Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
MySpace Demands Apple Change Quicktime To Fix MySpace Worm
- Thread starter MacRumors
- Start date
- Sort by reaction score
Info
To add a little bit to the discussion:
This isn't really a security flaw in Quicktime. This is a feature. However, in an untrusted environment, this feature can be compromised. There have been so many JavaScript related attacks (in which some user posts JavaScript to a MySpace page, and this JavaScript then does something malicious to other logged-in users when they visited the page) on MySpace that MySpace wants to disable JavaScript on all user input. Ok, so far so good. However, Flash and Quicktime both have the ability to do some rudimentary JavaScript. MySpace yells at Adobe, who implement some undocumented features in flash player 9, at MySpace's request. These are essentially plugin parameters; they didn't remove the ability for the flash player to work with JavaScript, they added some parameters that MySpace can append to all submitted <embed> tags, that will disable any JavaScript within the flash movie.
I imagine they'd like Apple to adopt a similar parameter for their Quicktime player. So what they're really asking for is an additional feature to Quicktime, not a bug fix.
Oh, and I like MySpace, as a means to an end - but it really does lower your estimation of the average person.
To add a little bit to the discussion:
This isn't really a security flaw in Quicktime. This is a feature. However, in an untrusted environment, this feature can be compromised. There have been so many JavaScript related attacks (in which some user posts JavaScript to a MySpace page, and this JavaScript then does something malicious to other logged-in users when they visited the page) on MySpace that MySpace wants to disable JavaScript on all user input. Ok, so far so good. However, Flash and Quicktime both have the ability to do some rudimentary JavaScript. MySpace yells at Adobe, who implement some undocumented features in flash player 9, at MySpace's request. These are essentially plugin parameters; they didn't remove the ability for the flash player to work with JavaScript, they added some parameters that MySpace can append to all submitted <embed> tags, that will disable any JavaScript within the flash movie.
I imagine they'd like Apple to adopt a similar parameter for their Quicktime player. So what they're really asking for is an additional feature to Quicktime, not a bug fix.
Oh, and I like MySpace, as a means to an end - but it really does lower your estimation of the average person.
Hi
This is pretty easily handled by MySpace by sending out an email to members warning of phishing attempts or even just the users by only logging in at the main site ( http://www.myspace.com ), if logging in is necessary ( time outs, logouts ). Another method may be to have a digitally signed ( protected ) login procedure.
Exactly! This is more of a trojan if anything of the sort. It requires the use of a less intelligent or less alert victim to actually do any harm. The "worm" itself just directs users to a phony login page, a very regular phishing technique, and that's where the information is actually harvested and than the harvested account is abused.
This is pretty easily handled by MySpace by sending out an email to members warning of phishing attempts or even just the users by only logging in at the main site ( http://www.myspace.com ), if logging in is necessary ( time outs, logouts ). Another method may be to have a digitally signed ( protected ) login procedure.
One more time, this IS NOT a bug or vulnerability in QT. It's an XSS vulnerability in MySpace that can be exploited using a documented QT feature. If the MySpace javascript was coded properly this wouldn't be an issue. This is solely the responsibility of of MySpace, the fact that Apple's willing to help solve the problem is a great PR move.
Ah, I see. That article's ben disputed, but I don't think any official link has been revealed.
In any case, I do agree that MySpace has always been a little fishy.
As for their corporate history, the site was only independently owned for about a year, at which point a company called Intermix purchased a majority stake.
Intermix sold their assets to NewsCorp last year for many, many times their market value, and they and the MySpace founders made out like bandits!
Tom has been attempting to warn people for 3 weeks or so and apparently, it continues to happen. That doesn't surprise me somehow. It's pretty simple to pay attention and to know where you are at all times, but most people believe that's it's possible to drive correctly and talk on the phone at the same time.
If their own profiles are compromised because they don't take care of things properly, why is it Apple's problem at all? People take advantage of other people. They should be going after them instead of blaming it on a feature of QuickTime.
No. While MySpace's coding is poorly thought out, it is a cross-site scripting vulnerability in QuickTime that allows this to happen. These sorts of things used to be a big problem in web server software like Apache and IIS. Now that tools like Quicktime and Flash are becoming more sophisticated, they're being exploited too.
Whether or not MySpace should allow users to modify CSS is a separate argument. In my opinion it's extremely stupid of them to do it - this has made it extremely easy for bad guys to exploit an open Firefox flaw and now this Quicktime flaw. But, in the end, they ARE flaws in Firefox and in Quicktime (matter of fact, the Quicktime flaw is rather similar to the Firefox flaw).
Actually it looks like HREF tracks can indeed include simple javascript command sequences... however I don't think it can include decision logic. It is more of command one, command two, etc. not if this do that type of scripting.
It isn't clear to me yet who would/should do the validation of the context of the javascript command in relation to the domain of the site hosting the video (the QT plugin or say IE).
It isn't clear to me yet who would/should do the validation of the context of the javascript command in relation to the domain of the site hosting the video (the QT plugin or say IE).
Mac users just don't like MySpace for some reason. Social networking sites are cool; I had a profile on Xanga and later moved over to Facebook.
Social networking is great, but MySpace just sucks.
I have to agree with 1 & 3. Where exactly does myspace get the balls to "demand" that apple do anything at all? Does it think its user base of teen emo kids give them powers to boss around corporations that actually provide decent products?
But I digress...
Wow... lots of bitterness against MySpace... how come?
Just curious... I mean, 30 gazillion users can't be *that* wrong, can they? Although, yeah, MySpace has more errors and crashes than a PC.
Almost.
Just curious... I mean, 30 gazillion users can't be *that* wrong, can they? Although, yeah, MySpace has more errors and crashes than a PC.
Almost.
Okay, I think it's obvious (even by reading a few paragraphs of the article) that this guy is a paranoid liberal extremist. Yes, Facebook might have tons of information in a database but that doesn't make it Big Brother. Big Brother implies direct governmental control and monitoring. Facebook is commercial. And it's volunteer.
And trust me: I bash Bush with the rest of 'em, but anyone who refers to the Bush Administration as a "regime" has issues. That article should DEFINITELY be taken with a grain of salt.
And lastly, as a member of both, I can vouch for mozmac and say that MySpace is scummy and Facebook is clean, refined, and safe. At anytime, if I do not want to receive messages from a person or group, I can block it. The same is not true for MySpace.
MySpace = Spam Nation. I will soon go out in a ball of flames, posting messages to everyone I know and don't know, telling of the evils which lie within. I will be a Facebook crusader until MySpace bans me.
-Clive
Screw myspace. Myspace is just a place for guys to find chicks to do, and is a place for girls to slut them selves out (no offense to the normal users out there)
Except that it is NOT a vulnerability, security flaw, or any other bad thing on the part of Apple, as you imply. This is a legitimate, useful feature that will now be disabled because MySpace has a problem.
The bad guys are slowly but surely dictating to us how we will use the internet. How many other legitimate, useful, features will, or have already been, disabled by Apple or Microsoft so the bad guys can't exploit them while we meekly stand by and let the scum bags tell us which features we can enjoy or not? This whole thing sucks.
This is kinda the way of the world though.. I mean how many things do we have to no just because thieves and crooks have stopped us from living a normal simple life... Sucks but just a way of the world...
What an absolute horrible world this person has to live in due to his/her imagination. I can't imagine the burden of paranoia this individual has to carry every day.
It would not be to hard to imagine this individual wearing disguises as he or she interacts with real people in the real world.
I'm not sure of his/her gender, because I am convinced he/she would lie about it, so as not to reveal anything about himself/herself.
It is really quite sad. I really wish this person could just take a month, stay away from the internet and college campuses, go out into the real world and enjoy life. This burden is too much to carry for very long.
This is that part that I admitted I do not fully understand. But I don't buy into your perspective just yet, either. Lots of vulnerabilities are part of features that have legitimate usage.
Where is the XSS interpreted? If it is interpreted on the client side, I stick to the belief that this is fundamentally a client-side issue and not a MySpace issue. The problem lays with the browser Javascript engine and/or QT. But if the script is being executed on the server, certainly it's a MySpace issue.
The end result of this vulnerability though, is malicious code is run through a browser window on the client computer. That's a client-side issue to me. Not a MySpace issue. Even if MySpace fixes their implementation to prevent this, there's no preventing the same exploit from being embedded in someone else's website.
Imo
Anything that screws MySpace is good!
Those social networking megasites like MySpace, hi5 and Friendster are bound to die anyway, smaller "community specific" social networking services will prevail. And I base that comment on my incredibly awesome insight.
Anything that screws MySpace is good!
Those social networking megasites like MySpace, hi5 and Friendster are bound to die anyway, smaller "community specific" social networking services will prevail. And I base that comment on my incredibly awesome insight.