MySpace Demands Apple Change Quicktime To Fix MySpace Worm




MacRumors
Dec 6, 2006, 09:29 AM

According to News.com, MySpace.com is demanding that Apple change its Quicktime player software (http://news.com.com/2100-7349_3-6141031.html?tag=cnetfd.mt) to address an issue that occurred recently when the popular social networking website was attacked by a phishing/worm attack that used embedded Quicktime movies to propagate.

The worm exploits a common type of Web vulnerability called a cross-site scripting flaw in the site along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts said.

Nevertheless, Apple is obliging.

Apple is working on a QuickTime fix, but has a temporary solution available Tuesday, company spokeswoman Lynn Fox said in an e-mail.

"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.

Apple said it has provided MySpace with the temporary fix. The computer company said it would be up to the social-networking site to offer it to users. MySpace has not responded to an inquiry from CNET News.com as to when the temporary solution would be available to users.

It remains unclear how the temporary solution will be distributed. Also, while MySpace had temporarily blocked the web links in question while waiting for Apple's response, MacRumors is unaware of any attempts by the company to address the root cross-scripting vulnerability (http://seclists.org/fulldisclosure/2006/Nov/0275.html) that may still potentially be exploited via other yet-unknown means.



longofest
Dec 6, 2006, 09:32 AM
+1 for Apple's security reputation (which it could use after last month)

-5 for MySpace's security reputation

twoodcc
Dec 6, 2006, 09:33 AM
well i think it's good that Apple is doing something about it, but myspace shouldn't demand them to though

Dunepilot
Dec 6, 2006, 09:37 AM
Myspace really is a crock. My band's account got compromised the other day, which was irritating.

And why on earth do people put that ridiculous transparency effect on their pages? Crashes Safari every time.

benthewraith
Dec 6, 2006, 09:42 AM
Myspace really is a crock. My band's account got compromised the other day, which was irritating.

And why on earth do people put that ridiculous transparency effect on their pages? Crashes Safari every time.

Because the people that use them don't know what a good webpage looks like?

Flowbee
Dec 6, 2006, 09:44 AM
This is potentially much more harmful to Apple from a PR standpoint than last week's Nike+iPod "stalking" story. Let's see what the press does with this one.

mkrishnan
Dec 6, 2006, 09:45 AM
Well, bitching about MySpace aside, there is a vulnerability in Quicktime. Which is bad. But Apple is fixing it, which is good. I can live with that, I guess.

iJaz
Dec 6, 2006, 09:46 AM
Isn't Myspace run by a (former) notorious spammer? That says something about their credibility.

Rojo
Dec 6, 2006, 09:46 AM
Is it wrong of me to get a good chuckle from this story? ;)

Seasought
Dec 6, 2006, 09:52 AM
Is it wrong of me to get a good chuckle from this story? ;)

No actually... :D

Unspeaked
Dec 6, 2006, 09:56 AM
Isn't Myspace run by a (former) notorious spammer? That says something about their credibility.

You mean NewsCorp?

Yeah, Rupert Murdoch has a long history of Nigerian Bank Account schemes...

redAPPLE
Dec 6, 2006, 09:59 AM
"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.


maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?

Westside guy
Dec 6, 2006, 10:15 AM
maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?

It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".

kenzbud
Dec 6, 2006, 10:37 AM
So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?

MacinDoc
Dec 6, 2006, 10:47 AM
It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".

If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited. So MySpace's complaint is like blaming the manufacturer of a mouse if a hacker uses the mouse to reformat your hard drive. Apple's response to MySpace's demand is for PR purposes, and it certainly demonstrates that Apple has a greater concern for MySpace users than MySpace itself does. MySpace's real focus should be to fix its own bugs, because I'm sure that hackers will find other ways to exploit them, once the Quicktime features are disabled.

Spanky Deluxe
Dec 6, 2006, 10:54 AM
Wow, a security vulnerability does some good for once!

iJawn108
Dec 6, 2006, 10:58 AM
My friend sent me this

CLICK AT YOUR OWN RISK!


http://vids.myspace.com/quicktime/upgrade.cfm

is that the patch? or a hoax to try and install the worm?

sbrhwkp3
Dec 6, 2006, 11:03 AM
Myspace is so *****ty it's not even funny. It's the slowest running web site on the internet, and it's always down.

They should resolve some of their own issues before they go and tell Apple what to do...

mkrishnan
Dec 6, 2006, 11:04 AM
So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?

It appears to have been an unknown vulnerability in QT that has been around for some time....

However, it's important to note I think that QT is the VECTOR. That is, it delivers the exploit, but the exploit itself seems to be a Windows exploit... as far as I know there isn't any evidence of MacOS spyware related to this... just Windows?

Nonetheless, if this impacts OS X as a vector, it's a missing link, because there's never really been an exploited vulnerability in OS X that allowed software to be installed without user intervention before.

failsafe1
Dec 6, 2006, 11:06 AM
Fixing vulnerabilities is a good thing. Shame it came to light because of myspace. Yuck

shawnce
Dec 6, 2006, 11:14 AM
If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited.

This generally concurs with my understanding of the issue (still trying to dig up more specifics on it).

Basically an interactivity feature of QuickTime (http://www.apple.com/quicktime/tutorials/hreftracks.html) (exists for various good reasons) is being leveraged to bring up a spoofed login page attempting to trick a myspace user to provide their login information. If they do that then javascript in the spoofed webpage then walks their myspace site attempting to inject links to a phishing site and add the QuickTime movie to the user's site.

So I really don't see the vulnerability existing in QuickTime... any number of other methods could be used to attempt similar trickery (flash can do similar things). All I can see Apple doing is providing a way for a hosting site to disable this feature for all movies downloaded from its site (likely strip the track).

...welcome to wonderful world of cross-site scripting attacks.

Doctor Q
Dec 6, 2006, 11:16 AM
I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

Is a feature being removed?

mkrishnan
Dec 6, 2006, 11:17 AM
I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

Is a feature being removed?

That's a good question...although, I would tend to think that if whatever is involved here was being used frequently, this exploit would have been identified already. But then you never know.

SciTeach
Dec 6, 2006, 11:19 AM
Well, maybe if the worm actually only affected the MySpace users seen on DateLine's "To Catch a Predator", it would be a good thing.:D

Actually...aren't most....nahhy, I won't go there.:rolleyes:

Kudos for Apple to step up even if it is a combination of issues with QT and MySpace and IE.

Arcus
Dec 6, 2006, 11:20 AM
I demand MySpace do more to make sure pedophiles stay out.

Swarmlord
Dec 6, 2006, 11:26 AM
They "demand" Apple changes Quicktime? I'd personally delay any fixes until they "asked" for a remedy to the problem.

longofest
Dec 6, 2006, 11:40 AM
For those confused about "where the bug lies"... It is a two-edged sword. The root-cause is in a cross-site scripting vulnerability on MySpace's website. This is then exploited by a "feature" that can be abused in Quicktime.

Honestly, I'm regurgitating a lot of that, and I'd certainly like to know someone who has actually developed using quicktime before and has used the HREF track feature that is in question. But this is certainly not all Apple's fault like MySpace seems to be indicating. If MySpace doesn't address the root cause of the problem, they are going to get more of these attacks.

YoNeX
Dec 6, 2006, 11:42 AM
And I demand MySpace to be trashed, but you don't see me getting what I want? :D

shawnce
Dec 6, 2006, 11:43 AM
For those confused about "where the bug lies"... It is a two-edged sword. The root-cause is in a cross-site scripting vulnerability on MySpace's website. This is then exploited by a "feature" that can be abused in Quicktime.

Honestly, I'm regurgitating a lot of that, and I'd certainly like to know someone who has actually developed using quicktime before and has used the HREF track feature that is in question. But this is certainly not all Apple's fault like MySpace seems to be indicating. If MySpace doesn't address the root cause of the problem, they are going to get more of these attacks.

Example use of HREF track... watching a training video and as the video plays related web content is changed in sync with the current topic of the video.

godrifle
Dec 6, 2006, 11:45 AM
+1 for Apple's security reputation (which it could use after last month)

-5 for MySpace's security reputation

Good post. Thanks for the laugh. I thought I was playing D&D there for a minute! :D

mkrishnan
Dec 6, 2006, 11:46 AM
For those confused about "where the bug lies"... It is a two-edged sword. The root-cause is in a cross-site scripting vulnerability on MySpace's website. This is then exploited by a "feature" that can be abused in Quicktime.

What exactly does it mean for a *website* to have a cross-scripting vulnerability? The javascript in QT is client side, is it not? So if there is a JScript vulnerability, doesn't it have to occur at the browser level? Or does the JScript somehow make a request of MySpace's web server that gets bounced to an outside server by MySpace, which should not be allowed?

Eidorian
Dec 6, 2006, 11:47 AM
We have devised a way to disable this QuickTime feature for those who use Internet Explorer.

http://www.math.purdue.edu/~abarreno/holland_plant.jpg

I think it's safe to end the thread there.

godrifle
Dec 6, 2006, 11:48 AM
It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".

It's not a bug in QuickTime. It's a bug in MySpace. Check out this post (http://www.gigoblog.com/2006/12/05/myspace-attack-technique-revealed/) for a pretty direct explanation of exactly how this hack works. QuickTime is just the platform.

spicyapple
Dec 6, 2006, 11:49 AM
MySpace filth should be left off the front page. They make me sick. :mad: I want to throw up in their mouths a little bit. No, scratch that. A lot.

shawnce
Dec 6, 2006, 11:51 AM
What exactly does it mean for a *website* to have a cross-scripting vulnerability? The javascript in QT is client side, is it not?

Not... well it is client side but the script isn't in the QT movie. All QuickTime can do is call a javascript function of the page it is hosted in. Note that QT can provide data to the javascript functions it calls (which makes sense).

So if there is a JScript vulnerability, doesn't it have to occur at the browser level? Or does the JScript somehow make a request of MySpace's web server that gets bounced to an outside server by MySpace, which should not be allowed?

I haven't seen a good description of exactly what happens in this exploit but it sounds like when a user visits a web-page with a crafted QT movie and views that movie it either brings up another page that shows a fake myspace login page and/or it calls a javascript function found in the hosting web-page. If the latter then the hosting web-page would be a myspace page and hence could be using myspace javascript code against itself.

UPDATE... ah after looking at the link godrifle provided it looks like a QT movie is being used to call a javascript function that exists in myspace pages. This function is provided by myspace developers and it is being used to rewrite a part of the web-page (MySpace menu) using a vulnerability in MySpace (CSS can be used to modify the look of the MySpace page so as to hide elements allowing replacement with others). This allows it to hijack the menu for its phishing purposes.

godrifle
Dec 6, 2006, 11:51 AM
I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

Is a feature being removed?

A feature in QuickTime, being used to exploit a vulnerability to a simple CSS hack in MySpace, employing Javascript.

princealfie
Dec 6, 2006, 11:51 AM
They should scrap myspace altogether.

iMikeT
Dec 6, 2006, 11:52 AM
1) Who the hell is myspace to demand anything? This is their problem and they're blaming someone else.
2) The report says that this worm is affecting IE users. Isn't that a Microsoft problem?
3) Myspace.com sucks.

Eraserhead
Dec 6, 2006, 11:52 AM
This is potentially much more harmful to Apple from a PR standpoint than last week's Nike+iPod "stalking" story. Let's see what the press does with this one.

Saw that story in the Metro today, it didn't mention the distance thing though, also apparently you need to spend 150 to get the scanner for the Nike+iPod thing, last time I looked eyes were free, and can see further too.

thestaton
Dec 6, 2006, 11:52 AM
haha, who in the heck is myspace to demand anything? their two bit half coded POS crashes on average 50% of the time no matter what browser I use.

like someone else said I demand they crack down on pedophiles, learn how to write successful code, and until they are anything more than a popular hangout for kids they don't get much respect in my book.

godrifle
Dec 6, 2006, 11:56 AM
Saw that story in the Metro today, it didn't mention the distance thing though, also apparently you need to spend 150 to get the scanner for the Nike+iPod thing, last time I looked eyes were free, and can see further too.

Of course, there's also the age-old "following" hack that impacts all users of Nike shoes. :eek:

shawnce
Dec 6, 2006, 12:00 PM
Of course, there's also the age-old "following" hack that impacts all users of Nike shoes. :eek:

That is why Nike is recommending that all users of Nike shoes disable their walking and running features so they can avoid being followed or otherwise tracked in public.

Digitaljim
Dec 6, 2006, 12:02 PM
Is it wrong of me to get a good chuckle from this story? ;)

For the love of God, anyone who visits MySpace deserves to have their computer compromised... preferably compromised by throwing it down a flight of stairs.

iJaz
Dec 6, 2006, 12:11 PM
You mean NewsCorp?

Yeah, Rupert Murdoch has a long history of Nigerian Bank Account schemes...

Nope, I do not mean Rupert Murdoch, obviously. I didn't know he owned Myspace. And I didn't know about his Nigerian Bank Account schemes...
I actually meant the founding of Myspace as a spam delivery system http://www.valleywag.com/tech/myspace/myspace-the-business-of-spam-20-exhaustive-edition-199924.php and I thought the original founders still owned Myspace, my mistake.

oldwatery
Dec 6, 2006, 12:17 PM
It is amazing how polarizing myspace can be.
It is probably one of the most popular sites on the internet yet nearly every post here slams it.
Interesting don't you think?
I agree that one: Apple are being super stand up with their response but that they should also make sure the world knows this is a myspace issue.
Two: myspace should not be demanding anything.
Three: the site and social concept sucks. This is singularly one of the worst things to have come out of the internet and it is having a dramatic effect on our children....a very bad effect.
Just another Rupert Murdoch pile of c**p.
Yep....very polarizing ;)

spicyapple
Dec 6, 2006, 12:20 PM
It is probably one of the most popular sites on the internet yet nearly every post here slams it.

Windows is the most popular OS and nearly every post here slams it. Mac users just don't like MySpace for some reason. Social networking sites are cool; I had a profile on Xanga and later moved over to Facebook. :)

mozmac
Dec 6, 2006, 12:21 PM
I prefer Facebook over MySpace. MySpace is too smutty. It's just trashy all around. Facebook has a much cleaner look and the content is usually higher class.

mkrishnan
Dec 6, 2006, 12:23 PM
Windows is the most popular OS and nearly every post here slams it. Mac users just don't like MySpace for some reason. Social networking sites are cool; I had a profile on Xanga and later moved over to Facebook. :)

Besides this, who cares if people hate MySpace? This news still identifies a vulnerability related to Quicktime. And there doesn't seem to be any evidence that the vulnerability is purely limited to MySpace, even though it only appears to be exploited there. So it should be of importance regardless of one's views on MySpace....

0010101
Dec 6, 2006, 12:30 PM
MySpace is pretty crappy looking, but the truth is, for whatever reason, it's probably the most popular site of its kind on the 'net.

If QuickTime has a 'feature' that can be exploited and used for evil, that's a security issue and should be fixed by Apple.

50548
Dec 6, 2006, 01:00 PM
It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".

Just to be clear, this DOES NOT affect Macs and OS X...thanks again, Apple, for giving us the best and safest OS in the world...:rolleyes:

Stridder44
Dec 6, 2006, 01:14 PM
http://www.math.purdue.edu/~abarreno/holland_plant.jpg

I think it's safe to end the thread there.

Winner. Thread over.

Also, Facebook ftw!

macman2790
Dec 6, 2006, 01:21 PM
myspace sucks, i hope nothing gets fixed.

dizastor
Dec 6, 2006, 01:26 PM
I demand MySpace do more to make sure pedophiles stay out.

consider yourself banned from MySpace. :D

helmsc
Dec 6, 2006, 02:19 PM
I demand MySpace do more to make sure pedophiles stay out.

Would that not kill myspace.com? :p

aftk2
Dec 6, 2006, 02:26 PM
To add a little bit to the discussion:

This isn't really a security flaw in Quicktime. This is a feature. However, in an untrusted environment, this feature can be compromised. There have been so many JavaScript related attacks (in which some user posts JavaScript to a MySpace page, and this JavaScript then does something malicious to other logged-in users when they visited the page) on MySpace that MySpace wants to disable JavaScript on all user input. Ok, so far so good. However, Flash and Quicktime both have the ability to do some rudimentary JavaScript. MySpace yells at Adobe, who implement some undocumented features in flash player 9, at MySpace's request. These are essentially plugin parameters; they didn't remove the ability for the flash player to work with JavaScript, they added some parameters that MySpace can append to all submitted <embed> tags, that will disable any JavaScript within the flash movie.

I imagine they'd like Apple to adopt a similar parameter for their Quicktime player. So what they're really asking for is an additional feature to Quicktime, not a bug fix.

Oh, and I like MySpace, as a means to an end - but it really does lower your estimation of the average person.
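
An added example, not part of aftk2's post and not MySpace's code: one way a hosting site could force script-disabling plugin parameters onto every user-submitted `<embed>` tag, as the post above describes. It assumes Flash Player's `allowScriptAccess` and `allowNetworking` parameters (the post does not name the ones Adobe added) and removes any embed, QuickTime included, for which no such parameter is known; all function names and sample URLs are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLASH_MIME = "application/x-shockwave-flash"

# Parameters the site forces onto every embed it keeps. allowScriptAccess and
# allowNetworking are real Flash Player embed parameters; picking them is this
# example's assumption, the thread does not say which parameters were used.
FORCED_PARAMS = (
    ("type", FLASH_MIME),
    ("allowScriptAccess", "never"),
    ("allowNetworking", "internal"),
)
REMOVED = "<!-- embed removed: plugin scripting cannot be disabled -->"


def rewrite_embed(attrs):
    """Return a safe replacement for one user-submitted <embed> tag."""
    given = {name: (value or "") for name, value in attrs}  # names arrive lowercased
    src = given.get("src", "").strip()
    try:
        url = urlsplit(src)
    except ValueError:  # malformed URL: fail closed
        return REMOVED
    is_flash = (
        given.get("type", "").strip().lower() == FLASH_MIME
        and url.scheme in ("http", "https")
        and url.path.lower().endswith(".swf")
    )
    if not is_flash:
        # QuickTime and every other plugin type ends up here: with no known
        # parameter to switch scripting off, the embed is dropped.
        return REMOVED
    kept = [("src", src)]
    for dim in ("width", "height"):
        if given.get(dim, "").isdigit():
            kept.append((dim, given[dim]))
    # Every other user-supplied attribute is discarded, so a submitted
    # allowScriptAccess="always" can never override the forced value.
    kept.extend(FORCED_PARAMS)
    body = " ".join(f'{k}="{escape(v, quote=True)}"' for k, v in kept)
    return f"<embed {body}>"


class EmbedRewriter(HTMLParser):
    """Re-emits markup unchanged except for <embed> tags."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            self.out.append(rewrite_embed(attrs))
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # keep <br/> as one tag, no extra close

    def handle_endtag(self, tag):
        if tag != "embed":  # embed is a void element
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def sanitize_profile_html(markup):
    """Rewrite every <embed> in user-supplied profile markup."""
    parser = EmbedRewriter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample submissions.
    samples = [
        '<embed src="http://media.example/clip.swf" '
        'type="application/x-shockwave-flash" allowScriptAccess="always">',
        '<embed src="http://media.example/clip.mov" type="video/quicktime">',
    ]
    for sample in samples:
        print(sanitize_profile_html(sample))
```

This covers only the `<embed>` rewriting step; `<object>`/`<param>` markup and the rest of the site's input filtering are assumed to be handled elsewhere.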

MacCheetah3
Dec 6, 2006, 02:38 PM
Hi
This generally concurs with my understanding of the issue (still trying to dig up more specifics on it).

Basically an interactivity feature of QuickTime (http://www.apple.com/quicktime/tutorials/hreftracks.html) (exists for various good reasons) is being leveraged to bring up a spoofed login page attempting to trick a myspace user to provide their login information. If they do that then javascript in the spoofed webpage then walks their myspace site attempting to inject links to a phishing site and add the QuickTime movie to the user's site.

So I really don't see the vulnerability existing in QuickTime... any number of other methods could be used to attempt similar trickery (flash can do similar things). All I can see Apple doing is providing a way for a hosting site to disable this feature for all movies downloaded from its site (likely strip the track).

...welcome to wonderful world of cross-site scripting attacks.

Exactly! This is more of a trojan if anything of the sort. It requires the use of a less intelligent or less alert victim to actually do any harm. The "worm" itself just directs users to a phony login page, a very regular phishing technique, and that's where the information is actually harvested and then the harvested account is abused.

This is pretty easily handled by MySpace by sending out an email to members warning of phishing attempts or even just the users by only logging in at the main site ( http://www.myspace.com ), if logging in is necessary ( time outs, logouts ). Another method may be to have a digitally signed ( protected ) login procedure.

vallette
Dec 6, 2006, 02:41 PM
Besides this, who cares if people hate MySpace? This news still identifies a vulnerability related to Quicktime. And there doesn't seem to be any evidence that the vulnerability is purely limited to MySpace, even though it only appears to be exploited there. So it should be of importance regardless of one's views on MySpace....

One more time, this IS NOT a bug or vulnerability in QT. It's an XSS vulnerability in MySpace that can be exploited using a documented QT feature. If the MySpace javascript was coded properly this wouldn't be an issue. This is solely the responsibility of MySpace, the fact that Apple's willing to help solve the problem is a great PR move.

Unspeaked
Dec 6, 2006, 03:04 PM
Nope, I do not mean Rupert Murdoch, obviously. I didn't know he owned Myspace. And I didn't know about his Nigerian Bank Account schemes...
I actually meant the founding of Myspace as a spam delivery system http://www.valleywag.com/tech/myspace/myspace-the-business-of-spam-20-exhaustive-edition-199924.php and I thought the original founders still owned Myspace, my mistake.

Ah, I see. That article's been disputed, but I don't think any official link has been revealed.

In any case, I do agree that MySpace has always been a little fishy.

As for their corporate history, the site was only independently owned for about a year, at which point a company called Intermix purchased a majority stake.

Intermix sold their assets to NewsCorp last year for many, many times their market value, and they and the MySpace founders made out like bandits!

bousozoku
Dec 6, 2006, 03:11 PM
Hi

Exactly! This is more of a trojan if anything of the sort. It requires the use of a less intelligent or less alert victim to actually do any harm. The "worm" itself just directs users to a phony login page, a very regular phishing technique, and that's where the information is actually harvested and then the harvested account is abused.

This is pretty easily handled by MySpace by sending out an email to members warning of phishing attempts or even just the users by only logging in at the main site ( http://www.myspace.com ), if logging in is necessary ( time outs, logouts ). Another method may be to have a digitally signed ( protected ) login procedure.

Tom has been attempting to warn people for 3 weeks or so and apparently, it continues to happen. That doesn't surprise me somehow. It's pretty simple to pay attention and to know where you are at all times, but most people believe that it's possible to drive correctly and talk on the phone at the same time.

If their own profiles are compromised because they don't take care of things properly, why is it Apple's problem at all? People take advantage of other people. They should be going after them instead of blaming it on a feature of QuickTime.

Mitch1984
Dec 6, 2006, 03:20 PM
Apple should say, yeah we'll fix it but. Fix your pages so they don't crash our browser and do MySpace IM for Mac, you sods!

Westside guy
Dec 6, 2006, 03:20 PM
It's not a bug in QuickTime. It's a bug in MySpace. Check out this post (http://www.gigoblog.com/2006/12/05/myspace-attack-technique-revealed/) for a pretty direct explanation of exactly how this hack works. QuickTime is just the platform.

No. While MySpace's coding is poorly thought out, it is a cross-site scripting vulnerability (http://en.wikipedia.org/wiki/Cross-site_scripting) in QuickTime that allows this to happen. These sorts of things used to be a big problem in web server software like Apache and IIS. Now that tools like Quicktime and Flash are becoming more sophisticated, they're being exploited too.

Whether or not MySpace should allow users to modify CSS is a separate argument. In my opinion it's extremely stupid of them to do it - this has made it extremely easy for bad guys to exploit an open Firefox flaw (https://bugzilla.mozilla.org/show_bug.cgi?id=360493) and now this Quicktime flaw. But, in the end, they ARE flaws in Firefox and in Quicktime (matter of fact, the Quicktime flaw is rather similar to the Firefox flaw).

shawnce
Dec 6, 2006, 04:00 PM
Actually it looks like HREF tracks can indeed include simple javascript command sequences... however I don't think it can include decision logic. It is more of command one, command two, etc. not if this do that type of scripting.

It isn't clear to me yet who would/should do the validation of the context of the javascript command in relation to the domain of the site hosting the video (the QT plugin or say IE).

bleachthru
Dec 6, 2006, 04:01 PM
I prefer Facebook over MySpace. MySpace is too smutty. It's just trashy all around. Facebook has a much cleaner look and the content is usually higher class.

http://www.prisonplanet.com/articles/june2005/090605thefacebook.htm

hulugu
Dec 6, 2006, 04:09 PM
Mac users just don't like MySpace for some reason. Social networking sites are cool; I had a profile on Xanga and later moved over to Facebook. :)

Social networking is great, but MySpace just sucks.

racebit
Dec 6, 2006, 04:16 PM
1) Who the hell is myspace to demand anything? This is their problem and they're blaming someone else.
2) The report says that this worm is affecting IE users. Isn't that a Microsoft problem?
3) Myspace.com sucks.

I have to agree with 1 & 3. Where exactly does myspace get the balls to "demand" that apple do anything at all? Does it think its user base of teen emo kids give them powers to boss around corporations that actually provide decent products?

But I digress...:rolleyes:

cloudnine
Dec 6, 2006, 04:17 PM
Wow... lots of bitterness against MySpace... how come?

Just curious... I mean, 30 gazillion users can't be *that* wrong, can they? Although, yeah, MySpace has more errors and crashes than a PC.

Almost.

Clive At Five
Dec 6, 2006, 04:18 PM
http://www.prisonplanet.com/articles/june2005/090605thefacebook.htm

Okay, I think it's obvious (even by reading a few paragraphs of the article) that this guy is a paranoid liberal extremist. Yes, Facebook might have tons of information in a database but that doesn't make it Big Brother. Big Brother implies direct governmental control and monitoring. Facebook is commercial. And it's volunteer.

And trust me: I bash Bush with the rest of 'em, but anyone who refers to the Bush Administration as a "regime" has issues. That article should DEFINITELY be taken with a grain of salt.

And lastly, as a member of both, I can vouch for mozmac and say that MySpace is scummy and Facebook is clean, refined, and safe. At anytime, if I do not want to receive messages from a person or group, I can block it. The same is not true for MySpace.

MySpace = Spam Nation. I will soon go out in a ball of flames, posting messages to everyone I know and don't know, telling of the evils which lie within. I will be a Facebook crusader until MySpace bans me.

-Clive

poppe
Dec 6, 2006, 04:34 PM
Screw myspace. Myspace is just a place for guys to find chicks to do, and is a place for girls to slut themselves out (no offense to the normal users out there)

lorductape
Dec 6, 2006, 04:55 PM
They shouldn't have fixed it, I hate myspace.
:mad: :mad: :mad:
:mad: :mad: :mad:
:mad: :mad: :mad:

lkrupp
Dec 6, 2006, 05:04 PM
Fixing vulnerabilities is a good thing. Shame it came to light because of myspace. Yuck

Except that it is NOT a vulnerability, security flaw, or any other bad thing on the part of Apple, as you imply. This is a legitimate, useful feature that will now be disabled because MySpace has a problem.

The bad guys are slowly but surely dictating to us how we will use the internet. How many other legitimate, useful, features will, or have already been, disabled by Apple or Microsoft so the bad guys can't exploit them while we meekly stand by and let the scum bags tell us which features we can enjoy or not? This whole thing sucks.

poppe
Dec 6, 2006, 05:08 PM
Except that it is NOT a vulnerability, security flaw, or any other bad thing on the part of Apple, as you imply. This is a legitimate, useful feature that will now be disabled because MySpace has a problem.

The bad guys are slowly but surely dictating to us how we will use the internet. How many other legitimate, useful, features will, or have already been, disabled by Apple or Microsoft so the bad guys can't exploit them while we meekly stand by and let the scum bags tell us which features we can enjoy or not? This whole thing sucks.

This is kinda the way of the world though.. I mean how many things do we have to no just because thieves and crooks have stopped us from living a normal simple life... Sucks but just a way of the world...

kresh
Dec 6, 2006, 05:48 PM
http://www.prisonplanet.com/articles/june2005/090605thefacebook.htm


What an absolute horrible world this person has to live in due to his/her imagination. I can't imagine the burden of paranoia this individual has to carry every day.

It would not be too hard to imagine this individual wearing disguises as he or she interacts with real people in the real world.

I'm not sure of his/her gender, because I am convinced he/she would lie about it, so as not to reveal anything about himself/herself.

It is really quite sad. I really wish this person could just take a month, stay away from the internet and college campuses, go out into the real world and enjoy life. This burden is too much to carry for very long.

mkrishnan
Dec 6, 2006, 05:53 PM
One more time, this IS NOT a bug or vulnerability in QT. It's an XSS vulnerability in MySpace that can be exploited using a documented QT feature. If the MySpace javascript was coded properly this wouldn't be an issue. This is solely the responsibility of MySpace, the fact that Apple's willing to help solve the problem is a great PR move.

This is that part that I admitted I do not fully understand. But I don't buy into your perspective just yet, either. Lots of vulnerabilities are part of features that have legitimate usage.

Where is the XSS interpreted? If it is interpreted on the client side, I stick to the belief that this is fundamentally a client-side issue and not a MySpace issue. The problem lies with the browser Javascript engine and/or QT. But if the script is being executed on the server, certainly it's a MySpace issue.

The end result of this vulnerability though, is malicious code is run through a browser window on the client computer. That's a client-side issue to me. Not a MySpace issue. Even if MySpace fixes their implementation to prevent this, there's no preventing the same exploit from being embedded in someone else's website.

jmbear
Dec 6, 2006, 06:38 PM
Anything that screws MySpace is good!

Those social networking megasites like MySpace, hi5 and Friendster are bound to die anyway, smaller "community specific" social networking services will prevail. And I base that comment on my incredibly awesome insight.

rstorm
Dec 6, 2006, 06:48 PM
Apple should and will fix this. It is a vulnerability that needs to be fixed.

scrambledwonder
Dec 6, 2006, 07:45 PM
Somebody I know once said, "MySpace is the Internet equivalent of rhinestone cell phone dongles." I think that pretty much sums it up.

mdriftmeyer
Dec 6, 2006, 08:05 PM
We write crappy code that isn't W3C Compliant nor ECMA Compliant; and that uses a database that can't scale for crap and they want Apple to patch a workaround to cover their ignorance?

astewart
Dec 6, 2006, 08:20 PM
I'll Stick with Bebo, seems more solid! :rolleyes:

bleachthru
Dec 6, 2006, 09:10 PM
What an absolute horrible world this person has to live in due to his/her imagination. I can't imagine the burden of paranoia this individual has to carry every day.

It would not be too hard to imagine this individual wearing disguises as he or she interacts with real people in the real world.

I'm not sure of his/her gender, because I am convinced he/she would lie about it, so as not to reveal anything about himself/herself.

It is really quite sad. I really wish this person could just take a month, stay away from the internet and college campuses, go out into the real world and enjoy life. This burden is too much to carry for very long.

Wow man, get a sense of humor, this link was meant to be a joke. I just found it rather amusing that people were using this forum to debate which is a better social network to use? Who cares, what does this have to do with apple, and rumors surrounding apple? At any rate, social networking is designed for bored kids with nothing better to do, the link was posted purely for its ridiculousness. Oh and also, I do enjoy life. There is just more to it than being spammed by webcam hoes, and Phishers on myspace/facebook/ any number of those lame sites. Thank you that is all.

racebit
Dec 6, 2006, 10:11 PM
Somebody I know once said, "MySpace is the Internet equivalent of rhinestone cell phone dongles." I think that pretty much sums it up.

I was thinking more along the lines of poison ivy. It's like a bad itch that won't go away, and only gets bigger and more irritating when scratched. ;)

bousozoku
Dec 6, 2006, 10:56 PM
This was Tom's latest blog entry:

Tuesday, December 05, 2006


get the quicktime update
Current mood: cranky
Category: MySpace

the security problems this weekend were related to a hole in activex quicktime installer.

you can read about it on cnet here:

http://news.com.com/MySpace+to+Apple+Fix+that+worm/2100-7349_3-6141031.html

if you've got the quicktime player (and you probably do, if you have itunes) or watch movies, then you need to click on the update link that you'll see on your homepage. by updating quicktime you can protect yourself on myspace and any other website.

yes the link/update is legit, and yes the message about it on your homepage is really from me.

if you don't see the message on your homepage, it's because a) you don't have quicktime and therefore don't need to install the update, b) you've already updated.

you cannot get the update from quicktime's website yet. get it here.

some people have asked about the active x popup they see on the page when you're prompted to install. yes it should be there.. just allow it to go thru and install.

I tried to comment on the problem and it gave me an error twice. The third time it accepted it, but strangely, none of the comments are visible to the public. :rolleyes:

BrianMojo
Dec 6, 2006, 11:17 PM
If QuickTime has a 'feature' that can be exploited and used for evil, that's a security issue and should be fixed by Apple.

Ridiculous. That's like saying that because you can mislabel a link that you shouldn't be able to label links at all.

MacsomJRR
Dec 6, 2006, 11:32 PM
good for Apple making an effort to take care of this quickly after being notified... myspace is a popular "cool" site that could definitely hurt the image of Apple among the younger generations if they wanted to. Although a worm that destroyed myspace might not be the worst thing in the entire world.

bankshot
Dec 7, 2006, 12:07 AM
Whether or not MySpace should allow users to modify CSS is a separate argument. In my opinion it's extremely stupid of them to do it - this has made it extremely easy for bad guys to exploit an open Firefox flaw (https://bugzilla.mozilla.org/show_bug.cgi?id=360493) and now this Quicktime flaw. But, in the end, they ARE flaws in Firefox and in Quicktime (matter of fact, the Quicktime flaw is rather similar to the Firefox flaw).

I don't have a problem with allowing users to modify CSS to customize their personal pages. I help run a community site that is absolutely dwarfed by MySpace (about 1200 active users), and we allow our users to have their own CSS. People love using it to customize the look of their pages.

What MySpace should do is get rid of all embedded content. No QuickTime or Flash, no vulnerability. We disallow <embed>, <object>, <iframe>, <script>, and others. We also filter out some of the sneakier ways to inject javascript into a page, such as within links or CSS url() constructs.

Of course, MySpace would never do that, because half their popularity is probably based on being able to put annoying Flash and other content on your page. So they try to bully the plugin makers instead...

Edit: forgot to add that it appears that the above Firefox flaw has nothing to do with CSS. It's simply that they allow a user to put the <form> tag into their own page.
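
The kind of filter bankshot describes above (removing `<embed>`, `<object>`, `<iframe>`, `<script>` and `<form>`, and checking link targets and CSS `url()` constructs) can be sketched as an allowlist sanitizer. This is an added example, not code from the poster's site or from MySpace; the tag and attribute policy, the function names and the sample markup are assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for this sketch: anything not listed here is removed.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "li", "div", "span", "img"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
GLOBAL_ATTRS = {"style"}  # users may still style their own page
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Non-void elements whose whole content is discarded, not just the tags.
DROP_CONTENT = {"script", "style", "object", "iframe", "form"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
CSS_DANGER_RE = re.compile(
    r"url\s*\(|expression\s*\(|@import|javascript:|behavior|-moz-binding|\\", re.I)

def safe_url(value):
    """Accept relative URLs and allowlisted schemes; reject everything else."""
    # Browsers ignore whitespace/control characters inside a scheme name.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    match = SCHEME_RE.match(cleaned)
    return match is None or match.group(1).lower() in ALLOWED_SCHEMES

def safe_style(value):
    """Reject inline CSS that could fetch a resource or run script."""
    without_comments = re.sub(r"/\*.*?\*/", "", value, flags=re.S)
    return CSS_DANGER_RE.search(without_comments) is None

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.open_tags = []  # allowed elements currently open
        self.drop = 0        # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop += 1
            return
        if self.drop or tag not in ALLOWED_TAGS:
            return  # <embed>, <applet>, <input>, ... vanish here
        allowed = ALLOWED_ATTRS.get(tag, set()) | GLOBAL_ATTRS
        kept = []
        for name, value in attrs:
            value = value or ""
            if (name not in allowed  # drops onclick, onload, ...
                    or (name in ("href", "src") and not safe_url(value))
                    or (name == "style" and not safe_style(value))):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.drop = max(0, self.drop - 1)
            return
        if self.drop or tag not in self.open_tags:
            return  # stray closers cannot break the surrounding page
        while True:  # close anything left open inside this element
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = ProfileSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:  # balance whatever the user left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)

# Constructed sample of user-submitted profile markup.
SAMPLE = (
    '<p style="color: red">hi <b>there</b></p>'
    '<embed src="http://media.example/clip.mov"><script>document.title = 1</script>'
    '<a href="&#106;ava\tscript:void(0)" onclick="x()">link</a>'
    '<div style="background: u/**/rl(http://media.example/x)">box'
    '<a href="http://example.com/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

The filter runs on the server when content is saved or rendered, which is where the thread places the responsibility; an unclosed dropped element discards the rest of the fragment, so the filter fails closed.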

bankshot
Dec 7, 2006, 12:16 AM
Where is the XSS interpreted? If it is interpreted on the client side, I stick to the belief that this is fundamentally a client-side issue and not a MySpace issue. The problem lies with the browser Javascript engine and/or QT. But if the script is being executed on the server, certainly it's a MySpace issue.

The issue isn't where the code is interpreted. Of course it's interpreted by the client, because it uses javascript to inject itself into the user's own profile. That doesn't mean the client contains any vulnerability.

The security rules for the client are very simple: do not allow javascript from one site to send data to another site. A client vulnerability would be one that allows a malicious javascript on some MySpace user's page to send your MySpace login info to an external site, without your knowledge. All current browsers should be immune to such an attack. That is all they should be responsible for in terms of cross site scripting.

Think about when you browse store.apple.com. If that site has any javascript in it, do you think it's a security problem if that javascript sends information about your store.apple.com experience back to store.apple.com? Of course not. Apple has full control over the site, so if their own javascript sends information about your browsing experience at their site, that's inherently information they already had access to. No security problem, on the client or otherwise.

The MySpace problem is that they allow users to customize pages on myspace.com -- each user's own personal page belongs to myspace.com, after all. In doing so, it is their responsibility to filter out any type of scripting attempt from user-submitted content.

See, visiting a user's MySpace page is very different from visiting a page at Apple's website. On Apple's site, every script and movie is put there by Apple. They develop it with a unified purpose in mind, and check it over before it goes live. Even if it erroneously sends bad information to the site, the worst that can happen is that your browsing experience on their site is a little clunky.

Contrast that with MySpace, where much of the content is user-uploaded, and is not designed or checked by human eyes working for MySpace. Moreover, it's a site where you, the visitor, may have your own little area that you can upload to (if you have a MySpace account). Now, when a script causes your browser to send certain information to myspace.com, that information could be crafted to modify your MySpace account. And the script could have come from someone completely outside of MySpace (the company), with malicious intentions to do funny things to your account.

This is completely, 100% a MySpace issue. They allow their users to upload content which is then viewed by anyone who sees the user's page. Thus it is their responsibility to filter that content so that any script which could modify the viewer's own account is completely removed.

As I said in my previous post, MySpace could do the right thing and disallow all embedded content like Flash, QuickTime, Windows Media, etc. That removes this vector for inserting a script into a MySpace page. Of course they won't, because that's at least half the appeal of their godawful site, so they bully the plugin makers instead.

poppe
Dec 7, 2006, 01:24 AM
Die myspace Die. I'm tired of my roommate being on for literally 6 hours straight each day... Die Myspace Die!

aafuss1
Dec 7, 2006, 06:10 AM
Looks like us QuickTime on the Mac or Safari users aren't affected, as the upgrade page uses IE ActiveX.

Snowy_River
Dec 7, 2006, 09:11 AM
Looks like us QuickTime on the Mac or Safari users aren't affected, as the upgrade page uses IE ActiveX.

Gee, imagine if (back while it was supported) MS IE for Mac had a problem like this. How long, do you suppose, it would take MS to respond to such a problem, when it didn't affect their main product line / OS? I think that Apple deserves good kudos for jumping right on this.

(Of course, I find it a little curious to learn that QT uses ActiveX at all, but I'm sure Apple has its reasons.)

johnmcboston
Dec 7, 2006, 10:13 AM
Die myspace Die. I'm tired of my roommate being on for literally 6 hours straight each day... Die Myspace Die!

Well, what does he do there? I've actually found a ton of new local bands and 'undiscovered' music. Now, if MS would just get enough servers to support the stupid thing. :)

tveric
Dec 7, 2006, 11:37 AM
Every once in a while you get a story here that really exposes the Mac fanboyz and makes me cringe. This is one of them.

Folks, this vulnerability isn't MySpace's fault. You can bitch all you want about how crap their website is, and how they're not HTML compliant, and blah blah, but the fact remains, this is a Quicktime vulnerability that TARGETS MySpace users specifically. That's hardly the fault of MySpace. The fact that the website is so popular makes it a target, and the fact that Quicktime had this vulnerability made Quicktime the means through which some loser hacker attacked the target.

Yet 90% of the comments here are "it's not Apple's fault because I hate MySpace and so it must be MySpace's fault!" Folks, I hate MySpace too, but please don't embarrass the rationally-thinking mac users by posting baseless ill-informed diatribes on how this is all MySpace's fault. It's an Apple security hole and they're fixing it. End of story.

kresh
Dec 7, 2006, 12:02 PM
Wow man, get a sense of humor, this link was meant to be a joke. I just found it rather amusing that people were using this forum to debate which is a better social network to use? Who cares, what does this have to do with apple, and rumors surrounding apple? At any rate, social networking is designed for bored kids with nothing better to do, the link was posted purely for its ridiculousness. Oh and also, I do enjoy life. There is just more to it than being spammed by webcam hoes, and Phishers on myspace/facebook/ any number of those lame sites. Thank you that is all.

I apologize, you did not state that the link was a blog of yours. My comments were not directed at you but at the blogger. If I had realized that you were the author, I would not have said anything.

mkrishnan
Dec 7, 2006, 12:13 PM
The MySpace problem is that they allow users to customize pages on myspace.com -- each user's own personal page belongs to myspace.com, after all. In doing so, it is their responsibility to filter out any type of scripting attempt from user-submitted content.

I think I'm understanding you... and thank you for bearing with me and explaining... but I'm going to ask to dip into that bank one more time. :D

I understand what you are saying that, when one goes to a site like apple.com, they know that the site is "credible" and won't have malicious code in it. But while MySpace seems like it might be such a site, it isn't, because users are allowed to insert embedded content that isn't really effectively filtered by MySpace.

And so when a user goes to MySpace, they become vulnerable to an exploit using Javascript that was put there by a user and was not controlled by MySpace, correct? That exploit happens client-side on the client's browser, but it only happens because the client loaded the MySpace page in the first place. So if the client stayed off MySpace, the problem would never occur.

What I'm trying to say is that I do not believe that is a good or sufficient standard for defining a vulnerability. My standard (the issue of phishing aside) is that a user should be able to go to *any* web page on the internet and should not be vulnerable to either:

(A) that website installing executable code on the client without permission
(B) an unauthorized transmission of information to that website.

It seems from what I understand that there is a true vulnerability here in that, even if MySpace filtered their website effectively, any other website could be infiltrated with the same malicious code involved here, and users who either purposely or inadvertently (e.g. through a pop-up that wasn't blocked) go there would be vulnerable to the same attack.

So I still don't think it's reasonable to say that this is a MySpace only issue... because the impact is on the level of the client, and any other website that implemented the same code would have the same effect.

poppe
Dec 7, 2006, 01:24 PM
Well, what does he do there? I've actually found a ton of new local bands and 'undiscovered' music. Now, if MS would just get enough servers to support the stupid thing. :)

The first day we met he did this: "Oh dude check out this 'hottie' I'm gonna write her: 'hey darling I just moved here from london will you show me around'" And that lasted about 6 hours that one day, him telling me about a new "hottie" every 5 seconds...

Really do girls really like guys that have their own flat iron? Seriously?

bankshot
Dec 7, 2006, 05:12 PM
Yet 90% of the comments here are "it's not Apple's fault because I hate MySpace and so it must be MySpace's fault!" Folks, I hate MySpace too, but please don't embarrass the rationally-thinking mac users by posting baseless ill-informed diatribes on how this is all MySpace's fault. It's an Apple security hole and they're fixing it. End of story.

Disagree 100%. I cringe right along with you at most of the blatant fanboy stuff around here. But this is solely MySpace's flaw. The fact that QuickTime is used as a vehicle is no different than if a simple HTML link were used as the vehicle. Should we have all web browsers remove a potentially dangerous feature (web links) because they can be abused by malicious users on sites that don't filter their content? Of course not! Asking Apple to do the same with QuickTime is no different.

In the case of web links, MySpace took responsibility and designed their software to filter out malicious scripting attempts from links. They need to step up and do something similar to handle QuickTime, Flash, Windows Media, and whatever other garbage they allow users to post directly to their sites. Apple may be playing nice by working with MySpace to give them an easier method to filter out malicious uploads, but it is still 100% MySpace's responsibility to do so.

Like I said last night, at a community site I help run, we do it the easy way: we don't allow users to embed anything like QuickTime, Flash, etc into their pages. Problem solved. We took responsibility and closed the hole on our site.

bankshot
Dec 7, 2006, 05:33 PM
And so when a user goes to MySpace, they become vulnerable to an exploit using Javascript that was put there by a user and was not controlled by MySpace, correct? That exploit happens client-side on the client's browser, but it only happens because the client loaded the MySpace page in the first place. So if the client stayed off MySpace, the problem would never occur.

Exactly. And moreover, if the client doesn't themselves have a MySpace account, there's nothing for the malicious script to vandalize. No exploit, period, in that case. I can visit any malicious MySpace page I want, because I've never registered there, so I don't have a profile that can be vandalized with these methods.

This is kind of an aside, but I really believe that the term "cross-site scripting" to describe this type of vulnerability is a huge misnomer. It's only "cross-site" if the script were somehow able to send information from one site to a completely different site. It is definitely the browser's responsibility to make sure this never happens, and I'm not aware of any open vulnerabilities in the latest browsers that do this.

A true cross-site vulnerability is one where you visit somebody's MySpace page, and a malicious script causes your browser to send your banking website's login credentials to that user's site somehow. All browsers should prevent this sort of attack because any site other than your bank's website has no right to that information.

My standard (the issue of phishing aside) is that a user should be able to go to *any* web page on the internet and should not be vulnerable to either:

(A) that website installing executable code on the client without permission
(B) an unauthorized transmission of information to that website.

Ok, that's fine. The first one, if it were to happen, would be 100% a browser bug. No browser should install and/or execute unknown code without your consent.

The second one depends on your definition of "unauthorized." If you mean "in the background" then removing this feature breaks a lot of recent advances in web scripting technology, collectively known as AJAX. AJAX is here to stay (and to make our lives easier!), and the convention from the start has been that no browser should be able to send any information to a website that didn't originate from that same website -- whether information from your hard drive or from a different website. The definition of "unauthorized" has always been "information that didn't originate from the same site." That is not the same as "unwanted" which is what you may be thinking of. Unfortunately, there is no possible way for a browser to determine what is "unwanted."

It seems from what I understand that there is a true vulnerability here in that, even if MySpace filtered their website effectively, any other website could be infiltrated with the same malicious code involved here, and users who either purposely or inadvertently (e.g. through a pop-up that wasn't blocked) go there would be vulnerable to the same attack.

So I still don't think it's reasonable to say that this is a MySpace only issue... because the impact is on the level of the client, and any other website that implemented the same code would have the same effect.

It's not a MySpace-only issue in the sense that any site that displays user-uploaded content must check and filter out any malicious scripting attempts. Any community site where registered users may upload content to their own pages must face this same issue, but it's still the site's responsibility.

It can't possibly be a browser issue because the browser is still following the rules all along: any information it sends to MySpace also originated from MySpace. The browser cannot possibly be smart enough to know that this area of MySpace (some malicious user's page) isn't authorized to touch that area of MySpace (the viewer's profile settings). This is not (in my opinion) a true "cross-site" vulnerability which is the responsibility of the browser because information never leaves myspace.com.

Consider this scenario: Apple adds a feature to .Mac where it can list your favorite new Apple products. You can add products to your favorites list manually, or whenever you view a particular product's page multiple times, it has a script which adds that product to your list in the background, automatically. So in essence, the product area of Apple's website is making scripted changes to the .Mac area.

Is this unauthorized? Is it a vulnerability? No. Apple designed it to work that way, and your browser is still only sending information to and from apple.com.

Now, if Apple allowed any third-party accessory manufacturer to write their own product pages and place them on Apple's site, we'd have the same type of vulnerability. Let's say Bose places a malicious script on their product pages, on apple.com which removes all competitors' products from your .Mac favorites list. This is exactly what's going on at MySpace. In the hypothetical Apple case, it is Apple's responsibility to make sure their accessory suppliers can't add these things to pages on apple.com. Just as MySpace has the responsibility to make sure that their users can't add malicious scripts to pages on myspace.com.

tveric
Dec 7, 2006, 11:41 PM
The fact that QuickTime is used as a vehicle is no different than if a simple HTML link were used as the vehicle. Should we have all web browsers remove a potentially dangerous feature (web links) because they can be abused by malicious users on sites that don't filter their content?

nice try with the apples and oranges comparison. Quicktime, an app that is provided by a single vendor, is hardly the same as web links, an HTML standard. Lots of FUD from this guy, folks, move on.

bankshot
Dec 8, 2006, 01:14 AM
nice try with the apples and oranges comparison. Quicktime, an app that is provided by a single vendor, is hardly the same as web links, an HTML standard. Lots of FUD from this guy, folks, move on.

FUD? Give me a break. :rolleyes:

QuickTime has a feature that allows the user to click on the movie and send the browser to a web destination. That is the feature that's being used here, and it's the only feature of QuickTime that's relevant to this issue. In this context, it's exactly like a standard HTML link. Apples to apples.

The fact that QuickTime comes from a single vendor changes nothing. Like many other standard web features (links, forms, buttons, images, CSS, etc), it can be abused by users who are allowed to upload their own content to a website they don't own. The QuickTime HREF track is no less secure than any of these other web features, period. It is not Apple's responsibility to remove or cripple a perfectly working feature because sites that are set up to display foreign-originated content are too lazy to filter that content. Just as the standards bodies who developed the HTML+CSS specifications do not have that responsibility with respect to their features either.

I really don't care that this is associated with an Apple product. I don't care that it's MySpace, which I'm not fond of. I'd say the same thing if it were a Microsoft, Adobe, or some free/standards-based feature being exploited on Google, Yahoo, LiveJournal, or any other community site.

The owner of any community site with user-generated content must take steps to ensure that that content does not cause harm to the other users' data. The site I help run does it, so can MySpace if they want to.

Lara F
Dec 8, 2006, 02:01 AM
I hate MySpace's crummy coding as much as the next person. Ever since the summer I've gotten numerous error messages when clicking a link, or the music doesn't play/download/add to my profile as it's supposed to. And there's the pages where I can barely scroll down due to all the junk making Safari crawl. That said, IMO it's ignorant to keep stating that it's nothing but a stupid teen hangout. I'm past those years, but as someone who loves indie Brit music, I'm very grateful to MySpace for allowing me to discover bands I'd never have known otherwise. My faves don't even have a record deal at the moment, but thanks to MySpace (and Wiretap Pro) ;) I have at least some of their songs on my iPod. Like it or not, it really has made a difference in exposure for bands.

Kudos to Apple for doing what they can to fix the problem.

johhny.ace
Jan 11, 2007, 12:01 AM
no wonder there are a lot of sex predators on myspace etc.; it doesn't have efficient security to protect itself..

two thumbs up apple.. :D