This week in security

Sony BMG Music Entertainment got some static over a potential security problem in some copy-protected CDs.

Steven Musil Night Editor / News

Security experts said that anticopying technology used by Sony BMG could be adapted by virus writers to hide malicious software on the hard drives of computers that have played one of the CDs. The antipiracy tool is included on many of Sony BMG's latest music releases, from Van Zant to My Morning Jacket.

Sony BMG's technology partner First 4 Internet said it has released a patch to antivirus companies that will eliminate the copy-protection software's ability to hide. Consequently, it also will prevent virus writers from cloaking their work using the copy-protection tools.

In another contentious case, Cisco Systems has patched a flaw in the software used to run its routers and switches, a new twist in the company's dispute with a security researcher that has roiled the security community.

The networking giant released an update to fix a so-called heap-overflow vulnerability in its Internetwork Operating System, or IOS. This type of security flaw is commonly found in software and often allows a remote attacker to gain control of the affected system. In this case, that would mean control over a Cisco router or switch, which make up the infrastructure of many computer networks, including the Internet.

The newly disclosed flaw in IOS was part of a controversial presentation at the Black Hat security confab in July, but Cisco has been able to keep it under wraps until now. At Black Hat, security researcher Michael Lynn demonstrated how he could gain control over a router by exploiting security flaws.

In the meantime, two Microsoft security updates for Internet Explorer can break the functionality of Web sites that use certain custom applications. The problems occur after installing the patches Microsoft delivered with security bulletins MS05-038 and MS05-052, Microsoft said.

Both patches can cause problems with ActiveX controls, small programs designed to perform simple tasks that can make a Web site more interactive. The MS05-038 patch can also hinder Java applications. After the patches are installed, applications that are programmed in specific ways will no longer work in Internet Explorer, Microsoft said.

The issue of broken Web sites is the latest problem with Microsoft patches. One recent fix wreaked havoc on systems of users who had changed certain settings on their PCs to be more secure, while Windows 2000 users had trouble finding the right patch for another security problem.