MySpace is “distributing a temporary fix for an Apple QuickTime vulnerability affecting users of the popular social networking site,” Dan Kaplan reports for SC Magazine.
Kaplan reports, “The patch, not hosted by Apple, addresses a flaw related to JavaScript support functionality in the QuickTime video player. Attackers can exploit the feature to launch a blended cross-site scripting attack that, if successful, steals users’ log-in credentials and installs adware on their machines.”
“According to published reports, Apple is working on a permanent fix for the problem. A company spokesperson could not immediately be reached for comment today to explain why MySpace was charged with releasing the temporary patch,” Kaplan reports.
More info in the full article here.
Does this vulnerability affect Macs, too, or just Windows?
So, does this mean we’ve now seen the first documented cases of Mac malware infestation? Huh? Someone???
P.S. It would be interesting to understand a bit better why the article suggests that vulnerable users are running Quicktime and Internet Explorer…
From what I understand about this, it’s not a flaw with QuickTime, it’s a flaw with MySpace. QuickTime has had the ability to embed JavaScript for years. It’s the interaction of that JavaScript with MySpace that is the problem, not QuickTime’s ability to use JavaScript. That’s why it is MySpace’s responsibility to safeguard its users against the threat of a JavaScript attack.
Voice of Reason…EXACTLY…it’s a MySpace problem. They’re just trying to blame Quicktime to save their own jobs for even having the vulnerability.
Yes, apparently MySpace is too busy swimming in money to fix their own pages, so they’re going after Apple to cripple QuickTime.
THANK GOD! I’ve been unable to sleep since this happened.
MySpace has always been and will always be a poorly implemented and designed site. I’m surprised more MySpace vulnerabilities haven’t been exploited.
The vulnerability affects MySpace. Not Macs, not Windows. It’s JavaScript writing to MySpace profile’s server.
That’s why you haven’t seen the PC press go wild over a “Mac attack.”
It’s already been reported as a flaw in MySpace, and simply an exploitation of QT’s support of Javascript…. how sad that they put the spin on it that it’s a flaw with QT.
Myspace sucks camel butt, always has. It’s a teen site. For teens with no in person social skills. Sad really.
“It’s already been reported as a flaw in MySpace, and simply an exploitation of QT’s support of Javascript…. how sad that they put the spin on it that it’s a flaw with QT.”
Any Windows application macro virus simply “exploits” the macro capability of the app. Sorry guys, building in the capability into QT to run unsafe code on your PC without asking is a QT problem. Today MySpace. Tomorrow the world.
You guys aren’t very bright. It IS a quicktime exploit. Coupled with xss on myspace it can be used to compromise profiles. Actually do your research before you try to blame myspace! It’s not all their fault, only halfway… Apple is totally to blame.