December 5, 2006 12:54 PM PST

MySpace to Apple: Fix that worm

MySpace.com wants Apple Computer to update its QuickTime media player software so it can't be used in attacks on the social-networking site.

The request comes after a worm in the form of a rigged QuickTime movie crawled onto MySpace.com over the weekend, changing people's MySpace profiles. The worm spread because of QuickTime's support for JavaScript code, experts have said.

"When we learned about an issue that exploits a feature in QuickTime and unfortunately targets MySpace users, we immediately contacted Apple to engineer a fix," Hemanshu Nigam, chief security officer at MySpace, said in an e-mail statement Tuesday.

When viewed by a MySpace user in Internet Explorer or Firefox, the specially crafted QuickTime video added itself to the user's MySpace page and replaced the links on the user's profile with links to phishing Web sites. The malicious software, dubbed Quickspace by F-Secure, infected a large but unspecified number of MySpace users, according to the Finnish security company.

Apple is working on a QuickTime fix but had a temporary solution available as of Tuesday, company spokeswoman Lynn Fox said in an e-mail.

"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.

Apple said it has provided MySpace with the temporary fix. The computer company said it would be up to the social-networking site to offer it to users. MySpace has not responded to an inquiry from CNET News.com as to when the temporary solution would be available to users.

While waiting for Apple to release a final fix, MySpace has blocked the Web links that attempt to exploit the issue and is scrubbing them from profiles on the MySpace site, Nigam said. MySpace has also reported the incident to law enforcement, he said.

MySpace, owned by News Corp., is a popular social-networking site estimated to have more than 70 million registered users. The worm exploits MySpace functionality along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts have said.

"This particular attack is not working anymore because of filtering of URLs," said Mikko Hypponen, chief research officer at F-Secure. "But the actual vulnerability still exists in the system. The final fix needs people to update their personal QuickTime player."

The object of the Quickspace attack apparently was to get people to visit fraudulent Web sites crafted to look like MySpace log-in pages. It is unclear what the miscreants would do with the log-in data, but it could be used, for example, to exploit the user's profile for advertising.
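The two profile changes the article attributes to Quickspace (a QuickTime movie injected into the profile, and profile links rewritten to point at look-alike phishing hosts) are exactly what a defender would scan stored profile markup for. The scanner below is an added example, not code from CNET, MySpace or F-Secure; the sample profile markup, the `.invalid` hosts and the trusted domain are constructed assumptions.

```python
"""Added example, not code from the CNET article, MySpace or F-Secure: a
defender-side scanner for the two profile changes the article attributes to
the Quickspace worm, a QuickTime movie embedded into a profile and profile
links rewritten to point at look-alike phishing hosts. The profile markup
and the trusted domain below are constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "myspace.com"   # assumption: profile links should stay on this domain


def host_is_trusted(host: str) -> bool:
    """True for the trusted domain itself or any of its subdomains.
    'myspace.com.login-check.invalid' ends in '.invalid', so it is not trusted."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class ProfileScanner(HTMLParser):
    """Collects (finding_kind, url) pairs while parsing profile HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("embed", "object"):
            src = a.get("src") or a.get("data") or ""
            mime = a.get("type", "").lower()
            # The worm was delivered as a QuickTime movie injected into the
            # profile; flag QuickTime content by MIME type or by a .mov path.
            if mime == "video/quicktime" or urlparse(src).path.lower().endswith(".mov"):
                self.findings.append(("quicktime-embed", src))
        elif tag == "a":
            href = a.get("href", "")
            host = urlparse(href).hostname or ""
            # Relative links have no host and are left alone; absolute links
            # leaving the trusted domain are the rewritten phishing links.
            if host and not host_is_trusted(host):
                self.findings.append(("offsite-link", href))


def scan_profile(html: str) -> list[tuple[str, str]]:
    """Parse one profile's HTML and return every suspicious embed or link."""
    scanner = ProfileScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one injected QuickTime embed and one rewritten link.
SAMPLE_PROFILE = """
<div id="movies">
  <embed src="http://attacker.invalid/clip.mov" type="video/quicktime" autoplay="true"></embed>
</div>
<div id="links">
  <a href="http://www.myspace.com/home">Home</a>
  <a href="http://myspace.com.login-check.invalid/index.cfm">Home</a>
  <a href="/friends">Friends</a>
</div>
"""

if __name__ == "__main__":
    for kind, url in scan_profile(SAMPLE_PROFILE):
        print(f"{kind}: {url}")
```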

Here's a novel idea:
DON'T ALLOW CRAP LIKE THAT ON YOUR SITE TO BEGIN WITH!
Posted by `WarpKat (275 comments )
It must be Myspace's fault
Apple only makes superior products with no exploits or problems. ;). And if by some chance there might be one they fix the problem before anything happens so that it really wasn't an issue to begin with. I hope everyone realizes I am being sarcastic. Let the fanboys try and explain this away as a non-issue that isn't AppHell's fault.
Posted by afriendof77 (21 comments )
Grow Up
How about you ALL stop complaining!? It's THEIR website, if you don't like it, don't be a part of it!
Posted by lal27 (1 comment )
And now Apple will blame Microsoft....
Just like it did for the virus it shipped with the video iPod.
Posted by cary1 (924 comments )
It's Microsoft IE problem based on a Myspace flaw
How is it Apple's fault if it only afflicts the world's worst browser and operating system?

Apple users using myspace aren't affected.
Posted by TigerG (22 comments )
me to myspace: disable quicktime
disable quicktime on your site... simple ;-)
Posted by sea_net (8 comments )
BREAKING NEWS: MYSPACE ARE OFFERING PATCH
"Tom
Latest Update:

Hey, you're seeing this message because we detected that you have Quicktime on your system.

Quicktime lets you watch movies on your computer.

There's been a security problem with Quicktime this weekend and bad guys have been trying to phish accounts exploiting the security hole.

You can protect yourself by downloading this patch to your Quicktime--it only takes 30 seconds. - Tom

http://vids.myspace.com/quicktime/upgrade.cfm
Posted by sea_net (8 comments )
So anxious to get the holy war going that you messed up the title...
"MySpace to Apple: Fix that worm"??

Apple probably didn't MAKE the worm. But you'll get the desired page views...
Posted by M C (598 comments )
not necessarily...
I don't automatically assume that if I see a title that says "Windows Virus" that Microsoft MADE the virus. I think it's pretty well understood that it is a virus exploiting Windows. Besides which, titles are by nature designed for brevity. Otherwise we'd call them articles.
Posted by jspencer09 (64 comments )
Work-around: uninstall QuickTime for good
This unsafe QuickTime "feature" -- support for embedded links in movie files and for automatic execution of JavaScript code, with no direct way for the user to control or disable the behavior -- is the last straw.

QuickTime for Windows was always intrusive, nominating itself as the default player for non-QuickTime media files, changing icons for non-QuickTime media files, displaying annoying advertising pop-ups for the paid "QuickTime Pro" product, and regularly phoning home to Apple (I'll download add-ons and updates myself, thank you very much).

I have just applied a successful work-around to all of my Windows systems:

Start > Programs > QuickTime > Uninstall QuickTime

I am very happy with the results.

For more information about the QuickTime security risk, see:

1. http://www.websense.com/securitylabs/alerts/alert.php?AlertID=708

2. http://www.apple.com/quicktime/tutorials/hreftracks.html
Posted by rpms (96 comments )
work-around
Go ahead and go back to using Windows Media Player; your crappy Windows computers are still going to get hacked and infested with viruses no matter what. Oh, and by the way, I have QuickTime on my parents' Compaq laptop and it's so not intrusive; plus I have the option of making it the default media player if I so want to.
Posted by lordfanatic (2 comments )
Have your laughs but consider what's happening...
Some of the people screaming here about this issue are the same who wring their hands over our "lost" freedoms because of the age of terrorism. Think about it. The internet is slowly but surely losing functionality because the bad guys are exploiting legitimate features in software. Even the experts say the Quicktime feature that allows javascript to be embedded has legitimate uses. Now, of course, that feature will be turned off. How many other useful, legitimate features have been deleted or turned off in Windows, OS X, Linux, etc. because the bad guys exploit them?

Why aren't we going after the bad guys with really serious prison sentences in an attempt to retain our internet freedoms? Why are we allowing these scum bags to dictate to us how we will use the internet? Why do Microsoft and Apple have to cripple technology that makes our online experiences richer? Why do we need protection from the slimy slugs that inhabit the internet instead of stringing them up by their virtual necks?

Serious jail time, HUGE fines. That's what I want to see, not legitimate features turned off.
Posted by lkrupp (1608 comments )
Looking for a clue here
So I'll bite - what specific legitimate reason might that be? The oh so 90's ideal of watching a BMW video and clicking on it to buy one? I thought that nonsense died when boo.com died.

If you want something to be interactive, use Flash. If you want to watch a movie use wmv. If you want --- can't think of a reason to use QT
Posted by gggg sssss (2285 comments )
Lack of warnings/control makes QuickTime unsafe
This was a very thoughtful post. In the general case, you're right that abuse is leading to reduction of useful features.

"Even the experts say the Quicktime feature that allows javascript to be embedded has legitimate uses."

However, in the specific case of QuickTime for Windows, what's missing is (1) a warning to end-users that the software will follow embedded links and automatically execute JavaScript, and (2) a way for users to control or restrict this behavior.
Posted by rpms (96 comments )
Calling the kettle black
So what. A patch to fix this is now out. Security exploits are always out there.

Is the Windows Media Player exploit free?
Posted by jypeterson (181 comments )
Yeah but
WMP, or in effect, Microsoft, doesn't claim to be virus proof. (Take a look at the Mac commercials regarding this.) If one of Apple's major hallmarks over other OSes is security against virii, then they in turn have failed. However, Microsoft doesn't make "virus free" (for those who are too lazy to download antivirus/antispyware and click on the "free PS3 in your email" banners) one of their major selling points.
Posted by royal crown (1 comment )
QuickTime may change to eliminate javascript ... BUT
Look, the Javascript capability in QuickTime isn't really a bug. It is how MySpace is designed. Eliminating the ability to use QuickTime to execute the "malicious" javascript does not remove that problem from MySpace.

I find it very interesting that MySpace isn't addressing the problem at its root. But then, maybe they are, and just not talking about it. I sure hope so. Because if they are not, then the problem still remains, and the author will simply find another mechanism to run the code.

Proper problem determination is the key to finding proper solutions. Pointing the finger at Apple, or Microsoft, will not alleviate the design flaw in MySpace.
Posted by Thomas, David (1947 comments )
Here's an even more novel idea!
Don't use sexual-predator-ridden MySpace, period!
Posted by lordfanatic (2 comments )
More details?
This reminds me of some of the growing pains of eBay. They had to go through several redesigns of their web site as the implicit security holes were discovered and exploited.

Something that is not addressed in the article or replies is the question of whether this flaw also exists for someone using Safari on Mac OS X visiting MySpace. I went to the F-Secure article but it also did not shed light on this question.

I've always been concerned with the use of security defeating Javascript but if you turn it off in your browser there are too many sites that fail to work because of their dependence on Javascript.
Posted by Steve Bryan (92 comments )
BUT nothing
No, the Javascript capability in QuickTime isn't a bug, but the vulnerability it has is. Last time I checked, MySpace wasn't responsible for QuickTime, Apple is, so stop arranging excuses. MySpace doesn't have any problem, QuickTime does, and by having a problem it affects MySpace because MySpace plays QuickTime videos, it's not that tricky, is it?
No, pointing the finger at Apple, or Microsoft (you wanna see it's Microsoft's fault once again?), will not alleviate the design flaw in MySpace; asking the company responsible for the flawed software (Apple) to patch the vulnerability in its software will.
Posted by Ryo Hazuki (378 comments )
lies
Any plugin that allows a [script] tag is a potential danger. It's not MySpace's fault.
Posted by nodeseven (1 comment )
truth
Of course it is MySpace's fault. The exploit uses QT as a vehicle to take advantage of an already published flaw in MySpace's implementation.
In what way does this make this not their fault?

You might want to research the issue before you make such broad pronouncements.
Posted by DeusExMachina (516 comments )
Quicktime vs. Windows Media Player
Regardless of your OS of choice, QT has better codecs and the QT player, as simple as it is, is a better interface than WMP. So the answer of un-installing QT is pretty lame. Let them fix the problem, then un-install WMP if you want to free up some drive space.
Posted by sandsunsurf (10 comments )
You can't
In typical stupid MS fashion, the OS is dependent on a media player, consider that for a while and try not to laugh at the incompetence of MS.

You can NOT uninstall WMP. All the uninstaller does is remove shortcuts.
Posted by qwerty75 (1164 comments )
Better Codecs?
Apple calls its codecs standards compliant when really, they are not the standards currently as no one except apple uses them. I prefer being able to do things in WMV like manage a library of music, video, and other things, unlike QT with its "better interface" that doesn't do anything.
Posted by ron williams (34 comments )
Patched ...
Quick comment on the actual situation ..

1) The exploit concerns ActiveX control under IE... Not Firefox (default windows browser when using windows at all). (Yes, Macs do Windows; we either call it Parallels or Boot Camp.)

2) If there was any way to deactivate ActiveX at all in Windows without breaking everything, please see to post it, since a LOAD of the problems facing WinXP actually come from that spot.

Yours.
Posted by MacHeads (70 comments )
Um, sorry, but...
You might start by reading about the issue first...

Many published reports say that this QuickTime for Windows issue manifests itself in Firefox as well as in Windows Internet Explorer. Since Firefox doesn't support ActiveX, you definitely can't blame this one on ActiveX.

To address the second part of your comment, about turning off ActiveX...

Unlike other browsers, Windows Internet Explorer gives you very fine-grained control over active content. It's easy to restrict access to ActiveX (and other forms of active content, since JavaScript, Java and plug-ins also pose risks) without "breaking everything". Here's how:

http://www.microsoft.com/windows/ie/ie6/using/howto/security/settings.mspx

Of course, you won't bother with this information, because your point is probably to bash Microsoft and laud Apple, instead of helping ordinary computer users secure their systems.
Posted by rpms (96 comments )
That's just Nutty...
Quicktime is the best piece of software you can have on your computer.

If you take it off what solid as a rock security wise media player will you replace it with Windows Media? haha!
Posted by TigerG (22 comments )
another clue
No need to replace it - WMP is always there. It is that QT POS that is the kludge bolted onto the side of the system.

Solid? Just tried to play a QT someone sent me - ended up with a message like "Quicktime needs a file that is not available..."

Myspace would have been better off with Flash video like youtube and google. After all, how many of their users are Mac users anyway? 2 percent?
Posted by gggg sssss (2285 comments )
Myspace is lame
They could fix this in 15 minutes, instead of placing the blame on apple. I've seen this running rampant in the last 24 hours... if you use myspace, look for the word "test" in your "interests" and the embed tag with the quicktime movie URL in the "movies" section. Because it's so targeted, myspace could easily fix this in no time. Lame on them.
Posted by jcastanza (7 comments )
I warned them weeks ago
Somebody with a QT hack requested I "add them" as a friend. The QT was attempting to use Javascript to redirect to a page that was phishing.

I use Firefox and NoScript (which blocks Javascript on a site by site basis). So the Javascript didn't work but I could identify which site was attempting access. I went to the site and copied the URLs from the source code and then sent ALL of this info to MySpace.

I took the time to show them what was going on and apparently they didn't take the time to investigate it. It's a shame because it's a site that I've gotten a lot of value from - but if they aren't more vigilant it's going to continue to have these PR problems (and eventually a big enough hack to turn people away).

C'mon Murdoch, spend the $$$ to get decent customer service & tech support. These problems shouldn't go unresolved after they've been reported!

(shame shame shame on you!)
Posted by drew30319 (13 comments )
Along the same vein
I have been warning them for YEARS that they need a spam/abuse button on their friend request pages. While they DO have one in their e-mail pages, it is totally useless there, since people who send you e-mail have already been approved by you! The only place it makes sense, where unknown people contact you, is in the friends request page, where there isn't one. So the spam profiles proliferate.
I just don't think they really care about spamming too much.
Posted by DeusExMachina (516 comments )
My account was hacked, they are of no help
I have literally written to myspace six times; their answer is a form email telling me to "check my user id and password". They need to own up and hire some real customer service people.
Posted by jolietgeorge (6 comments )
Ha I dont get this
Download Google toolbar, it tells you automatically if the site is real... and then blocks it or zonealarm will trigger the block.
Posted by kaorichan2 (2 comments )
Ha you sure don't
As this exploit uses actual MySpace pages, what do you propose using google tool bar is going to do?
Posted by DeusExMachina (516 comments )
Well it got me
Well, my profile got hacked into and something is leaving messages on my bulletin board under my name for stupid web sites that don't even matter.
Posted by missy&kadie (1 comment )
Fix that problem
Well it got me too. I can't even get into my friends profiles. I can't do anything in myspace.
Please, fix the problem.
Posted by robinduhe (2 comments )
MySpace
Do you know why myspace is down? Please help.
Posted by debandwalt (1 comment )
myspace...
myspace keeps giving me errors when I go to the site; the web address changes constantly. I asked my friends on Windows and they said myspace worked fine... so I'm guessing this is an Apple glitch???
Posted by dingudi (1 comment )
mine also
What's going on? I can't even get the site up at all.
Posted by sneackers (3 comments )
myspace ain't up in Moreno Valley, CA
I can't even get in my profile. What's going on with the web? I thought it was my computer; had a technician out, but it's working fine, she said. So what's up? Can someone please help? Moreno Valley, CA
Posted by sneackers (3 comments )
I can't even get on myspace, don't know why??
I haven't even been able to get on myspace and don't know why. Each time I put the URL in, it shows like the page is down or not there anymore. I can put the URL of my profile in but can not post or send a message to anyone. I have tried to find a way to get hold of myspace but don't know how. Is there anyone who can help me with this?? Could I have a worm and not know it? I have called my phone company that I have the internet with and we can't find out why I can't get onto myspace; it is the only thing that I can not get on to, so if there is anyone who can help me with this please do.. Jo Ann
Posted by joann1965 (1 comment )
Myspace...possible crash? Maybe server is whacked out?
I'm also unable to get into myspace. I either get a message that says "redirection limit exceeded for this URL" or "Firefox has detected that the server is redirecting the request for this address in a way that will never complete." Basically it's redirecting in some kind of loop, and I haven't a clue how to deal with it. It happens no matter which comp I use, so I'm suspecting that it's a problem on the Myspace end of things. Any help would be greatly appreciated.
Posted by Bastets Wicked Fury (1 comment )
you have the myspace worm
People have been using ads to spread a myspace worm. If you clicked on one of those ads you have gotten the worm, and right now they do not have a cure for it. I got it too.
Posted by serious14u (1 comment )
Try to use a proxy if you can't log in to myspace
Try to use a proxy if you can't get on myspace. There are lots of proxies at http://www.aplusproxy.com.
Posted by qiuzhi123 (1 comment )
I can't log in on myspace
How do I log in on myspace? I really would like to check it, but the first time I went to the page to log in, it goes through, then says the page is unavailable. Please, someone tell me how I can fix this problem.
Posted by x3tlsmith (1 comment )
myspace
**** I can't get on myspace :[
Why?????????????
Posted by travieza619 (2 comments )