Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MySpace Demands Apple Change Quicktime To Fix MySpace Worm

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
67,504
37,790


According to News.com, MySpace.com is demanding that Apple change its Quicktime player software to address an issue that occurred recently when the popular social networking website was attacked by a phishing/worm attack that used embedded Quicktime movies to propagate.

The worm exploits a common type of Web vulnerability called a cross-site scripting flaw in the site along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts said.
Click to expand...

Nevertheless, Apple is obliging.

Apple is working on a QuickTime fix, but has a temporary solution available Tuesday, company spokeswoman Lynn Fox said in an e-mail.

"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.

Apple said it has provided MySpace with the temporary fix. The computer company said it would be up to the social-networking site to offer it to users. MySpace has not responded to an inquiry from CNET News.com as to when the temporary solution would be available to users.
Click to expand...

It remains unclear how the temporary solution will be distributed. Also, while MySpace had temporarily blocked the web links in question while waiting for Apple's response, MacRumors is unaware of any attempts by the company to address the root cross-scripting vulnerability that may still be potentially be exploited via other yet-unknown means.
 
Article Link
https://www.macrumors.com/2006/12/06/myspace-demands-apple-change-quicktime-to-fix-myspace-worm/
Myspace really is a crock. My band's account got compromised the other day, which was irritating.

And why on earth do people put that ridiculous transparency effect on their pages? Crashes Safari every time.
 
This is potentially much more harmful to Apple from a PR standpoint than last week's Nike+iPod "stalking" story. Let's see what the press does with this one.
 
Well, bitching about MySpace aside, there is a vulnerability in Quicktime. Which is bad. But Apple is fixing it, which is good. I can live with that, I guess.
 
Isn't Myspace run by a (former) notorious spammer? That says something about their credibility.
 
"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.


maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?
 
redAPPLE said:
maybe it is just me, does it only happen with IE users? if so, why is this solely Apple's problem?
Click to expand...

It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".
 
So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?
 
Westside guy said:
It is a bug in Quicktime, not in IE. And given that it's a Javascript exploit, it can conceivably be used to target other browsers as well. I imagine that the active exploit is targeting an IE vulnerability, which is why that's what they've worked around.

There's no real detail in that report, though. It just says "there's a flaw, it involves Quicktime's Javascript support, we're working on it".
Click to expand...
If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited. So MySpace's complaint is like blaming the manufacturer of a mouse if a hacker uses the mouse to reformat your hard drive. Apple's response to MySpace's demand is for PR purposes, and it certainly demonstrates that Apple has a greater concern for MySpace users that MySpace itself does. MySpace's real focus should be to fix its own bugs, because I'm sure that hackers will find other ways to exploit them, once the Quicktime features are disabled.
 
Myspace is so *****ty it's not even funny. It's the slowest running web site on the internet, and it's always down.

They should resolve some of their own issues before they go and tell Apple what to do...
 
kenzbud said:
So is this a problem that has always been around and was just now brought to attention because of myspace's popularity or is this a totally new issue?
Click to expand...

It appears to have been an unknown vulnerability in QT that has been around for some time....

However, it's important to note I think that QT is the VECTOR. That is, it delivers the exploit, but the exploit itself seems to be a Windows exploit... as far as I know there isn't any evidence of MacOS spyware related to this... just Windows?

Nonetheless, if this impacts OS X as a vector, it's a missing link, because there's never really been an exploited vulnerability in OS X that allowed software to be installed without user intervention before.
 
Fixing vuneralbilities is a good thing. Shame it came to light because of myspace. Yuck
 
MacinDoc said:
If I understand the article and the background information correctly, the bug is actually in the MySpace website, and a feature of Quicktime is one means by which the bug can be exploited.
Click to expand...

This generally concurs with my understanding of the issue (still trying to dig up more specifics on it).

Basically an interactivity feature of QuickTime (exists for various good reasons) is being leveraged to bring up a spoofed login page attempting to trick a myspace user to provide their login information. If they do that then javascript in the spoofed webpage then walks their myspace site attempting to inject links to a fishing site and add the QuickTime movie to the users site.

So I really don't see the vulnerability existing in QuickTime... any number of other methods could be used to attempt similar trickery (flash can do similar things). All I can see Apple doing is providing a way for a hosting site to disable this feature for all movies downloaded from its site (likely strip the track).

...welcome to wonderful world of cross-site scripting attacks.
 
I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

Is a feature being removed?
 
Doctor Q said:
I'd like to know if it's technically a feature of QuickTime, a vulnerability of QuickTime, or a bug in QuickTime. The choice might involve semantics, but it's also a technical distinction.

Is a feature being removed?
Click to expand...

That's a good question...although, I would tend to think that if whatever is involved here was being used frequently, this exploit would have been identified already. But then you never know.
 
Well, maybe if the worm actual only effected the MySpace users seen on DateLine's "To Catch a Predator", it would be a good thing.:D

Actually...aren't most....nahhy, I won't go there.:rolleyes:

Kudos for Apple to step up even if is is a combination of issues with QT and MySpace and IE.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back