Two lawsuits were filed against Sony BMG today in connection with software that it included on music CDs, programs that reportedly installed an undisclosed "rootkit" on the hard drives of computers running Windows.
The software at issue in the cases is called First4Internet XCP and SunnComm MediaMax. One suit, filed by the Electronic Frontier Foundation, alleges that
the XCP and SunnComm technologies have been installed on the computers of millions of unsuspecting music customers when they used their CDs on machines running the Windows operating system. Researchers have shown that the XCP technology was designed to have many of the qualities of a "rootkit." It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users' machines. Sony BMG has still refused to use its marketing prowess to widely publicize its recall program to reach the over 2 million XCP-infected customers, has failed to compensate users whose computers were affected and has not eliminated the outrageous terms found in its End User Licensing Agreement (EULA).
In a separate legal action, the state of Texas also sued Sony over the same software today. Texas Attorney General Greg Abbott alleged that the XCP software "can leave computers vulnerable to viruses and other security problems."
Sony BMG agreed to recall the discs using the software last week, according to the Associated Press.