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," said Spitzer in a statement.
Spitzer's office sent investigators disguised as shoppers to several large music chains, including Virgin Megastore, FYE, Best Buy, Circuit City, Sam Goody, and Wal-Mart; the investigators were able to purchased copy-protected CDs at all the stores they visited.
They were also promised prompt delivery of copy-protected CDs when they shopped online at the Web sites of Circuit City, Best Buy, Sam Goody, FYE, and Wal-Mart. They were, however, unable to buy the titles at the sites of J & R Music World or Tower Records.
Mid-month, Sony BMG announced it was pulling all copies of the 52 audio CDs which installed a rootkit, code usually used only by hackers and spyware distributors to cloak their malicious software from anti-virus programs. Sony said it instructed retailers to yank the discs from shelves; consumers who had already purchased copy-protected CDs were urged to exchange them for unprotected discs.
"I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony," said Spitzer.
His office declined to comment on future plans involving Sony BMG and the copy-protected CDs.
Spitzer's attention is only the latest bad news in a month-long string of public relations disasters for Sony after a researcher said millions of its CDs secretly install a rootkit to users' PCs.
On Nov. 21, Texas Attorney General Greg Abbott filed a lawsuit against Sony BMG that alleged the company broke the state's new anti-spyware law. Abbott is asking for civil penalties of $100,000 for each violation.
"Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” said Abbott in a statement issued when the lawsuit was filed.