MySpace Demands Apple Change Quicktime To Fix MySpace Worm

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Dec 6, 2006.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    According to News.com, MySpace.com is demanding that Apple change its Quicktime player software to address an issue that occurred recently when the popular social networking website was attacked by a phishing/worm attack that used embedded Quicktime movies to propagate.

    Nevertheless, Apple is obliging.

    It remains unclear how the temporary solution will be distributed. Also, while MySpace had temporarily blocked the web links in question while waiting for Apple's response, MacRumors is unaware of any attempts by the company to address the root cross-scripting vulnerability that may still potentially be exploited via other yet-unknown means.
     
  2. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #2
    +1 for Apple's security reputation (which it could use after last month)

    -5 for MySpace's security reputation
     
  3. macrumors P6

    twoodcc

    Joined:
    Feb 3, 2005
    Location:
    Right side of wrong
    #3
    well i think it's good that Apple is doing something about it, but myspace shouldn't demand them to, though
     
  4. macrumors 6502a

    Dunepilot

    Joined:
    Feb 25, 2002
    Location:
    UK
    #4
    Myspace really is a crock. My band's account got compromised the other day, which was irritating.

    And why on earth do people put that ridiculous transparency effect on their pages? Crashes Safari every time.
     
  5. macrumors 68030

    benthewraith

    Joined:
    May 27, 2006
    Location:
    Miami, FL
    #5
    Because the people that use them don't know what a good webpage looks like?
     
  6. macrumors 68030

    Flowbee

    Joined:
    Dec 27, 2002
    Location:
    Alameda, CA
    #6
    This is potentially much more harmful to Apple from a PR standpoint than last week's Nike+iPod "stalking" story. Let's see what the press does with this one.
     
  7. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #7
    Well, bitching about MySpace aside, there is a vulnerability in Quicktime. Which is bad. But Apple is fixing it, which is good. I can live with that, I guess.
     
  8. macrumors 6502a

    iJaz

    Joined:
    Dec 16, 2004
    #8
    Isn't Myspace run by a (former) notorious spammer? That says something about their credibility.
     
  9. macrumors 65816

    Rojo

    Joined:
    Sep 26, 2006
    Location:
    Brookyln
    #9
    Is it wrong of me to get a good chuckle from this story? ;)
     
  10. macrumors 65816

    Seasought

    Joined:
    Nov 3, 2005
    #10
    No actually... :D
     
  11. macrumors 68020

    Unspeaked

    Joined:
    Dec 29, 2003
    Location:
    West Coast
    #11
    You mean NewsCorp?

    Yeah, Rupert Murdoch has a long history of Nigerian Bank Account schemes...
     
  12. macrumors 68030

    redAPPLE

    Joined:
    May 7, 2002
    Location:
    2 Much Infinite Loops
    #12
    "Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.


    maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?
     
  13. macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy part of the Pacific NW
    #13
    It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

    There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".
     
  14. macrumors member

    kenzbud

    Joined:
    Oct 21, 2005
    #14
    So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?
     
  15. macrumors 68020

    MacinDoc

    Joined:
    Mar 22, 2004
    Location:
    The Great White North
    #15
    If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited. So MySpace's complaint is like blaming the manufacturer of a mouse if a hacker uses the mouse to reformat your hard drive. Apple's response to MySpace's demand is for PR purposes, and it certainly demonstrates that Apple has a greater concern for MySpace users than MySpace itself does. MySpace's real focus should be to fix its own bugs, because I'm sure that hackers will find other ways to exploit them, once the Quicktime features are disabled.
     
  16. macrumors demi-god

    Spanky Deluxe

    Joined:
    Mar 17, 2005
    Location:
    London, UK
    #16
    Wow, a security vulnerability does some good for once!
     
  17. macrumors 65816

    iJawn108

    Joined:
    Apr 15, 2006
    #17
  18. macrumors 6502a

    Joined:
    Jul 17, 2005
    Location:
    Lake George, NY
    #18
    Myspace is so *****ty it's not even funny. It's the slowest running web site on the internet, and it's always down.

    They should resolve some of their own issues before they go and tell Apple what to do...
     
  19. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #19
    It appears to have been an unknown vulnerability in QT that has been around for some time....

    However, it's important to note I think that QT is the VECTOR. That is, it delivers the exploit, but the exploit itself seems to be a Windows exploit... as far as I know there isn't any evidence of MacOS spyware related to this... just Windows?

    Nonetheless, if this impacts OS X as a vector, it's a missing link, because there's never really been an exploited vulnerability in OS X that allowed software to be installed without user intervention before.
     
  20. macrumors 6502a

    failsafe1

    Joined:
    Jul 21, 2003
    #20
    Fixing vulnerabilities is a good thing. Shame it came to light because of myspace. Yuck
     
  21. macrumors 65816

    Joined:
    Jun 1, 2004
    #21
    This generally concurs with my understanding of the issue (still trying to dig up more specifics on it).

    Basically an interactivity feature of QuickTime (exists for various good reasons) is being leveraged to bring up a spoofed login page attempting to trick a myspace user to provide their login information. If they do that then javascript in the spoofed webpage then walks their myspace site attempting to inject links to a phishing site and add the QuickTime movie to the user's site.

    So I really don't see the vulnerability existing in QuickTime... any number of other methods could be used to attempt similar trickery (flash can do similar things). All I can see Apple doing is providing a way for a hosting site to disable this feature for all movies downloaded from its site (likely strip the track).

    ...welcome to wonderful world of cross-site scripting attacks.
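
    A hosting-side check of the kind post #21 alludes to, as an added example that is not part of the original thread and is not Apple's or MySpace's code: it walks the atom tree of an uploaded QuickTime movie and refuses files that are malformed or carry a script-scheme URL. It assumes the URL is stored as plain text inside an atom; all function names and the sample movies are constructed for illustration.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}  # atoms that hold child atoms
SCRIPT_SCHEMES = (b"javascript:", b"vbscript:")  # assumption: schemes the host refuses

def walk_atoms(buf, start=0, end=None, path=""):
    """Yield (path, payload_start, payload_end) for every leaf atom in buf."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            if pos + 16 > end:
                raise ValueError("truncated extended-size atom at %d" % pos)
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:  # atom runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError("bad atom size at offset %d" % pos)
        name = path + "/" + kind.decode("latin-1")
        if kind in CONTAINERS:
            yield from walk_atoms(buf, pos + header, pos + size, name)
        else:
            yield name, pos + header, pos + size
        pos += size

def find_script_urls(buf):
    """Return sorted (atom_path, scheme) pairs for leaf atoms carrying a script URL."""
    hits = set()
    for name, lo, hi in walk_atoms(buf):
        payload = buf[lo:hi].lower()  # schemes are case-insensitive
        hits.update((name, s.decode()) for s in SCRIPT_SCHEMES if s in payload)
    return sorted(hits)

def upload_allowed(buf):
    """Reject uploads that are malformed or that carry script URLs."""
    try:
        return not find_script_urls(buf)
    except ValueError:
        return False

def atom(kind, payload=b""):
    """Build one atom; used only to construct the sample movies below."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed samples, not real movies: one clean, one with a script URL in media data.
CLEAN = (atom(b"ftyp", b"qt  ")
         + atom(b"moov", atom(b"trak", atom(b"tkhd", bytes(8))))
         + atom(b"mdat", bytes(16)))
FLAGGED = CLEAN + atom(b"mdat", b"<JavaScript:void(0)>")
```

    A substring scan like this is a coarse upload filter; it does not replace fixing script injection on the hosting site itself, which several posters identify as the root issue.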
     
  22. Administrator

    Doctor Q

    Staff Member

    Joined:
    Sep 19, 2002
    Location:
    Los Angeles
    #22
    I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

    Is a feature being removed?
     
  23. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #23
    That's a good question...although, I would tend to think that if whatever is involved here was being used frequently, this exploit would have been identified already. But then you never know.
     
  24. macrumors regular

    Joined:
    Apr 18, 2006
    Location:
    NEK
    #24
    Well, maybe if the worm actually only affected the MySpace users seen on DateLine's "To Catch a Predator", it would be a good thing.:D

    Actually...aren't most....nahhy, I won't go there.:rolleyes:

    Kudos for Apple to step up even if it is a combination of issues with QT and MySpace and IE.
     
  25. macrumors 6502a

    Joined:
    Dec 28, 2004
    Location:
    of my hand will get me slapped.
    #25
    I demand MySpace do more to make sure pedophiles stay out.
     
