Sony knew about rootkits 28 days before the story broke

BusinessWeek reports that Sony knew on Oct 4 that its DRM system was built on rootkits and exposed its customers to danger of opportunistic infections from other malicious programs. The story wasn't made public until Oct 31, and Sony didn't recall its infected CDs until 11 — five and a half weeks later. Many new infections occurred during the gap, while Sony sat mum. Sony claims that it had intended all along to go public with the news that it had endangered its customers' PCs, identities, and data, but not until it managed to produce a patch.

Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers. "We're very, very sorry for the disruption and inconvenience that this has caused to music consumers," says Thomas Hesse, president of Sony BMG's Global Digital Business.

(via /.)

Previous installments of the Sony Rootkit Roundup: Part I, Part II, Part III

(Cool Sony CD image courtesy of Collapsibletank)