MySpace Demands Apple Change Quicktime To Fix MySpace Worm

[MacRumors]

According to News.com, MySpace.com is demanding that Apple change its Quicktime player software to address an issue that occurred recently when the popular social networking website was attacked by a phishing/worm attack that used embedded Quicktime movies to propagate.

The worm exploits a common type of Web vulnerability called a cross-site scripting flaw in the site along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts said.

Nevertheless, Apple is obliging.

Apple is working on a QuickTime fix, but has a temporary solution available Tuesday, company spokeswoman Lynn Fox said in an e-mail.

"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.

Apple said it has provided MySpace with the temporary fix. The computer company said it would be up to the social-networking site to offer it to users. MySpace has not responded to an inquiry from CNET News.com as to when the temporary solution would be available to users.

It remains unclear how the temporary solution will be distributed. Also, while MySpace had temporarily blocked the web links in question while waiting for Apple's response, MacRumors is unaware of any attempts by the company to address the root cross-scripting vulnerability that may still be potentially be exploited via other yet-unknown means.

 

[longofest]

+1 for Apple's security reputation (which it could use after last month)

-5 for MySpace's security reputation

 

[twoodcc]

well i think it's good that Apple is doing something about it, but myspace shouldn't demand them too though

 

[Dunepilot]

Myspace really is a crock. My band's account got compromised the other day, which was irritating.

And why on earth do people put that ridiculous transparency effect on their pages? Crashes Safari every time.

 

[benthewraith]

Myspace really is a crock. My band's account got compromised the other day, which was irritating.

And why on earth do people put that ridiculous transparency effect on their pages? Crashes Safari every time.

Because the people that use them don't know what a good webpage looks like?

 

[Flowbee]

This is potentially much more harmful to Apple from a PR standpoint than last week's Nike+iPod "stalking" story. Let's see what the press does with this one.

 

[mkrishnan]

Well, bitching about MySpace aside, there is a vulnerability in Quicktime. Which is bad. But Apple is fixing it, which is good. I can live with that, I guess.

 

[iJaz]

Isn't Myspace run by a (former) notorious spammer? That says something about their credibility.

 

[Rojo]

Is it wrong of me to get a good chuckle from this story?

 

[Seasought]

Is it wrong of me to get a good chuckle from this story?

No actually...

 

[Unspeaked]

Isn't Myspace run by a (former) notorious spammer? That says something about their credibility.

You mean NewsCorp?

Yeah, Rupert Murdoch has a long history of Nigerian Bank Account schemes...

 

[redAPPLE]

"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.


maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?

 

[Westside guy]

maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?

It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".

 

[kenzbud]

So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?

 

[MacinDoc]

It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".

If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited. So MySpace's complaint is like blaming the manufacturer of a mouse if a hacker uses the mouse to reformat your hard drive. Apple's response to MySpace's demand is for PR purposes, and it certainly demonstrates that Apple has a greater concern for MySpace users that MySpace itself does. MySpace's real focus should be to fix its own bugs, because I'm sure that hackers will find other ways to exploit them, once the Quicktime features are disabled.

 

[Spanky Deluxe]

Wow, a security vulnerability does some good for once!

 

[iJawn108]

My freind sent me this

CLICK AT YOUR OWN RISK!


http://vids.myspace.com/quicktime/upgrade.cfm

is that the patch? or a hoax to try and install the worm?

 

[sbrhwkp3]

Myspace is so *****ty it's not even funny. It's the slowest running web site on the internet, and it's always down.

They should resolve some of their own issues before they go and tell Apple what to do...

 

[mkrishnan]

So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?

It appears to have been an unknown vulnerability in QT that has been around for some time....

However, it's important to note I think that QT is the VECTOR. That is, it delivers the exploit, but the exploit itself seems to be a Windows exploit... as far as I know there isn't any evidence of MacOS spyware related to this... just Windows?

Nonetheless, if this impacts OS X as a vector, it's a missing link, because there's never really been an exploited vulnerability in OS X that allowed software to be installed without user intervention before.

 

[failsafe1]

Fixing vuneralbilities is a good thing. Shame it came to light because of myspace. Yuck

 

[shawnce]

If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited.

This generally concurs with my understanding of the issue (still trying to dig up more specifics on it).

Basically an interactivity feature of QuickTime (exists for various good reasons) is being leveraged to bring up a spoofed login page attempting to trick a myspace user to provide their login information. If they do that then javascript in the spoofed webpage then walks their myspace site attempting to inject links to a fishing site and add the QuickTime movie to the users site.

So I really don't see the vulnerability existing in QuickTime... any number of other methods could be used to attempt similar trickery (flash can do similar things). All I can see Apple doing is providing a way for a hosting site to disable this feature for all movies downloaded from its site (likely strip the track).

...welcome to wonderful world of cross-site scripting attacks.

 

[Doctor Q]

I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

Is a feature being removed?

 

[mkrishnan]

I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

Is a feature being removed?

That's a good question...although, I would tend to think that if whatever is involved here was being used frequently, this exploit would have been identified already. But then you never know.

 

[SciTeach]

Well, maybe if the worm actual only effected the MySpace users seen on DateLine's "To Catch a Predator", it would be a good thing.

Actually...aren't most....nahhy, I won't go there.

Kudos for Apple to step up even if is is a combination of issues with QT and MySpace and IE.

 

[Arcus]

I demand MySpace do more to make sure pedophiles stay out.