Sony BMG is offering to replace up to two million CDs containing its controversial XCP copy protection software, even as new concerns emerge.

The company is offering music lovers who bought CDs containing the technology free replacements, free MP3 versions of the tracks and an uninstaller to remove the troublesome software that even Microsoft has defined as a security risk.

The software, which installed itself in a hidden form on Windows systems, was designed to prevent music buyers burning more than three copies of their discs. However, the form of protection used could also be abused by malware authors to install potentially damaging software on host machines.

Hiatus hubbub grows

However, researchers now say that both the uninstall software Sony has made available for removing XCP (Extended Copy Protection) and a separate uninstaller for a Sony copy protection program called MediaMax contain critical security holes. Sony had already ceased distribution of the XCP uninstaller after its security problems were brought to light earlier this week.

On Thursday, however, Princeton University computer science student Alex Halderman claimed that SunnComm's MediaMax uninstaller also presented a risk. Sony uses MediaMax software to prevent unauthorised copying of some of its CDs, the company has said.

"It turns out that the Web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the Web-based uninstaller for Sony's other DRM, XCP," he wrote. Sony BMG stopped distributing its MediaMax uninstaller on Thursday.

Sony has been on the defensive for nearly three weeks now, ever since Windows expert Mark Russinovich revealed that XCP was using "rootkit" techniques, normally only used by hackers, to conceal itself on Windows systems.

Fury within Sony's walls

Releases from 52 artists have been affected by the debacle. Insider reports indicate fury within the company itself, with artists and label managers complaining that the company's policy actually affects the customers it needs most, the music fans prepared to buy CDs at retail.