After weeks of criticism, Sony BMG is withdrawing CDs containing clumsy digital rights management (DRM) technology from store shelves.

The company is also planning to offer customers a way to exchange CDs that contain the flawed copy-protection software.

"We share the concerns of consumers regarding discs with the XCP software, and we are instituting a program that will allow customers to exchange any CD with XCP software for the same CD without copy protection," Sony said in a statement released yesterday.

XCP, which stands for Extended Copy Protection, is Windows software designed to limit the number of copies a PC user can make of a CD, but it uses rootkit-style cloaking techniques to hide its own files and processes from the operating system. Critics had warned that these techniques could degrade a computer's performance and, because the cloak conceals anything that matches its hiding rule, could be borrowed by malicious software writers to hide their own code on a machine.
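The cloaking described above is what let Russinovich find XCP in the first place: a hidden file is still on disk, it is only missing from the view the hooked Windows API returns, so comparing a low-level listing against the API's listing exposes it (the cross-view approach used by RootkitRevealer). The Python below is an added illustration of that check, not code from the article or from Sony. It stands in for the hooked API with a plain filter, and assumes the hiding rule is a `$sys$` filename prefix, a documented detail of the real driver that this page does not state; the sample filenames are constructed.

```python
import os
import tempfile

# Assumed hiding rule: the real XCP driver concealed names beginning with this
# prefix. The article does not state the prefix; it is an assumption here.
CLOAK_PREFIX = "$sys$"


def raw_listing(path):
    """Low-level view: every name actually present in the directory."""
    return sorted(os.listdir(path))


def cloaked_listing(path):
    """Simulated high-level view, as returned by a directory-enumeration API
    whose results the cloaking driver has filtered. Anything matching the
    prefix disappears, whoever created it."""
    return sorted(n for n in os.listdir(path) if not n.startswith(CLOAK_PREFIX))


def find_hidden(path):
    """Cross-view detection: names on disk that the filtered view omits."""
    return sorted(set(raw_listing(path)) - set(cloaked_listing(path)))


def build_sample_dir():
    """Create a temporary directory with constructed sample files, two of
    which carry the cloaked prefix (one 'legitimate' DRM file, one attacker
    file that simply reuses the prefix to ride under the same cloak)."""
    d = tempfile.mkdtemp()
    for name in ("readme.txt", "$sys$sample.sys", "notes.doc", "$sys$trojan.exe"):
        with open(os.path.join(d, name), "w") as f:
            f.write("constructed sample content\n")
    return d


def demo():
    """Build the sample directory and return the names the cloak conceals."""
    d = build_sample_dir()
    visible = cloaked_listing(d)
    hidden = find_hidden(d)
    print("API view:  ", visible)
    print("On disk:   ", raw_listing(d))
    print("Concealed: ", hidden)
    return hidden


if __name__ == "__main__":
    demo()
```

On a real machine the two views would be the Windows file-enumeration API on one side and a raw read of the file system (or a boot from clean media) on the other; the filter function here only models the effect of the hook. The point the example makes is that the cloak is indiscriminate: `$sys$trojan.exe` is hidden just as thoroughly as the DRM's own file, which is exactly the abuse the next section reports.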

Cloaked hackers

Late last week, the first examples of malicious software that exploited the XCP cloaking mechanism appeared, prompting Sony to temporarily cease production of XCP-enabled CDs.

Sony originally chose to defend its use of XCP, minimizing the security and privacy risks associated with it, but its decision to withdraw the XCP-protected CDs from sale appeared to acknowledge the seriousness of the matter: "We deeply regret any inconvenience this may cause our customers," Sony said.

Still, Sony has some important questions to answer, according to the computer expert who first discovered the problems with XCP.

The biggest problem Sony now faces is helping customers who have installed the nearly undetectable software to remove it from their machines, said Mark Russinovich, chief software architect with Winternals Software. Users who want to take XCP off their computers had been forced to send an email to Sony and then download an ActiveX control that exposes them to further security risks, he said.

Sony on Tuesday promised to provide a "simplified and secure procedure" for uninstalling XCP. But the company provided no details on what this new procedure might be, or on how customers might exchange their XCP CDs. It also failed to address concerns about a second type of copy-protection software, called MediaMax, that ships with Sony CDs. Computer experts have said that this software suffers from many of the same problems as XCP.

Russinovich had some advice for Sony on how to simplify things. First off, the company should drop the dangerous ActiveX software, he said. Secondly, they should release a secure uninstaller that is easier to obtain: "They should just say, 'If you want the uninstaller, here it is: Click this link to execute it,'" he said. "I've seen no valid reason to have the uninstall process be what it is."

Security researcher Dan Kaminsky has estimated, by checking which DNS servers had resolved the address XCP reports back to, that the software is present on at least 500,000 networks.