Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
MySpace Demands Apple Change Quicktime To Fix MySpace Worm
- Thread starter MacRumors
- Start date
- Sort by reaction score
For those confused about "where the bug lies"... It is a two-edged sword. The root-cause is in a cross-site scripting vulnerability on MySpace's website. This is then exploited by a "feature" that can be abused in Quicktime.
Honestly, I'm regurgitating a lot of that, and I'd certainly like to know someone who has actually developed using quicktime before and has used the HREF track feature that is in question. But this is certainly not all Apple's fault like MySpace seems to be indicating. If MySpace doesn't address the root cause of the problem, they are going to get more of these attacks.
Honestly, I'm regurgitating a lot of that, and I'd certainly like to know someone who has actually developed using quicktime before and has used the HREF track feature that is in question. But this is certainly not all Apple's fault like MySpace seems to be indicating. If MySpace doesn't address the root cause of the problem, they are going to get more of these attacks.
Example use of HREF track... watching a training video and as the video plays related web content is changed in sync with the current topic of the video.
What exactly does it mean for a *website* to have a cross-scripting vulnerability? The javascript in QT is client side, is it not? So if there is a JScript vulnerability, doesn't it have to occur at the browser level? Or does the JScript somehow make a request of MySpace's web server that gets bounced to an outside server by MySpace, which should not be allowed?
It's not a bug in QuickTime. It's a bug in MySpace. Check out this post for a pretty direct explanation of exactly how this hack works. QuickTime is just the platform.
MySpace filth should be left off the front page. They make me sick. 
I want to throw up in their mouths a little bit. No, scratch that. A lot.
I want to throw up in their mouths a little bit. No, scratch that. A lot.Not... well it is client side but the script isn't in the QT movie. All QuickTime can do is call a javascript function of the page it is hosted in. Note that QT can provide data to the javascript functions it calls (which makes sense).
I haven't see a good description of exactly what happens in this exploit but it sounds like that when a user visits a web-page with crafted QT movie and views that movie it either brings up a another page that shows a fake myspace login page and/or it calls a javascript function found in the hosting web-page. If the later then the hosting web-page would be a myspace page and hence could be using myspace javascript code against itself.
UPDATE... ah after looking at the link godrifle provided it looks like that a QT movie is being used to call a javascript function that exists in myspace pages. This function is provided by myspace developers and it is being used to rewrite a part of the web-page (MySpace menu) using a vulnerability in MySpace (CSS can be used to modify the look of the MySpace page so as to hide elements allowing replacement with others). This allows it to hijack the menu for its fishing purposes.
A feature in QuickTime, being used to exploit a vulnerability to a simple CSS hack in MySpace, employing Javascript.
1) Who the hell is myspace to demand anything? This is their problem and they're blaming someone else.
2) The report says that this worm is affecting IE users. Isn't that a Microsoft problem?
3) Myspace.com sucks.
2) The report says that this worm is affecting IE users. Isn't that a Microsoft problem?
3) Myspace.com sucks.
Saw that story in the Metro today, it didn't mention the distance thing though, also apparently you need to spend £150 to get the scanner for the Nike+iPod thing, last time I looked eyes were free, and can see further too.
haha, who in the heck is myspace to demand anything? there two bit half coded POS crashes on average 50% of the time no matter what browser I use.
like someone else said I demand they crack down on pedophiles, learn how to write successful code, and until they are anything more than a popular hangout for kids they don't get much respect in my book.
like someone else said I demand they crack down on pedophiles, learn how to write successful code, and until they are anything more than a popular hangout for kids they don't get much respect in my book.
Of course, there's also the age-old "following" hack that impacts all users of Nike shoes.
That is why Nike is recommending that all users of Nike shoes disable their walking and running features so they can avoid being followed or otherwise tracked in public.Of course, there's also the age-old "following" hack that impacts all users of Nike shoes.
Is it wrong of me to get a good chuckle from this story?
For the love of God, anyone who visits MySpace deserves to have their computer compromised... preferably compromised by throwing it down a flight of stairs.
Nope, I do not mean Rupert Murdoch, obviously. I didn't know he owned Myspace. And I didn't know about his Nigerian Bank Account schemes...
I actually meant the founding of Myspace as a spam delivery system http://www.valleywag.com/tech/myspace/myspace-the-business-of-spam-20-exhaustive-edition-199924.php and I thought the original founders still owned Myspace, my mistake.
It is amazing how polarizing myspace can be.
It is probably one of the most popular sites on the internet yet nearly every post here slams it.
Interesting dont you think?
I agree that one: Apple are being super stand up with their response but that they should also make sure the world knows this is a myspace issue.
Two: myspace should not be demanding anything.
Three: the site and social concept sucks. This is singularly one of the worst things to have come out of the internet and it is having a dramatic effect on our children....a very bad effect.
Just another Rupert Murdoch pile of c**p.
Yep....very polarizing
It is probably one of the most popular sites on the internet yet nearly every post here slams it.
Interesting dont you think?
I agree that one: Apple are being super stand up with their response but that they should also make sure the world knows this is a myspace issue.
Two: myspace should not be demanding anything.
Three: the site and social concept sucks. This is singularly one of the worst things to have come out of the internet and it is having a dramatic effect on our children....a very bad effect.
Just another Rupert Murdoch pile of c**p.
Yep....very polarizing
Windows is the most popular OS and nearly every post here slams it. Mac users just don't like MySpace for some reason. Social networking sites are cool; I had a profile on Xanga and later moved over to Facebook.
I prefer Facebook over MySpace. MySpace is too smutty. It's just trashy all around. Facebook has a much cleaner look and the content is usually higher class.
Windows is the most popular OS and nearly every post here slams it. Mac users just don't like MySpace for some reason. Social networking sites are cool; I had a profile on Xanga and later moved over to Facebook.
Besides this, who cares if people hate MySpace? This news still identifies a vulnerability related to Quicktime. And there doesn't seem to be any evidence that the vulnerability is purely limited to MySpace, even though it only appears to be exploited there. So it should be of importance regardless of one's views on MySpace....
MySpace is pretty crappy looking, but the truth is, for whatever reason, it's probably the most popular site of its kind on the 'net.
If QuickTime has a 'feature' that can be exploited and used for evil, that's a security issue and should be fixed by Apple.
If QuickTime has a 'feature' that can be exploited and used for evil, that's a security issue and should be fixed by Apple.
Just to be clear, this DOES NOT affect Macs and OS X...thanks again, Apple, for giving us the best and safest OS in the world...