Stop me if you've heard this one before. A record label uses DRM to sort of keep its customers from copying the music. It turns out that the software poses a threat to the user's PC. So the label issues a patch... which opens up another security hole. If you guessed that the label in question is Sony, you'd be correct. If you guessed that I'm recapping last month's rootkit debacle, you'd be wrong.

It's déjà vu all over again, as Yogi Berra once said. On Tuesday, Sony informed the world that its other DRM software contains a security vulnerability as well. SunnComm's MediaMax version 5 is the culprit: it installs a directory that could give malware writers a way to hijack PCs running Windows. The problem was discovered in late November by Information Security Partners, which shared it with the EFF and Sony.

Common sense would tell most people that if your DRM software a) is a security risk for your customers and b) doesn't really do anything to solve the problem you think you have, then your best course of action is to drop the whole subject. Unfortunately, common sense and Sony are only passing acquaintances. Sony and SunnComm released a patch to fix the vulnerability. If by "fix," Sony and SunnComm meant "make the problem worse," then their solution is a rousing success.

According to Princeton computer science professor Ed Felten, the patch is insecure.

It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch. The previously released MediaMax uninstaller is also insecure in the same way, allowing an adversary to booby-trap files so that hostile software is run automatically when you try to use the uninstaller.

This time, Sony turned to security professionals for help and was able to release an updated patch earlier today that supposedly fixes the problems with the previous version. If you own one of the 27 CDs that shipped with MediaMax 5.0 and want to get rid of the software altogether, SunnComm offers a web-based uninstall tool.
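The booby-trap Felten describes only works if a low-privilege user can write into the directory the patch and uninstaller later run code from, so the practical check on a Windows box is for directories under Program Files whose ACL grants write access to Everyone, Users or Authenticated Users. The PowerShell script below is an added example, not code from the article or from Sony or SunnComm; the starting path and the list of low-privilege principals are assumptions, and the article names no specific directory to look for.

```powershell
# Added example, not code from the article or from Sony/SunnComm: audit a
# directory tree for ACEs that let low-privilege principals write into it.
# The root path is an assumption; point it at the tree you want to inspect.

$root = 'C:\Program Files\Common Files'   # assumed starting point

# Principals that should never hold write rights under Program Files (assumed list).
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let an attacker drop, replace or delete a file that a privileged
# installer or uninstaller will later execute from this directory.
$writeLike = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$genericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, seen in some ACEs

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # Compare SIDs, not names, so localised or renamed groups are still caught.
    try {
        $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }
    if ($lowPrivSids -notcontains $sid) { return $false }
    $rights = [int]$Ace.FileSystemRights
    return ((($rights -band $writeLike) -ne 0) -or (($rights -band $genericWriteOrAll) -ne 0))
}

function Find-WeakDirectoryAcl {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if (Test-WeakAce $ace) {
                    [pscustomobject]@{
                        Directory = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

Find-WeakDirectoryAcl -Path $root | Format-Table -AutoSize
```

On a default Windows install Program Files grants ordinary users read and execute only, so the script should print nothing; every row it does print is a directory where an unprivileged process can stage a file for whatever privileged installer, patch or uninstaller runs from there next. A directory flagged with Inherited set to False got its weak ACE from the application's own installer rather than from the parent, which is the pattern to worry about.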

At this point, I don't know what I can say about the whole sorry mess that hasn't already been said, so I'll close with this: if Sony is trying to alienate its customers, expose itself to massive legal liability, and get the general public up in arms over DRM, it's doing a fine job. If the music label has some other goal in mind, it needs to change its tactics quickly.