MySpace Demands Apple Change Quicktime To Fix MySpace Worm

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Dec 6, 2006.

  1. macrumors bot

    MacRumors

    #1

    According to News.com, MySpace.com is demanding that Apple change its Quicktime player software to address an issue that occurred recently when the popular social networking website was attacked by a phishing/worm attack that used embedded Quicktime movies to propagate.

    Nevertheless, Apple is obliging.

    It remains unclear how the temporary solution will be distributed. Also, while MySpace had temporarily blocked the web links in question while waiting for Apple's response, MacRumors is unaware of any attempts by the company to address the root cross-scripting vulnerability that may still potentially be exploited via other yet-unknown means.
     
  2. Editor emeritus

    longofest

    #2
    +1 for Apple's security reputation (which it could use after last month)

    -5 for MySpace's security reputation
     
  3. macrumors P6

    twoodcc

    #3
    well I think it's good that Apple is doing something about it, but myspace shouldn't demand them to though
     
  4. macrumors 6502a

    Dunepilot

    #4
    Myspace really is a crock. My band's account got compromised the other day, which was irritating.

    And why on earth do people put that ridiculous transparency effect on their pages? Crashes Safari every time.
     
  5. macrumors 68030

    benthewraith

    #5
    Because the people that use them don't know what a good webpage looks like?
     
  6. macrumors 68030

    Flowbee

    #6
    This is potentially much more harmful to Apple from a PR standpoint than last week's Nike+iPod "stalking" story. Let's see what the press does with this one.
     
  7. Moderator emeritus

    mkrishnan

    #7
    Well, bitching about MySpace aside, there is a vulnerability in Quicktime. Which is bad. But Apple is fixing it, which is good. I can live with that, I guess.
     
  8. macrumors 6502a

    iJaz

    #8
    Isn't Myspace run by a (former) notorious spammer? That says something about their credibility.
     
  9. macrumors 65816

    Rojo

    #9
    Is it wrong of me to get a good chuckle from this story? ;)
     
  10. macrumors 65816

    Seasought

    #10
    No actually... :D
     
  11. macrumors 68020

    Unspeaked

    #11
    You mean NewsCorp?

    Yeah, Rupert Murdoch has a long history of Nigerian Bank Account schemes...
     
  12. macrumors 68030

    redAPPLE

    #12
    "Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.


    maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?
     
  13. macrumors 601

    Westside guy

    #13
    It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

    There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".
     
  14. macrumors member

    kenzbud

    #14
    So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?
     
  15. macrumors 68020

    MacinDoc

    #15
    If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited. So MySpace's complaint is like blaming the manufacturer of a mouse if a hacker uses the mouse to reformat your hard drive. Apple's response to MySpace's demand is for PR purposes, and it certainly demonstrates that Apple has a greater concern for MySpace users than MySpace itself does. MySpace's real focus should be to fix its own bugs, because I'm sure that hackers will find other ways to exploit them, once the Quicktime features are disabled.
     
  16. macrumors demi-god

    Spanky Deluxe

    #16
    Wow, a security vulnerability does some good for once!
     
  17. macrumors 65816

    iJawn108

    #17
  18. macrumors 6502a

    #18
    Myspace is so *****ty it's not even funny. It's the slowest running web site on the internet, and it's always down.

    They should resolve some of their own issues before they go and tell Apple what to do...
     
  19. Moderator emeritus

    mkrishnan

    #19
    It appears to have been an unknown vulnerability in QT that has been around for some time....

    However, it's important to note I think that QT is the VECTOR. That is, it delivers the exploit, but the exploit itself seems to be a Windows exploit... as far as I know there isn't any evidence of MacOS spyware related to this... just Windows?

    Nonetheless, if this impacts OS X as a vector, it's a missing link, because there's never really been an exploited vulnerability in OS X that allowed software to be installed without user intervention before.
     
  20. macrumors 6502a

    failsafe1

    #20
    Fixing vulnerabilities is a good thing. Shame it came to light because of myspace. Yuck
     
  21. macrumors 65816

    #21
    This generally concurs with my understanding of the issue (still trying to dig up more specifics on it).

    Basically an interactivity feature of QuickTime (exists for various good reasons) is being leveraged to bring up a spoofed login page attempting to trick a myspace user to provide their login information. If they do that, then javascript in the spoofed webpage walks their myspace site attempting to inject links to a phishing site and add the QuickTime movie to the user's site.

    So I really don't see the vulnerability existing in QuickTime... any number of other methods could be used to attempt similar trickery (flash can do similar things). All I can see Apple doing is providing a way for a hosting site to disable this feature for all movies downloaded from its site (likely strip the track).

    ...welcome to wonderful world of cross-site scripting attacks.
     
  22. Administrator

    Doctor Q

    Staff Member

    #22
    I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

    Is a feature being removed?
     
  23. Moderator emeritus

    mkrishnan

    #23
    That's a good question...although, I would tend to think that if whatever is involved here was being used frequently, this exploit would have been identified already. But then you never know.
     
  24. macrumors regular

    #24
    Well, maybe if the worm actually only affected the MySpace users seen on DateLine's "To Catch a Predator", it would be a good thing. :D

    Actually...aren't most....nahhy, I won't go there. :rolleyes:

    Kudos for Apple to step up even if it is a combination of issues with QT and MySpace and IE.
     
  25. macrumors 6502a

    #25
    I demand MySpace do more to make sure pedophiles stay out.
     
