Sony's Vaio hit by security hole

Company warns that users must download a fix quickly, or risk finding that their data has been deleted
Written by Graeme Wearden, Contributor

Sony has warned that some models in its Vaio laptop and PC range have a security hole that would allow a malicious hacker to edit or delete data from the machine's hard drive over the Internet.

The company is urging users to download a patch from its Web site, and experts have warned that standard antivirus and security products will not offer protection. Vaios bought in Europe and America are not affected by the problem, said the company.

The vulnerability affects some models in the Vaio range that were purchased in Japan since May 2001. Vaios bought in East and South East Asia, Oceania, the United Arab Emirates, Saudi Arabia and South Africa since November 2001 may also be affected. Sony is contacting Japanese customers by email, but those in other affected countries must visit Sony's Web site and check the information for their country of purchase to see if their model is one of those at risk.

The security hole lies within software that comes pre-installed on the Vaio. According to Mark Read, professional services consultant at MIS Corporation Defense Solutions, it is very important that users download the patch. "Because this is a problem within Sony's own software, a standard antivirus or security package won't pick up when the Vaio is under attack," he explained.

Precise details about the security hole are few, but Sony believes there are three ways that a third party could get access to the Vaio. The hole could be exploited by malicious code that is included in the text of an email, in an email attachment, or embedded in a Web site.

In all cases, the attack would take place locally rather than across the Web. "The Internet method of infection sounds similar to a Trojan Horse," explained Read. "A hacker will write the code and insert it into the Web page -- and this will be downloaded onto the user's Vaio when they visit the page."

In a statement, Sony has announced that it is planning to strengthen product security by "working to integrate the process of software design with the system of checking software security." No further details of this plan have been disclosed, but Read believes it may involve giving Sony the ability to patch a customer's machine automatically.

"They're probably looking at a system where they can immediately contact a computer when there's a security problem and sort it out immediately, rather than relying on the owner to fix it," Read suggested. He warned, though, that such a system would have major privacy issues. "Any such system would have to include manual controls, otherwise a user wouldn't have any idea about what his machine was doing," he added.
