MySpace on Tuesday night began distributing a temporary fix for an Apple QuickTime vulnerability affecting users of the popular social networking site.
The patch, not hosted by Apple, addresses a flaw related to JavaScript support functionality in the QuickTime video player. Attackers can exploit the feature to launch a blended cross-site scripting attack that, if successful, steals users' log-in credentials and installs adware on their machines.
Last night, MySpace members using Internet Explorer and running QuickTime received a message from the site's founder, Tom Anderson. When users sign up, "Tom" automatically becomes their friend.
"Hey, you're seeing this message because we detected that you have QuickTime on your system," he said in the announcement, posted to users' profile pages. "QuickTime lets you watch movies on your computer. There's been a security problem with QuickTime this weekend and bad guys have been trying to phish accounts exploiting the security hole. You can protect yourself by downloading this patch to your QuickTime - it only takes 30 seconds."
According to published reports, Apple is working on a permanent fix for the problem. A company spokesperson could not immediately be reached for comment today to explain why MySpace was charged with releasing the temporary patch.
The worm attack is driven by malicious QuickTime files that trigger JavaScript code, according to Christopher Boyd, director of malware research for FaceTime Communications. Once users visit a profile page containing the infected QuickTime file, the file is also embedded on their own profile page, which is simultaneously overlaid with a fake navigation bar. Should they click on that navigation bar, users are asked to re-enter their username and password on a rogue page hosted on a hacked server.
Malicious attackers steal these credentials to spam "friends" of the victim in the section of MySpace pages that permits users to leave comments. The messages say generic things such as "what else is there to do on a Sunday" or "omg did you see this last nite." Below the text is a screenshot of a movie that is "spectacularly pornographic," according to Boyd.
Should users click on the screenshot, they are directed to a pornographic site called "Vidchicks" that contains Zango adware, he said. The site's webmaster profits each time someone installs the adware.
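The mechanism described above, a plug-in media file embedded in user-supplied profile markup that carries script-bearing URLs and is served from an attacker-controlled host, is something a site hosting member content can audit for before publishing the page. The following is an added example written for this article, not code from MySpace, Apple or FaceTime. It assumes a hypothetical hosting site that lets members paste `<embed>`/`<object>` markup and keeps an allowlist of hosts that legitimate media may come from; the sample HTML, the host names and the `ALLOWED_MEDIA_HOSTS` list are constructed for the demonstration. The auditor checks every attribute value on media tags rather than a fixed list of parameter names, so it catches a script URL whether it arrives in `src`, in a `<param>` value, or in a plug-in-specific attribute.

```python
"""Audit user-supplied profile HTML for embedded media that carries script.

Added example, not from the article or from MySpace/Apple. Assumes a
content-hosting site that accepts <embed>/<object> markup from members and
wants to flag (a) any media attribute whose value is a script-bearing URL
and (b) media loaded from hosts outside an allowlist. All sample data is
constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# URL schemes that, when placed in a media attribute, execute code rather
# than fetch a file. Assumption: these are the schemes the site bans.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

# Tags through which plug-in media (QuickTime, Flash, ...) is embedded.
MEDIA_TAGS = {"embed", "object", "param"}

# Attributes that name the resource a media tag loads.
RESOURCE_ATTRS = {"src", "data", "value", "href"}

# Constructed allowlist: hosts the hypothetical site serves media from.
ALLOWED_MEDIA_HOSTS = ["media.example.com", "video.example.com"]


class EmbeddedMediaAuditor(HTMLParser):
    """Collects findings about embedded media in a fragment of HTML."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in MEDIA_TAGS:
            return
        for name, value in attrs:
            if value is None:
                continue
            # Drop tabs, newlines and other non-printables that browsers
            # ignore inside a URL but that would defeat a naive prefix check.
            normalised = "".join(ch for ch in value if ch.isprintable()).strip().lower()
            if normalised.startswith(SCRIPT_SCHEMES):
                # Any attribute value that is a script URL is flagged, so a
                # plug-in parameter such as QuickTime's qtnext is covered
                # without listing parameter names.
                self.findings.append(
                    {"tag": tag, "attr": name, "reason": "script-scheme", "value": value}
                )
            elif name in RESOURCE_ATTRS and normalised.startswith(("http://", "https://")):
                host = urlparse(normalised).hostname or ""
                if host not in self.allowed_hosts:
                    self.findings.append(
                        {"tag": tag, "attr": name, "reason": "offsite-host", "value": value}
                    )


def audit_profile_html(html, allowed_hosts):
    """Return a list of findings for the given HTML fragment (empty if clean)."""
    auditor = EmbeddedMediaAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def is_publishable(html, allowed_hosts):
    """True when the fragment has no flagged embedded media."""
    return not audit_profile_html(html, allowed_hosts)


# Constructed sample: one benign clip from an allowed host, and one object
# whose media comes from an unknown host and whose follow-up URL is script.
SAMPLE_PROFILE = """
<div class="profile">
  <embed src="http://media.example.com/clip.mov" type="video/quicktime">
  <object type="video/quicktime">
    <param name="src" value="http://hacked-host.example.net/x.mov">
    <param name="qtnext" value="javascript:void(0)">
  </object>
</div>
"""

if __name__ == "__main__":
    for finding in audit_profile_html(SAMPLE_PROFILE, ALLOWED_MEDIA_HOSTS):
        print(f"{finding['reason']:14} <{finding['tag']} {finding['attr']}={finding['value']!r}>")
    print("publishable:", is_publishable(SAMPLE_PROFILE, ALLOWED_MEDIA_HOSTS))
```

Run against the constructed sample, the auditor reports two findings for the `<object>` (the off-site `src` and the script-scheme follow-up URL) and none for the benign `<embed>`, so `is_publishable` returns `False` and the fragment would be held back. The off-site check is a policy choice for the hypothetical site; a real deployment would also want to re-run the audit when the member's page is re-rendered, since the article describes the malicious file copying itself into the viewer's own profile.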
Hemanshu Nigam, MySpace's CSO, told SCMagazine.com last week that the site often relies on security from third-party application providers - in this case Apple. QuickTime now supports JavaScript, which allows users to "query and control QuickTime movies in a webpage," according to Apple's Developer Connection website.
Click here to email Dan Kaplan.