Now it turns out that the uninstaller for the DRM includes a
signed ActiveX control that is exploitable.
So far only the RebootMachine command has been
demoed, ExecuteCode is still awaiting abuse.
So let's look at what Sony have done so far:
- Bought a rootkit to hide software on their customers' PCs.
- Included a music player that phones home whenever it is used,
and probably breaks the GPL by using the LAME MP3 decoder. Hey, GPL
violation, go for it :)
- Shipped the software on music CDs. Not programs, music
discs.
- Provided an uninstall mechanism that updates the application and
installs an AX control that lets scripted web pages 0wn the PC.
- Served up this AX control for all and sundry at
http://www.xcp-aurora.com/clients/SoftwareUpdate.cab.
ActiveX is the fundamental design flaw of IE, the core architectural
problem: there is no sandbox, just a signed assertion by the
developers that they aren't idiots. In this case that assertion is
clearly false, though I suspect the uninstaller was rushed out.
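The standard IE-side mitigation when a signed control turns out to be exploitable is the "kill bit": a registry flag that stops IE instantiating the control by CLSID, signature or not. This is an added example, not code from the original post; the CLSID is a placeholder, since the post does not give the control's real CLSID, and it must be run from an elevated PowerShell.

```powershell
# Added example: set and verify the IE kill bit for an ActiveX control.
# The CLSID below is a PLACEHOLDER; the real one for a given control is
# read from its registration under HKEY_CLASSES_ROOT\CLSID (or from the
# .inf inside the .cab that installs it).
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'

# COMPAT_KILL_BIT: with this flag set, IE refuses to load the control.
$KillBit = 0x400

function Get-CompatKey([string]$Clsid) {
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-ControlRegistered([string]$Clsid) {
    # True if any COM server with this CLSID is registered on the machine.
    Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
}

function Set-ActiveXKillBit([string]$Clsid) {
    $key = Get-CompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-ActiveXKillBit([string]$Clsid) {
    # True only if the key exists and the kill bit is set in it.
    $key = Get-CompatKey $Clsid
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and ((([int]$flags) -band $KillBit) -eq $KillBit)
}

# Usage with the placeholder CLSID: report registration, set, then verify.
"Registered : $(Test-ControlRegistered $PlaceholderClsid)"
Set-ActiveXKillBit $PlaceholderClsid
"Kill bit set: $(Test-ActiveXKillBit $PlaceholderClsid)"
```

On 64-bit Windows the 32-bit IE reads the same path under HKLM:\SOFTWARE\Wow6432Node, so set the bit there as well; the kill bit only blocks IE from loading the control, it does not remove the files the uninstaller left behind.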
I'm glad to see the MS anti-spyware tool is going to purge this
app, because you can't trust Sony to do it without introducing a
new security disaster.
Here is the ironic thing. By paying the premium for a Sony CD,
you actually get a worse user experience than buying the one or two
tracks you actually want on iTunes. Let's compare and contrast
those.
- Burning. iTunes: Apple get to restrict your burning rights and
streaming after purchase. Sony: no, 3 burns is all you ever get.
- Security. iTunes: no rootkit, no ActiveX control, works on
Windows Vista betas. Sony: rootkit as standard; uninstaller a
security nightmare of its own; toasts Windows Vista.
- Music quality. iTunes: OK. Sony CD: good if you rip it yourself
at 256kb/s MP3, bad if you let Sony do it.
- Interop. iTunes: none; works on PC, Mac and iPod. Sony CD: WMA;
works on PC, maybe Mac (?), and devices other than iPod. If you rip
the CD to MP3 you get proper interop.
You'd be mad to buy the CD. And if you do get it, you'd have to
hand rip it for security and interop reasons. Maybe in years to
come this whole debacle is going to be analysed in business studies
classes as a 'what not to do', something like "How Sony killed
their CD business and discredited DRM in the process". We shall
see. The one thing I do know is that I am going to have to check
any CD I buy (I know, how retro) very carefully.