MediaMax Permanently Installs and Runs Unwanted Software, Even If User Declines EULA

Discussion in 'All other topics' started by ireland, Dec 2, 2005.

  1. ireland

    SunnComm DRM more sinister than first thought
    Posted by Dan Bell on 03 December 2005 - 00:12 - Source: Freedom to tinker

    cdfree used our news submit to tell us "It is hard to believe that this activation of the previously loaded driver is just a bug in the software. It looks like Sony-BMG and SunnComm intended to have the malware driver activated in spite of the desires of the user."

    This is most interesting indeed. It seems that it's a very prudent move to have auto play disabled on your computer, especially if you purchase and play Sony music discs in your PC. According to Freedom to Tinker: "MediaMax phones home whenever you play a protected CD, automatically installs over 12 MB of software before even displaying an End User License Agreement, and fails to include an uninstaller."

    Designed to interfere with ripping and copying CDs, MediaMax, in some cases, installs drivers even if you decline the EULA! Due to a reaction to an earlier news article on another MediaMax digital rights management (DRM) story, the author was alerted to this behavior. He had not noticed it previously, due to his strictly controlled test environment and procedures.
    I’ve performed further tests and can now confirm that MediaMax is permanently activated in several common situations in spite of explicitly withheld consent.

    When this happens depends on what version of MediaMax is being used. An older version, called CD-3, was introduced in 2003 and is present on albums released as recently as this summer. There is also a newer version, MediaMax MM-5, which has been shipping for a little over a year. You can tell which version is on a CD by examining the files in the disc’s root directory. Albums protected by MediaMax CD-3 contain a file called LaunchCD.EXE while MM-5 albums include a file named PlayDisc.exe.

    When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature). This installer places the copy protection driver and other files on the hard disk, and then presents a license agreement, which you are asked to accept or decline. In the following scenarios the driver may become permanently activated even if you always decline the agreement:

    * You insert a CD-3 album, then later insert an MM-5 album
    * You insert an MM-5 album, then later insert a CD-3 album
    * You insert an MM-5 album, reboot, then later insert the same album or another MM-5 album

    These steps don’t have to take place all at once. They can happen over a period of weeks or months.

    What great work this person is doing! You can visit the Freedom to Tinker website if you would like to read the story in its entirety. In addition, there are links there to the person that discovered the behavior to begin with and you can read those comments as well.
    http://www.cdfreaks.com/news/12758


    MediaMax Permanently Installs and Runs Unwanted Software, Even If User Declines EULA
    Monday November 28, 2005 by J. Alex Halderman

    In an earlier post I described how MediaMax, a CD DRM system used by Sony-BMG and other record labels, behaves like spyware. (MediaMax is not the same as XCP, the technology that Sony-BMG has recalled; Sony-BMG is still shipping MediaMax discs.) MediaMax phones home whenever you play a protected CD, automatically installs over 12 MB of software before even displaying an End User License Agreement, and fails to include an uninstaller.

    Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs. I had believed that MediaMax didn’t permanently activate this driver—set it to run whenever the computer starts—unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse than I had thought.

    In the comments to our last MediaMax story, reader free980211 pointed out that the driver sometimes becomes permanently activated if the same protected CD is used more than once, even if the user never agrees to the EULA. This wasn’t apparent from my earlier tests because they were conducted under tightly controlled conditions, with each trial beginning from a fresh Windows installation and involving only carefully scripted operations. I’ve performed further tests and can now confirm that MediaMax is permanently activated in several common situations in spite of explicitly withheld consent.

    When this happens depends on what version of MediaMax is being used. An older version, called CD-3, was introduced in 2003 and is present on albums released as recently as this summer. There is also a newer version, MediaMax MM-5, which has been shipping for a little over a year. You can tell which version is on a CD by examining the files in the disc’s root directory. Albums protected by MediaMax CD-3 contain a file called LAUNCHCD.EXE, while MM-5 albums include a file named PlayDisc.exe.

    When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature). This installer places the copy protection driver and other files on the hard disk, and then presents a license agreement, which you are asked to accept or decline. In the following scenarios the driver may become permanently activated even if you always decline the agreement:

    * You insert a CD-3 album, then later insert an MM-5 album
    * You insert an MM-5 album, then later insert a CD-3 album
    * You insert an MM-5 album, reboot, then later insert the same album or another MM-5 album

    These steps don’t have to take place all at once. They can happen over a period of weeks or months.

    This is bad news for people who like to play CDs in their computers. Many users are unaware that their CDs contain MediaMax until the license agreement appears on their screens, but by this time it may be too late to stop the driver from being permanently activated. Even if users are careful to decline the EULA every time, the circumstances when the software becomes active anyway are common enough to be practically inevitable.

    This may be an annoyance to music fans—unless you disable the driver, you’ll have a hard time playing any MediaMax-protected titles, let alone copying them to your iPod—but it’s also a security risk, since the driver is loaded as part of the Windows kernel and has the ability to control virtually any aspect of the computer’s operation. We don’t know whether the MediaMax driver contains any vulnerability that can be exploited to do further damage, but the way it is installed creates a dangerous precedent.

    Is this behavior illegal? It should be. Installation of system level software where the user has explicitly denied permission raises serious security concerns and is wrong.

    http://www.freedom-to-tinker.com/?p=936
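
The quoted article says the MediaMax version can be read off the files in the disc's root directory. The sketch below is an added example, not code from the post or from the quoted articles; it performs that check without running anything from the disc. The function names, the constructed sample directories and the handling of an ISO 9660 `;1` version suffix are assumptions of this example; the two marker file names come from the article, which itself shows them in differing letter case.

```python
import os
import tempfile

# Marker files named in the article, keyed by lower-cased name.
MARKERS = {
    "launchcd.exe": "MediaMax CD-3",
    "playdisc.exe": "MediaMax MM-5",
}


def normalize(name):
    """Lower-case a directory entry and drop an ISO 9660 ';1' version suffix."""
    return name.split(";", 1)[0].lower()


def identify_mediamax(disc_root):
    """Return the sorted MediaMax versions whose marker file is in disc_root.

    Only the root directory is listed; nothing on the disc is executed.
    Raises OSError if the path cannot be read (for example, no disc inserted).
    """
    found = set()
    with os.scandir(disc_root) as entries:
        for entry in entries:
            if not entry.is_file():
                continue  # a folder that shares a marker's name is not a match
            version = MARKERS.get(normalize(entry.name))
            if version:
                found.add(version)
    return sorted(found)


def demo():
    """Run the check on constructed directories standing in for disc roots."""
    samples = {
        "cd3": ["LAUNCHCD.EXE;1", "README.TXT"],   # constructed sample
        "mm5": ["PlayDisc.exe", "readme.txt"],     # constructed sample
        "plain": ["Track01.cda"],                  # constructed sample
    }
    results = {}
    for label, names in samples.items():
        with tempfile.TemporaryDirectory() as root:
            for name in names:
                open(os.path.join(root, name), "w").close()
            results[label] = identify_mediamax(root)
    return results


if __name__ == "__main__":
    for label, versions in demo().items():
        print(label, versions or "no MediaMax marker found")
```

On a real machine, pass the drive or mount path of the inserted disc to `identify_mediamax`, with autorun disabled so the installer described in the article does not start first.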
     