MySpace gets into Apple patch pickle
MySpace.com and Apple Computer are demonstrating how not to deliver security fixes.
In response to a worm attack that hit the social-networking site over the weekend, MySpace has made available a security update to Apple Computer's QuickTime media player. Users who might need the fix are being told to go to a special MySpace.com page via a message that appears on their MySpace home page from Tom, the company's co-founder and everybody's first "friend" on the site.
On that special page, MySpace instructs its users to ignore an Internet Explorer security warning and install "QuickTime" from "Apple Computer, Inc." The MySpace QuickTime update page looks like any other page on the social-networking site; there is no special security section on MySpace.
This is causing confusion among MySpace users, who rightfully question whether the update is legitimate. After all, security updates for QuickTime should come from Apple, not from MySpace. Many Internet users know of the scams on the Net that take the guise of security updates but are in fact malicious programs.
"I got this announcement on my front page and it struck me as odd immediately," writes one MySpace user on a MySpace bulletin board about the message from Tom. Others also wonder whether the note is legitimate. "There's been way too much craziness on here lately," writes another MySpace user.
MySpace, though, insists on teaching Internet users bad habits.
The company responded to the confusion on Tom's blog. "Yes the link/update is legit, and yes the message about it on your homepage is really from me," Tom writes. "You cannot get the update from QuickTime's Web site yet. Get it here." The blog also instructs people to click through the Internet Explorer security warnings.
Brian Krebs at The Washington Post also criticizes MySpace and Apple for a "completely fumbled" patch rollout.
MySpace on Tuesday asked Apple to update its QuickTime media player software so it can't be used in attacks on the site. The request came after a worm in the form of a rigged QuickTime movie crawled onto MySpace.com over the weekend, changing people's MySpace profiles. The worm spread because of QuickTime's support for JavaScript code.
Apple provided MySpace with a temporary fix and said it would be up to the social-networking site to offer it to users. Initially MySpace did not respond to an inquiry from CNET News.com as to when the solution would be available to users, but later it appeared on the MySpace Web site.
The current fix appears to only work for IE users, while the problem can also affect users of other Web browsers. Apple has said it is working on a broader solution for all users, but has not said how that would be delivered.



