Sony continues to distribute software containing a rootkit-like cloaking technology, which security firms say could be used by criminals to hide malware, from its Web site.
A Sony spokesperson yesterday claimed that users of its biometric MicroVault USB device are not at risk because the product has been discontinued. However ZDNet Australia discovered the products were being sold at a Sydney-based Sony Central retail outlet today for AU$35.
Staff at the store had not received any information from Sony about potential security issues associated with the product.
In addition, the offending software is still available on Sony's Web site and according to F-Secure tests, still cloaks itself in the Windows directory.The problem stems from a device driver required to activate the MicroVault USB device's biometric feature, which hides itself within a Windows directory, offering hackers a place to store malicious code on a PC and avoid detection by various security applications.
Patrik Runald, senior security specialist at F-Secure, criticised Sony's software for unnecessarily creating a security risk.
-If it just protected its own files this wouldn't be an issue. The problem is that it protects and hides a whole directory and all files in that directory -- including those not part of the original software package," said Runald.
Runald said that while he hadn't seen any threats being spread yet, it took just two weeks for malware to appear after the information on the Sony BMG rootkit was made available.
-We could definitely see the same thing happen here," said Runald.
Runald said malware could arrive by e-mail or Web browser and then use Sony's software to hide its files and avoid detection by antivirus products.
For owners of the USB stick, there is no way to work around the problem because in order to use all the device's features, the software must be installed.