Sony BMG has said it will suspend production of audio 'CDs' that use XCP, the rootkit-style DRM developed by British company First4Internet Ltd. However the music giant refused to apologize for the software, which exposes PCs to malware and which can disable the PC's CD drive when users try to remove the software.

Sony also declined to follow EMI's example in September and recall CDs already in the retail channels.

Around 20 CDs use XCP, which has been on the market since April. (The EFF has a list, here (http://www.eff.org/deeplinks/archives/004144.php)).

But since a security website drew attention to implications of XCP last week, Sony has been deluged with complaints, prompting lawsuits in California and Italy.

"We are aware that a computer virus is circulating that may affect computers with XCP content protection software," Sony said in a statement. "Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use."

Sony may rue the wave of consumer outrage, and the subsequent lawsuits. But it may also note that the scandal took more than six months to surface.

And the music publisher isn't exactly rushing to make amends. Sony's unfortunately worded phrase "ease of consumer use" reminds us that while the stealth DRM software installs itself without permission (the click-through statement fails to inform of the user of its true nature), uninstalling it requires the CD buyer to request permission from Sony via a web form (http://cp.sonybmg.com/xcp/english/uninstall.html). So it's hard to take Sony BMG's assurances seriously.

You can read Sony's statement here (http://blog.sonymusic.com/sonybmg/archives/xcp.html). Symantec has posted an advisory and removal tool here (http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html). ®

Related stories

How fat is my DRM? (20 December 2006)
http://www.theregister.co.uk/2006/12/20/sony_rootkit_drm_settlement/
Researcher: Sony BMG rootkit still widespread (16 January 2006)
http://www.theregister.co.uk/2006/01/16/sony_bmg_rootkit_still_widespread/
Hackers download pirate movies onto compromised PCs (21 December 2005)
http://www.channelregister.co.uk/2005/12/21/bittorrent_botnet_attack/
Sony BMG 'diligently re-evaluates' CD anti-piracy tech (12 December 2005)
http://www.theregister.co.uk/2005/12/12/sony_anti-piracy_review/
Intel readies rootkit- rooting hardware (9 December 2005)
http://www.theregister.co.uk/2005/12/09/intel_anti-rootkit_chip/
SonyBMG backtracks on buggy bug fix (9 December 2005)
http://www.theregister.co.uk/2005/12/09/sony_mediamax_problems/
Sony opens up over another CD security hole (7 December 2005)
http://www.theregister.co.uk/2005/12/07/sony_cd_security/
Sony's DRM woes worsen (30 November 2005)
http://www.theregister.co.uk/2005/11/30/sony_drm_spitzer/
Sony fiasco: More questions than answers (23 November 2005)
http://www.theregister.co.uk/2005/11/23/sony_drm_questions/
Sony unsinged by rootkit CD fiasco (22 November 2005)
http://www.theregister.co.uk/2005/11/22/analysis/
Texas puts Sony BMG in its sights (22 November 2005)
http://www.theregister.co.uk/2005/11/22/texas_sues_sony_bmg/
Gaffer tape defeats Sony DRM rootkit (21 November 2005)
http://www.theregister.co.uk/2005/11/21/gaffer_tape_trips_up_sony_drm/
Sony's CD rootkit infringes DVD Jon's copyright (18 November 2005)
http://www.theregister.co.uk/2005/11/18/sony_copyright_infringement/
Sony DRM uninstaller 'worse than rootkit' (17 November 2005)
http://www.theregister.co.uk/2005/11/17/sony_drm_uninstaller_peril/
Sony pulls rootkit DRM CDs (16 November 2005)
http://www.theregister.co.uk/2005/11/16/sony_withdraws_xcp_cds/
Sony rootkit DRM: how many infected titles? (15 November 2005)
http://www.theregister.co.uk/2005/11/15/sony_bmg_bodycount/
Mac anti-rip code surfaces on Sony BMG CD (11 November 2005)
http://www.theregister.co.uk/2005/11/11/sony_bmg_mac_drm/
Sophos develops Sony DRM unmasking tool (10 November 2005)
http://www.theregister.co.uk/2005/11/10/sony_drm_unmasked/
Sony hit by lawsuits over root kit (10 November 2005)
http://www.theregister.co.uk/2005/11/10/sony_sued_for_rootkit/
First Trojan using Sony DRM spotted (10 November 2005)
http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/
Sony digital boss - rootkit ignorance is bliss (9 November 2005)
http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/
Hidden DRM code's legitimacy questioned (3 November 2005)
http://www.theregister.co.uk/2005/11/03/secfocus_drm/
Sony to offer patch for 'rootkit' DRM (3 November 2005)
http://www.theregister.co.uk/2005/11/03/sony_rootkit_drm/
Removing Sony's CD 'rootkit' kills Windows (1 November 2005)
http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/
EMI recalls DRM-encumbered CD (29 September 2005)
http://www.theregister.co.uk/2005/09/29/emi_recalls_drm_cd/