Sony reported that over the past eight months it shipped more than 4.7 million CDs with the so-called XCP copy protection. More than 2.1 million of those discs have been sold.
"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets," Sony said in a statement. "We deeply regret any inconvenience this may cause our customers."
Sony's copy-protection software was created by the British company First 4 Internet. The software is installed on the computer's hard drive when one of the affected Sony compact discs is inserted into a Windows PC's CD drive and the listener accepts the license agreement.
The software then hides itself using a "rootkit," a technique that hooks low-level operating-system functions so that files, processes, and registry keys of its choosing are left out of what Windows reports to other programs. XCP's rootkit cloaked anything whose name began with "$sys$," which also meant that unrelated malware could hide itself simply by adopting that prefix. Without specialized tools, all but the most technically savvy users are unable to detect its presence.
Sony has worked with antivirus companies so that their products can see through the cloaking, and has posted a patch on its Web site that uncloaks the hidden software (it makes the files visible; it does not remove the copy-protection itself). It also said it would temporarily stop manufacturing discs using the First 4 Internet tools.
However, two Princeton researchers, Ed Felten and J. Alex Halderman, found a security flaw in the Web-based uninstaller Sony provided for removing its controversial DRM.
According to the researchers' report, when a user fills out the Web-based form to request the uninstaller, an ActiveX control called CodeSupport is installed on the computer and registered as "safe for scripting." After the user leaves Sony's site, the control stays installed and keeps that marking, so any web page can script it.
The consequence of this mistake by First 4 Internet and Sony is potentially severe. Any web site the user later visits in Internet Explorer can instantiate CodeSupport and call its methods, which include downloading and running code. Because the control does not verify that the code it is asked to run actually comes from Sony, anyone who can get a victim to load a web page can execute arbitrary code on an affected system.
Sony later replaced the Web-based uninstaller with one that downloads a stand-alone program carrying its own instructions, rather than a control that accepts instructions from Web sites. The researchers said the new program appeared to be safe.
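To turn the researchers' finding into a check an administrator can run, here is an added example (not from the article, and not Sony's or First 4 Internet's code) in PowerShell. It lists every ActiveX control registered "safe for scripting" on a Windows machine, which is exactly the property that let any site drive CodeSupport, and it can set the Internet Explorer kill bit on a control you decide not to trust. The two component-category GUIDs and the 0x400 kill-bit flag are Microsoft's documented values; the heuristic of highlighting controls whose code lives outside the Windows directory is this example's own assumption, and CodeSupport's CLSID is deliberately not hard-coded.

```powershell
# Added example, not from the article or from Sony/First 4 Internet.
# Audits ActiveX controls that any web page in Internet Explorer may script,
# and offers the kill-bit mitigation. Run from an elevated PowerShell prompt.

# Microsoft's component-category GUIDs for "Safe for Scripting" and
# "Safe for Initializing", and the documented kill-bit flag (0x400).
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit             = 0x400
$CompatRoot          = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptableActiveX {
    # Enumerate every CLSID that claims the safe-for-scripting category and
    # report where its code lives, so an unexpected control stands out.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $clsid = $_.PSChildName
        $base  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path "$base\Implemented Categories\$SafeForScripting") {
            $name   = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
            $server = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $killed = $false
            if (Test-Path "$CompatRoot\$clsid") {
                $flags  = (Get-ItemProperty -Path "$CompatRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
                $killed = ([int]$flags -band $KillBit) -ne 0
            }
            [pscustomobject]@{
                CLSID       = $clsid
                Name        = $name
                Server      = $server
                SafeForInit = Test-Path "$base\Implemented Categories\$SafeForInitializing"
                KillBitSet  = $killed
            }
        }
      }
}

function Set-ActiveXKillBit {
    # Mitigation: set the IE kill bit so the control cannot be instantiated
    # from a web page, without uninstalling it. Requires administrator rights.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatRoot\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
}

# Usage: show scriptable controls whose code lives outside the Windows directory
# (this example's heuristic; a vendor-installed helper like CodeSupport would
# typically show up here) and that are not already kill-bitted.
Get-ScriptableActiveX |
  Where-Object { $_.Server -and $_.Server -notlike "$env:SystemRoot*" -and -not $_.KillBitSet } |
  Format-Table CLSID, Name, Server, SafeForInit -AutoSize

# For a control you do not trust, block it from web pages:
#   Set-ActiveXKillBit -Clsid '{CLSID-of-the-control}'
```

Two caveats when reading the output: on 64-bit Windows, 32-bit controls register under the Wow6432Node branches of both CLSID and ActiveX Compatibility, so a complete audit walks those as well; and "safe for scripting" is self-declared by the control's author, which is the whole problem the researchers described, so a control's presence in this list says nothing about whether it actually validates the work it is asked to do.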