MySpace to Apple: Fix that worm

MySpace.com wants Apple Computer to update its QuickTime media player software so it can't be used in attacks on the social-networking site.

The request comes after a worm in the form of a rigged QuickTime movie crawled onto MySpace.com over the weekend, changing people's MySpace profiles. The worm spread because of QuickTime's support for JavaScript code, experts have said.

"When we learned about an issue that exploits a feature in QuickTime and unfortunately targets MySpace users, we immediately contacted Apple to engineer a fix," Hemanshu Nigam, chief security officer at MySpace, said in an e-mail statement Tuesday.

When viewed by a MySpace user in Internet Explorer or Firefox, the specially crafted QuickTime video added itself to the user's MySpace page and replaced the links on the user's profile with links to phishing Web sites. The malicious software, dubbed Quickspace by F-Secure, infected a large, but unspecified number of MySpace users, according to the Finnish security company.

Apple is working on a QuickTime fix, but has a temporary solution available Tuesday, company spokeswoman Lynn Fox said in an e-mail.

"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.

Apple said it has provided MySpace with the temporary fix. The computer company said it would be up to the social-networking site to offer it to users. MySpace has not responded to an inquiry from CNET News.com as to when the temporary solution would be available to users.

While waiting for Apple to release a final fix, MySpace has blocked the Web links that attempt to exploit the issue and is scrubbing them from profiles on the MySpace site, Nigam said. MySpace has also reported the incident to law enforcement, he said.

MySpace, owned by News Corp., is a popular social-networking site estimated to have more than 70 million registered users. The worm exploits MySpace functionality along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts have said.

"This particular attack is not working anymore because of filtering of URLs," said Mikko Hypponen, chief research officer at F-Secure. "But the actual vulnerability still exists in the system. The final fix needs people to update their personal QuickTime player."

The object of the Quickspace attack apparently was to get people to visit the fraudulent Web sites crafted to look like MySpace log-in pages. It is unclear what the miscreants would do with the log-in data. But it could be used, for example, to exploit the user's profiles for advertising.

[`WarpKat]

Here's a novel idea:

DON'T ALLOW CRAP LIKE THAT ON YOUR SITE TO BEGIN WITH!

[afriendof77]

It must be Myspace's fault

Apple only makes superior products with no exploits or problems. ;). And if by some chance there might be one they fix the problem before anything happens so that it really wasn't an issue to begin with. I hope everyone realizes I am being sarcastic. Let the fanboys try and explain this away as a non-issue that isn't AppHell's fault.

[lal27]

Grow Up

How about you ALL stop complaining!? It's THEIR website, if you don't like it, don't be a part of it!

[cary1]

And now Apple will blame Microsoft....

just like it did for the virus it shipped with video ipod

[TigerG]

It's Microsoft IE problem based on a Myspace flaw

How is it Apple's fault if it only afflicts the world's worst browser and operating system?

Apple users using myspace aren't affected.

[sea_net]

me to myspace: disable quicktime

disable quicktime on your site... simple ;-)

[sea_net]

BREAKING NEWS: MYSPACE ARE OFFERING PATCH

"Tom
Latest Update:



Hey, you're seeing this message because we detected that you have Quicktime on your system.

Quicktime lets you watch movies on your computer.

There's been a security problem with Quicktime this weekend and bad guys have been trying to phish accounts exploiting the security hole.

You can protect yourself by downloading this patch to your Quicktime--it only takes 30 seconds. - Tom

http://vids.myspace.com/quicktime/upgrade.cfm

[M C]

So anxious to get the holy war going that you messed up the title...

"MySpace to Apple: Fix that worm"??

Apple probably didn't MAKE the worm. But you'll get the desired page views...

[jspencer09]

not necessarily...

I don't automatically assume that if I see a title that says "Windows Virus" that Microsoft MADE the virus. I think it's pretty well understood that it is a virus exploiting Windows. Besides which, titles are by nature designed for brevity. Otherwise we'd call them articles.

[rpms]

Work-around: uninstall QuickTime for good

This unsafe QuickTime "feature" -- support for embedded links in movie files and for automatic execution of JavaScript code, with no direct way for the user to control or disable the behavior -- is the last straw.

QuickTime for Windows was always intrusive, nominating itself as the default player for non-QuickTime media files, changing icons for non-QuickTime media files, displaying annoying advertising pop-ups for the paid "QuickTime Pro" product, and regularly phoning home to Apple (I'll download add-ons and updates myself, thank you very much).

I have just applied a successful work-around to all of my Windows systems:

Start > Programs > QuickTime > Uninstall QuickTime

I am very happy with the results.

For more information about the QuickTime security risk, see:

1. http://www.websense.com/securitylabs/alerts/alert.php?AlertID=708

2. http://www.apple.com/quicktime/tutorials/hreftracks.html

[lordfanatic]

work-around

go ahead and go back to using windows media player your crappy windows computers still going to get hacked and infested with viruses no matter what, oh and by the way, i have quicktime on my parents compaq laptop and its so not intrusive, plus i have an option of making it the default media player if i so want to.

[lkrupp]

Have your laughs but consider what's happening...

Some of the people screaming here about this issue are the
same who wring their hands over our "lost" freedoms because of
the age of terrorism. Think about it. The internet is slowly but
surely losing functionality because the bad guys are exploiting
legitimate features in software. Even the experts say the
Quicktime feature that allows javascript to be imbedded has
legitimate uses. Now, of course, that feature will be turned off.
How many other useful, legitimate features have been deleted or
turned off in Windows, OS X, Linux, etc. because the bad guys
exploit them.

Why aren't we going after the bad guys with really serious prison
sentences in an attempt to retain our internet freedoms? Why are
we allowing these scum bags to dictate to us how we will use the
internet? Why do Microsoft and Apple have to cripple technology
that makes our online experiences richer? Why do we need
protection from the slimy slugs that inhabit the internet instead
of stringing them up by their virtual necks?

Serious jail time, HUGE fines. That's what I want to see, not
legitimate features turned off.

[gggg sssss]

Looking for a clue here

So I'll bite - what specific legitimate reason might that be? The oh so 90's ideal of watching a BMW video and clicking on it to buy one? I thought that nonsense died when boo.com died.

If you want something to be interactive, use Flash. If you want to watch a movie use wmv. If you want --- can't think of a reason to use QT

[rpms]

Lack of warnings/control makes QuickTime unsafe

This was a very thoughtful post. In the general case, you're right that abuse is leading to reduction of useful features.

"Even the experts say the Quicktime feature that allows javascript to be imbedded has legitimate uses."

However, in the specific case of QuickTime for Windows, what's missing is (1) a warning to end-users that the software will follow embedded links and automatically execute JavaScript, and (2) a way for users to control or restrict this behavior.

[jypeterson]

Calling the kettle black

So what. A patch to fix this is now out. Security exploits are
always out there.

Is the Windows Media Player expoit free?

[royal crown]

Yeah but

WMP, or in effect, Microsoft, doesn't claim to be virus proof. (Take a look at the mac commercials regarding this). If one of Apple's major hallmarks over other OS'es is security against virii, then they in turn have failed. However, Microsoft doesn't make "virus free" (for those who are too lazy to download antivirus/antispyware and click on the "free PS3 in your email" banners) one of their major selling points.

[Thomas, David]

QuickTime may change to eliminate javascript ... BUT

Look, the Javascript capability in QuickTime isn't really a bug. It
is how MySpace is designed. Eliminating the ability to use
QuickTime to execute the "malicious" javascript, does not
remove that problem from MySpace.

I find it very interesting that MySpace isn't addressing the
problem at it's root. But then, maybe they are, and just not
talking about. I sure hope so. Because if they are not, then the
problem still remains, and the author will simply find another
mechanism to run the code.

Proper problem determination is the key to finding proper
solutions. Pointing the finger at Apple, or Microsoft, will not
alleviate the design flaw in MySpace.

[lordfanatic]

heres an even more novel idea!

Don't us sexual predator ridden myspace period!

[Steve Bryan]

More details?

This reminds me of some of the growing pains of eBay. They had to go through several redesigns of their web site as the implicit security holes were discovered and exploited.

Something that is not addressed in the article or replies is the question of whether this flaw also exists for someone using Safari on Mac OS X visiting MySpace. I went to the F-Secure article but it also did not shed light on this question.

I've always been concerned with the use of security defeating Javascript but if you turn it off in your browser there are too many sites that fail to work because of their dependence on Javascript.

[Ryo Hazuki]

BUT nothing

No, the Javascript capability in QuickTime isn't a bug, but the vulnerability it has is. Last time I checked, MySpace wasn't responsible for QuickTime, Apple is, so stop arranging excuses. MySpace doesn't have any problem, QuickTime does, and by having a problem it affects MySpace because MySpace plays QuickTime videos, it's not that tricky, is it?
No, pointing the finger at Apple, or Microsoft (you wanna see it's Microsoft's fault once again?), will not alleviate the design flaw in MySpace; asking the company responsible for the flawed software (Apple) to patch the vulnerability in its software will.

[nodeseven]

lies

any plugins that allow [script] tag is a potential danger. its not myspace's fault

[DeusExMachina]

truth

Of course it is MySpace's fault. The exploit uses QT as a vehicle to take advantage of an already published flaw in MySpace's implementation.
In what way does this make this not their fault?

You might want to research the issue before you make such broad pronouncements.

[sandsunsurf]

Quicktime vs. Windows Media Player

Regardless of your OS of choice, QT has better codecs and the QT
player, as simple as it is, is a better interface than WMP. So the
answer of un-installing QT is pretty lame. Let them fix the
problem, then un-install WMP if you want to free up some drive
space.

[qwerty75]

You can't

In typical stupid MS fashion, the OS is dependent on a media player, consider that for a while and try not to laugh at the incompetence of MS.

You can NOT uninstall WMP. All the uninstaller does is remove shortcuts.

[ron williams]

Better Codecs?

Apple calls its codecs standards compliant when really, they are not the standards currently as no one except apple uses them. I prefer being able to do things in WMV like manage a library of music, video, and other things, unlike QT with its "better interface" that doesn't do anything.

[MacHeads]

Patched ...

Quick comment on the actual situation ..

1) The exploit concerns ActiveX control under IE... Not Firefox
(default windows browser when using windows at all). (yes, Macs
do Windows we either call it Parrallels or Boot Camp).

2) If there was any way to Deactivate ActiveX at all in Windows
without breaking everything please see to post it since a LOAD
of the problems facing WinXP actually come from that spot.

Yours.

[rpms]

Um, sorry, but...

You might start by reading about the issue first...

Many publishred reports say that this QuickTime for Windows issue manifests itself in Firefox as well as in Windows Internet Explorer. Since Firefox doesn't support ActiveX, you definitely can't blame this one on ActiveX.

To address the second part of your comment, about turning off ActiveX...

Unlike other browsers, Windows Internet Explorer gives you very fine-grained control over active content. It's easy to restrict access to ActiveX (and other forms of active content, since JavaScript, Java and plug-ins also pose risks) without "breaking everything". Here's how:

http://www.microsoft.com/windows/ie/ie6/using/howto/security/settings.mspx

Of course, you won't bother with this information, because your point is probably to bash Microsoft and laud Apple, instead of helping ordinary computer users secure their systems.

[TigerG]

That's just Nutty...

Quicktime is the best piece of software you can have on your computer.

If you take it off what solid as a rock security wise media player will you replace it with Windows Media? haha!

[gggg sssss]

another clue

No need to replace it - WMP is always there. It is that QT POS that is the kludge bolted onto the side of the system.

Solid? Just tried to play a QT someone sent me - ended up with a message like " Quicktime needs a file that is not avaiable..."

Myspace would have been better off with Flash video like youtube and google. After all, how many of their users are Mac users anyway? 2 percent?

[jcastanza]

Myspace is lame

They could fix this in 15 minutes, instead of placing the blame on apple. I've seen this running rampant in the last 24 hours... if you use myspace, look for the word "test" in your "interests" and the embed tag with the quicktime movie URL in the "movies" section. Because it's so targeted, myspace could easily fix this in no time. Lame on them.

[drew30319]

I warned them weeks ago

Somebody with a QT hack requested I "add them" as a friend. The QT was attempting to use Javascript to redirect to a page that was phishing.

I use Firefox and NoScript (which blocks Javascript on a site by site basis). So the Javascript didn't work but I could identify which site was attempting access. I went to the site and copied the URLs from the source code and then sent ALL of this info to MySpace.

I took the time to show them what was going on and apparently they didn't take the time to investigate it. It's a shame because it's a site that I've gotten a lot of value from - but if they aren't more vigilant it's going to continue to have these PR problems (and eventually a big enough hack to turn people away).

C'mon Murdoch, spent the $$$ to get decent customer service & tech support. These problems shouldn't go unresolved after they've been reported!

(shame shame shame on you!)

[DeusExMachina]

Along the same vein

I have been warning them for YEARS that they need a spam/abuse button on their friend request pages. While they DO have one in their e-mail pages, it is totally useless there, since people who send you e-mail have already been approved by you! The only place it makes sense, where unknown people contact you, is in the friends request page, where there isn't one. So the spam profiles proliferate.
I just don't think they really care about spamming too much.

[jolietgeorge]

My account was hacked, they are of no help

I have literally written to myspace six times, their answer is a form email telling me to "check my user id and password" They need to own up and hire some real customer service people.

[kaorichan2]

Ha I dont get this

Download Google toolbar, it tells you automatically if the site is real... and then blocks it or zonealarm will trigger the block.

[DeusExMachina]

Ha you sure don't

As this exploit uses actual MySpace pages, what do you propose using google tool bar is going to do?

[missy&kadie]

well it got me

well my profile got hack into and somethinf is leaving message's on my bulletin bored onder my name for stupid webs site that don't even mattter

[robinduhe]

Fix that problem

Well it got me too. I can't even get into my friends profiles. I can't do anything in myspace.
Please, fix the problem.

[robinduhe]

Fix that problem

Well it got me too. I can't even get into my friends profiles. I can't do anything in myspace.
Please, fix the problem.