MySpace to Apple: Fix that worm

After worm spreads on social-networking site, MySpace asks Apple to update its QuickTime media player.

By Joris Evers
Staff Writer, CNET News.com

Published: December 5, 2006, 12:54 PM PST

Story Tools

TalkBack E-mail Print del.icio.us Digg this

MySpace.com wants Apple Computer to update its QuickTime media player software so it can't be used in attacks on the social-networking site.

The request comes after a worm in the form of a rigged QuickTime movie crawled onto MySpace.com over the weekend, changing people's MySpace profiles. The worm spread because of QuickTime's support for JavaScript code, experts have said.

"When we learned about an issue that exploits a feature in QuickTime and unfortunately targets MySpace users, we immediately contacted Apple to engineer a fix," Hemanshu Nigam, chief security officer at MySpace, said in an e-mail statement Tuesday.

When viewed by a MySpace user in Internet Explorer or Firefox, the specially crafted QuickTime video added itself to the user's MySpace page and replaced the links on the user's profile with links to phishing Web sites. The malicious software, dubbed Quickspace by F-Secure, infected a large, but unspecified number of MySpace users, according to the Finnish security company.

Apple is working on a QuickTime fix, but has a temporary solution available Tuesday, company spokeswoman Lynn Fox said in an e-mail.

"Recently we learned about an issue that exploits a feature in QuickTime used to target MySpace users. We have devised a way to disable this QuickTime feature for those who use Internet Explorer. We are working on a broader solution for all other users as well," Fox said in the e-mail.

Apple said it has provided MySpace with the temporary fix. The computer company said it would be up to the social-networking site to offer it to users. MySpace has not responded to an inquiry from CNET News.com as to when the temporary solution would be available to users.

While waiting for Apple to release a final fix, MySpace has blocked the Web links that attempt to exploit the issue and is scrubbing them from profiles on the MySpace site, Nigam said. MySpace has also reported the incident to law enforcement, he said.

MySpace, owned by News Corp., is a popular social-networking site estimated to have more than 70 million registered users. The worm exploits MySpace functionality along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts have said.

"This particular attack is not working anymore because of filtering of URLs," said Mikko Hypponen, chief research officer at F-Secure. "But the actual vulnerability still exists in the system. The final fix needs people to update their personal QuickTime player."

The object of the Quickspace attack apparently was to get people to visit the fraudulent Web sites crafted to look like MySpace log-in pages. It is unclear what the miscreants would do with the log-in data. But it could be used, for example, to exploit the user's profiles for advertising.