Record label Sony BMG caused outrage in 2005 when digital rights management technology included on audio CDs installed so-called rootkit software on users' computers. That software changed the way users' operating systems played CDs and created a security vulnerability. The installation was hidden in a way that made its removal difficult for users.
Security companies F-Secure and McAfee now claim that software installed by a Sony memory stick and fingerprint reader called MicroVault causes similar problems, installing itself secretly at the heart of a computer's operating system and offering worms or viruses a potential hiding place from anti-virus software.
A blog by security company F-Secure broke the news of the vulnerability. It said: "The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under 'c:\windows\'. So…the directory and files inside it are not visible through Windows API."
"Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) – depending on the techniques employed by the antivirus software," said the blog. "There are also ways to run files from this directory. "It is therefore technically possible for malware to use the hidden directory as a hiding place."
Security experts say that hiding malicious files in such folders has become much more common since the publicity surrounding Sony's first rootkit problem, and that there are a number of worms or viruses in existence that exploit such flaws.
Security company McAfee confirmed F-Secure's claims. A McAfee spokesman told the Reuters news agency that it also believed the hidden folder could be used to mask malicious files and prevent their detection by anti-virus software.
Sony had no comment to make on the claims.