Sony DRM Patch Creates Serious Security Hole
15th November, 2005
A patch for Sony's controversial digital rights management (DRM) software opens a serious security hole when installed on a Windows machine, according to security researchers from Princeton University. The revelation deepens a public relations nightmare for Sony, which has said it will stop selling music CDs that install the DRM monitoring program when the CD is played, and will replace disks that have already been sold.
"The consequences of the flaw are severe," Ed Felten and Alex Halderman write in their weblog. "It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get."
Security researcher Dan Kaminsky has surveyed Internet nameservers, and found that at least 568,000 DNS servers have received queries unique to the operation of the Sony DRM software, meaning at least that many computers (and probably more) have the problematic rootkit installed. A subset of those will also have the security hole installed by Sony's attempted fix.
The security hole, which was first noticed by Finnish researcher Muzzy, involves an ActiveX control called CodeSupport, which is marked as safe for scripting, allowing any web page to give it instructions. "One thing CodeSupport can be told to do is download and install code from an Internet site," the Princeton researchers note. "Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet (the DRM software maker). This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission."
Users who have installed the patch can uninstall the CodeSupport component, according to the Princeton team, which offers instructions for a command line uninstall of the ActiveX control. The security hole creates extra work for network administrators at corporations and universities. Damage may be mitigated by the fact that those who installed the patch were security-minded in the first place, and thus are likely to be aware of ongoing issues involving the Sony rootkit.
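For administrators checking machines for controls exposed the way CodeSupport is, the following added example (not from the Princeton researchers, Sony or First4Internet) lists ActiveX controls registered as safe for scripting and reports whether Internet Explorer's kill bit is set for each. It assumes the marking is made through the standard COM category in the registry, which the article does not specify; the function names and the name filter are hypothetical.

```powershell
# Added example: audit ActiveX controls registered as "safe for scripting".
# Covers only the registry category marking; a control can also declare
# itself safe at runtime through IObjectSafety, which this does not detect.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$KillBitFlag      = 0x400                                     # IE "kill bit"
$CompatRoot       = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([string]$Clsid)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CompatRoot\$Clsid")
    if ($null -eq $key) { return $false }
    try {
        $flags = [int]$key.GetValue('Compatibility Flags', 0)
        return (($flags -band $KillBitFlag) -ne 0)
    } finally { $key.Close() }
}

function Get-SafeForScriptingControl {
    param([string]$NameFilter = '*')
    $root = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('CLSID')
    try {
        foreach ($clsid in $root.GetSubKeyNames()) {
            try {
                $cat = $root.OpenSubKey("$clsid\Implemented Categories\$SafeForScripting")
                if ($null -eq $cat) { continue }
                $cat.Close()
                $cls  = $root.OpenSubKey($clsid)
                $name = [string]$cls.GetValue('')        # friendly name (default value)
                $cls.Close()
                if ($name -notlike $NameFilter) { continue }
                $srv  = $root.OpenSubKey("$clsid\InprocServer32")
                $path = ''
                if ($srv) { $path = [string]$srv.GetValue(''); $srv.Close() }
                [pscustomobject]@{
                    Clsid      = $clsid
                    Name       = $name
                    Binary     = $path
                    KillBitSet = Test-KillBit $clsid
                }
            } catch [System.Security.SecurityException] {
                continue   # key not readable by the current user; skip it
            }
        }
    } finally { $root.Close() }
}

# Assumption: the control's registered friendly name contains "CodeSupport".
Get-SafeForScriptingControl -NameFilter '*CodeSupport*' | Format-Table -AutoSize
```

On 64-bit Windows, run this from a 32-bit PowerShell session to see 32-bit controls, because the registry view is redirected per process bitness.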
Upcoming releases of Microsoft's spyware removal tools will uninstall the Sony copy-protection software, which disguises its actions and thus functions as a rootkit. It's not yet clear whether Microsoft will alter its deployment timeline to address the new security holes.