Sony BMG has admitted to a new security problem affecting nearly six million of its CDs, after the detection of vulnerability with the MediaMax patch it supplied on 6 December.

According to watchdog group the Electronic Frontier Foundation (EFF) the most recent CD software "could allow malicious third parties … to gain control over a consumer's computer running the Windows operating system".

The EFF hired security firm Information Security Partners to analyse MediaMax. The company found a new vulnerability with the software that could allow unauthorised users to take full control of the computer's operations.

Sony BMG issued a patch but this was also flawed and could actually cause the security problem it was supposed to block.

Sony BMG stated that it is working on the problem and will release a modified patch if necessary. The problem only applies to CDs issued in the US and Canada.

The problems began last month when Sony BMG began shipping many of its music discs with a program called XCP.

The program had no effect on standard CD players, but installed itself on computers running Windows when a CD owner tries to play the disc on the computer.

It also proved very difficult to remove and was flagged by antivirus vendors as a vulnerability. To compound the problem XCP secretly sent information about users' listening habits over the internet to Sony BMG.

Sony began to withdraw about 4.7 million affected discs from stores, and set up an exchange programme for consumers who had bought about 2.1 million discs.

Meanwhile Sony BMG kept on using a different anti-piracy program called MediaMax, produced by SunnComm.

The EFF filed a lawsuit against Sony BMG's use of both XCP and MediaMax, claiming that the SunnComm program was also flawed.

The EFF cited research by J Alex Halderman, a student at Princeton University, who claimed that MediaMax sends information about users over the internet without their permission.

Halderman also claimed that MediaMax installs itself even if the user clicks a button that is supposed to stop the installation.