Asian users hit by Vaio security glitch

The electronics company says 900,000 Vaio PCs, almost all shipped in Japan, are vulnerable to data security breaches--for which a software patch is available.
Written by Graeme Wearden, Contributor
LONDON--Sony has warned that some models in its Vaio laptop and PC range have a security hole that would allow a malicious hacker to edit or delete data from the machine's hard drive over the Internet.

The company is urging users with to download a patch from its Web site, and experts have warned that standard antivirus and security products will not offer protection.

Earlier, Reuters reported that 900,000 of Sony's Vaio personal computers, almost all shipped in the Japanese market, were vulnerable to data security breaches, although the problem could be fixed with a software patch.

Sony said 890,000 of the PCs were shipped domestically, while the rest went to the Middle East and Asia, excluding China, adding that it would cost the company about US$1.49 million (200 million yen) to solve the problem.

The electronics giant said the security problems could be prevented with a software patch available on CD-ROM or downloaded from the Internet in English and Japanese. A Sony representative said that the company will set up a call center to handle customer inquiries, notify customers via direct mail and provide CD-ROMs for those unable to download the software patch, Reuters said.

Vaios bought in Europe and America are not affected by the problem, the company said. According to a Singapore-based Sony Electronics spokesperson, about 1,500 units in Singapore, Malaysia and Hong Kong are affected.

The security hole lies within software that comes pre-installed on the Vaio. According to Mark Read, professional services consultant at MIS Corporation Defense Solutions, it is very important that users download the patch. "Because this is a problem within Sony's own software, a standard antivirus or security package won't pick up when the Vaio is under attack," he explained.

Precise details about the security hole are few, but Sony believes there are three ways that a third-party could get access to the Vaio. The hole could be exploited by malicious code that is included in the text of an email, in an email attachment, or embedded in a Web site.

In all cases, the attack would take place locally rather than across the Web. "The Internet method of infection sounds similar to a Trojan Horse," explained Read. "A hacker will write the code and insert it into the Web page -- and this will be downloaded onto the user's Vaio when they visit the page."

In a statement, Sony has announced that it is planning to strengthen product security by "working to integrate the process of software design with the system of checking software security." No further details of this plan have been disclosed, but Read believes it may involve giving Sony the ability to patch a customer's machine automatically.

"They're probably looking at a system where they can immediately contact a computer when there's a security problem and sort it out immediately, rather than relying on the owner to fix it," Read suggested. He warned, though, that such a system would have major privacy issues. "Any such system would have to include manual controls, otherwise a user wouldn't have any idea about what his machine was doing," he added.

Staff writer Graeme Wearden reported from London; John Lui contributed to this report.

Editorial standards