AT&T Tech Support 360
- Related Stories
-
Worm uses QuickTime to spread on MySpace
December 4, 2006 -
Phishers catch on to the Net's 'long tail'
September 12, 2006 -
FAQ: JavaScript insecurities
July 28, 2006 -
JavaScript opens doors to browser-based attacks
July 28, 2006 -
MySpace feels the heat
July 24, 2006 -
MySpace reaching out to parents
April 11, 2006
The request comes after a worm in the form of a rigged QuickTime movie crawled onto MySpace.com over the weekend, changing people's MySpace profiles. The worm spread because of QuickTime's support for JavaScript code, experts have said.
"When we learned about an issue that exploits a feature in QuickTime and unfortunately targets MySpace users, we immediately contacted Apple to engineer a fix," Hemanshu Nigam, chief security officer at MySpace, said in an e-mail statement Tuesday.
When viewed by a MySpace user in Internet Explorer or Firefox, the specially crafted QuickTime video added itself to the user's MySpace page and replaced the links on the user's profile with links to phishing Web sites. The malicious software, dubbed Quickspace by F-Secure, infected a large, but unspecified number of MySpace users, according to the Finnish security company.
Apple is working on a QuickTime fix, but has a temporary solution available Tuesday, company spokeswoman Lynn Fox said in an e-mail.
"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.
Apple said it has provided MySpace with the temporary fix. The computer company said it would be up to the social-networking site to offer it to users. MySpace has not responded to an inquiry from CNET News.com as to when the temporary solution would be available to users.
While waiting for Apple to release a final fix, MySpace has blocked the Web links that attempt to exploit the issue and is scrubbing them from profiles on the MySpace site, Nigam said. MySpace has also reported the incident to law enforcement, he said.
MySpace, owned by News Corp., is a popular social-networking site estimated to have more than 70 million registered users. The worm exploits MySpace functionality along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts have said.
"This particular attack is not working anymore because of filtering of URLs," said Mikko Hypponen, chief research officer at F-Secure. "But the actual vulnerability still exists in the system. The final fix needs people to update their personal QuickTime player."
The object of the Quickspace attack apparently was to get people to visit the fraudulent Web sites crafted to look like MySpace log-in pages. It is unclear what the miscreants would do with the log-in data. But it could be used, for example, to exploit the user's profiles for advertising.
See more CNET content tagged:
MySpace,
Apple QuickTime,
Hemanshu Nigam,
worm,
Apple Computer
Apple users using myspace aren't affected.
Latest Update:
Hey, you're seeing this message because we detected that you have Quicktime on your system.
Quicktime lets you watch movies on your computer.
There's been a security problem with Quicktime this weekend and bad guys have been trying to phish accounts exploiting the security hole.
You can protect yourself by downloading this patch to your Quicktime--it only takes 30 seconds. - Tom
http://vids.myspace.com/quicktime/upgrade.cfm
Apple probably didn't MAKE the worm. But you'll get the desired page views...
QuickTime for Windows was always intrusive, nominating itself as the default player for non-QuickTime media files, changing icons for non-QuickTime media files, displaying annoying advertising pop-ups for the paid "QuickTime Pro" product, and regularly phoning home to Apple (I'll download add-ons and updates myself, thank you very much).
I have just applied a successful work-around to all of my Windows systems:
Start > Programs > QuickTime > Uninstall QuickTime
I am very happy with the results.
For more information about the QuickTime security risk, see:
1. http://www.websense.com/securitylabs/alerts/alert.php?AlertID=708
2. http://www.apple.com/quicktime/tutorials/hreftracks.html
same who wring their hands over our "lost" freedoms because of
the age of terrorism. Think about it. The internet is slowly but
surely losing functionality because the bad guys are exploiting
legitimate features in software. Even the experts say the
Quicktime feature that allows javascript to be imbedded has
legitimate uses. Now, of course, that feature will be turned off.
How many other useful, legitimate features have been deleted or
turned off in Windows, OS X, Linux, etc. because the bad guys
exploit them.
Why aren't we going after the bad guys with really serious prison
sentences in an attempt to retain our internet freedoms? Why are
we allowing these scum bags to dictate to us how we will use the
internet? Why do Microsoft and Apple have to cripple technology
that makes our online experiences richer? Why do we need
protection from the slimy slugs that inhabit the internet instead
of stringing them up by their virtual necks?
Serious jail time, HUGE fines. That's what I want to see, not
legitimate features turned off.
If you want something to be interactive, use Flash. If you want to watch a movie use wmv. If you want --- can't think of a reason to use QT
"Even the experts say the Quicktime feature that allows javascript to be imbedded has legitimate uses."
However, in the specific case of QuickTime for Windows, what's missing is (1) a warning to end-users that the software will follow embedded links and automatically execute JavaScript, and (2) a way for users to control or restrict this behavior.
always out there.
Is the Windows Media Player expoit free?
is how MySpace is designed. Eliminating the ability to use
QuickTime to execute the "malicious" javascript, does not
remove that problem from MySpace.
I find it very interesting that MySpace isn't addressing the
problem at it's root. But then, maybe they are, and just not
talking about. I sure hope so. Because if they are not, then the
problem still remains, and the author will simply find another
mechanism to run the code.
Proper problem determination is the key to finding proper
solutions. Pointing the finger at Apple, or Microsoft, will not
alleviate the design flaw in MySpace.
Something that is not addressed in the article or replies is the question of whether this flaw also exists for someone using Safari on Mac OS X visiting MySpace. I went to the F-Secure article but it also did not shed light on this question.
I've always been concerned with the use of security defeating Javascript but if you turn it off in your browser there are too many sites that fail to work because of their dependence on Javascript.
No, pointing the finger at Apple, or Microsoft (you wanna see it's Microsoft's fault once again?), will not alleviate the design flaw in MySpace; asking the company responsible for the flawed software (Apple) to patch the vulnerability in its software will.
In what way does this make this not their fault?
You might want to research the issue before you make such broad pronouncements.
player, as simple as it is, is a better interface than WMP. So the
answer of un-installing QT is pretty lame. Let them fix the
problem, then un-install WMP if you want to free up some drive
space.
You can NOT uninstall WMP. All the uninstaller does is remove shortcuts.
1) The exploit concerns ActiveX control under IE... Not Firefox
(default windows browser when using windows at all). (yes, Macs
do Windows we either call it Parrallels or Boot Camp).
2) If there was any way to Deactivate ActiveX at all in Windows
without breaking everything please see to post it since a LOAD
of the problems facing WinXP actually come from that spot.
Yours.
Many publishred reports say that this QuickTime for Windows issue manifests itself in Firefox as well as in Windows Internet Explorer. Since Firefox doesn't support ActiveX, you definitely can't blame this one on ActiveX.
To address the second part of your comment, about turning off ActiveX...
Unlike other browsers, Windows Internet Explorer gives you very fine-grained control over active content. It's easy to restrict access to ActiveX (and other forms of active content, since JavaScript, Java and plug-ins also pose risks) without "breaking everything". Here's how:
http://www.microsoft.com/windows/ie/ie6/using/howto/security/settings.mspx
Of course, you won't bother with this information, because your point is probably to bash Microsoft and laud Apple, instead of helping ordinary computer users secure their systems.
If you take it off what solid as a rock security wise media player will you replace it with Windows Media? haha!
Solid? Just tried to play a QT someone sent me - ended up with a message like " Quicktime needs a file that is not avaiable..."
Myspace would have been better off with Flash video like youtube and google. After all, how many of their users are Mac users anyway? 2 percent?
I use Firefox and NoScript (which blocks Javascript on a site by site basis). So the Javascript didn't work but I could identify which site was attempting access. I went to the site and copied the URLs from the source code and then sent ALL of this info to MySpace.
I took the time to show them what was going on and apparently they didn't take the time to investigate it. It's a shame because it's a site that I've gotten a lot of value from - but if they aren't more vigilant it's going to continue to have these PR problems (and eventually a big enough hack to turn people away).
C'mon Murdoch, spent the $$$ to get decent customer service & tech support. These problems shouldn't go unresolved after they've been reported!
(shame shame shame on you!)
I just don't think they really care about spamming too much.
Please, fix the problem.
- Fix that problem
-
by robinduhe
January 8, 2007 8:01 AM PST
- Well it got me too. I can't even get into my friends profiles. I can't do anything in myspace.
-
Reply to this comment
-
See all 88 Comments >>Please, fix the problem.