Sony BMG Music Entertainment’s decision to include covert and potentially dangerous software on millions of its compact discs taught us two painfully important lessons: that people have placed too much faith in the safety of commercially distributed software and that the tools for protecting computers from malicious “rootkit” applications have been inadequate.

As the music and movie industries continue to put legal pressure on file-trading networks such as Kazaa and individual violaters, Sony BMG Music Entertainment made the decision to try to thwart file-sharing at the head of the problem: on the CD. To do that, the company included a software program called the Extended Copy Protection (XCP), a digital rights management (DRM) application developed by First4Internet. Among other problems, it caused a security hole to open that enabled other virus writers to covertly install malicious applications. Unlike a virus that propagates exponentially from system to system, and quickly draws attention, such “rootkit” applications often fly under the radar.

Making matters worse, consumers are understandably much less wary of commercial software than files they download or that are included as e-mail attachments. So it’s not surprising that the discovery of Sony’s placement of software containing a security vulnerability was inadvertent.

Windows expert Mark Russinovich was one of millions of music fans who purchased a CD from a SonyBMG artist and listened to it on his computer – never imagining he was opening up a gaping security hole on his PC. It was only months after Russinovich first listened to a Van Zant brothers CD that he realized the CD had damaged his computer.

“The problem is that software coming from an established company like Sony will always be trusted by the consumer,” says Russinovich, “even if they had software that popped up a warning that a driver was being installed, most [people] would likely allow it.”

Russinovich posted his discovery of the unwanted “rootkit” software on his blog, along with the explanation of how it outsmarted the existing antivirus and spyware software. Since then, Russinovich has completed a free utility that identifies rootkits. But he acknowledges on his website that there will never be a universal rootkit scanner.

Even computer security companies have been naïve, though, in not closely scrutinizing commercial software for code that opens security holes. “We had not looked at this particular technology before,” says Vincent Weafer, senior director of Symantec Security Response. The XCP software is not a virus itself, he says, but rather opens security holes that can be exploited.

“[There is a] difference between malicious code, as opposed to technology that can be used for malicious purposes,” Weafer says. But hackers were quick to jump on the security risk. Weafer says a virus that exploits the XCP vulnerability called “Backdoor.Ryknos” was identified by Symantec on November 10, and the company posted a removal tool.

And within two weeks, Symantec will be updating its antivirus products to identify rootkits.

However, the cat-and-mouse game played by security companies and virus writers had a twist this time: antivirus companies were slow to create utilities to remove the Sony software – out of fear of violating the Digital Millennium Copyright Act, according to security expert Dan Kaminsky. He says creating new software to remove DRM software is a violation of the DMCA, forcing antivirus companies to create patches that eliminate the software’s dangerous behavior, but do not remove it.

Now government officials and watchdog groups are joining forces with consumers in legal actions against Sony. And potential judgments against the company could send a strong message to commercial software companies and the music industry: they are accountable for actions that violate personal privacy and damage property.

“Consumers have the right to expect to listen to music without companies spying on them,” says Kurt Opsahl, staff attorney for the Electronic Frontier Foundation (EFF). At least six lawsuits have been filed over the spread of the XCP vulnerability, he says. The Attorney General in the state of Texas filed a complaint, claiming Sony violated the state’s anti-spyware laws, and requested $100,000 in damages per violation. And civil complaints against Sony have been filed in California, New York, and the District of Columbia.

The EFF’s class action suit, filed on November 21, asks Sony to launch a campaign to alert consumers that they may have installed software containing security vulnerabilities, according to Opsahl. Sony should also be required to stop distributing the MediaMax software, he says, that reports information about CDs being played on computers to SunnComm, the company that developed the software. Opsahl says even if consumers decline the end-user licensing agreement when the CDs is placed in their computers, MediaMax will be installed; the complaint also takes Sony to task for not including a utility for uninstalling MediaMax.

For its part, Sony has been slow in reacting. In response to mounting negative publicity, Sony has offered to exchange CDs with the XCP software for “clean” versions. The company also posted a utility for uninstalling the software – but it included more vulnerabilities, and therefore was quickly removed from Sony’s website.

Currently, the company’s website offers a program that removes the rootkit vulnerability, but does not eradicate the software that sends user data to Sony’s servers. According to a message posted there on November 15, the company is still developing an uninstall utility. Sony has also recalled the CDs from its retail music partner stores. The company did not return phone calls for this article.

According to Harvard law student Ben Edelma, Sony could automatically alert consumers who listened to the CDs while online. “When a CD’s player checks in with Sony’s Web servers, the Web servers have an opportunity to send the player a banner message for display within the player program,” Edelman explained in an e-mail. “In this way, Sony could easily send users more information about the software they have (unwittingly) installed on their PCs. But so far Sony has refused to send such messages.”

Dissatisfaction over Sony’s response has prompted several efforts to boycott the companies products, as well as a stern warning to the music industry from Stewart Baker, assistant secretary for policy at the Department of Homeland Security, about being too aggressive in pursuing piracy.

Since the rootkit was discovered, however, “there hasn’t been a noticeable impact on sales from [Sony],” according to Geoff Mayfield, senior analyst at music sales tracking firm Billboard. “I didn’t see anything out of the ordinary in terms of an album’s regular selling pattern.”