How Not to Distribute Security Patches
Over the weekend MySpace was hit by a password-stealing computer worm that took advantage of a weakness in Apple's QuickTime media player to spread rapidly among the online community's users. On Tuesday, MySpace administrators sent around a memo urging millions of users to download and install a new Apple patch to prevent future copycat attacks.
I think MySpace and Apple deserve credit for a prompt response to an obvious and serious security problem. That said, it appears as though both sides completely fumbled this patch rollout.
The memo, from MySpace's ubiquitous employee "Tom," says: "Hey, you're seeing this message because we detected that you have Quicktime on your system. Quicktime lets you watch movies on your computer. There's been a security problem with Quicktime this weekend and bad guys have been trying to phish accounts exploiting the security hole. You can protect yourself by downloading this patch to your Quicktime--it only takes 30 seconds. - Tom"
This was a genuine message from MySpace administrators urging certain users to apply a patch that had just been released (well, sort of; more on that later). But you could almost see the blank stares from wary MySpace users who were puzzled and understandably paranoid. Check out some of the questions and comments on just one of several MySpace forum threads on the subject.
According to this CNet.com story, Apple was expected on Tuesday to release a patch (at MySpace's request), but MySpace would be responsible for distributing the update.
To put this in perspective, when was the last time you saw Microsoft let anyone else distribute its patches? You don't. Why? Because the bad guys are constantly trying to get people to install all kinds of nasty and malicious software by disguising it as an official-looking "security update," and a vendor that hands its fixes to third parties teaches users that a legitimate update can arrive from anywhere.
Likewise, Apple should not let social-networking sites distribute its patches, even if this turns out to be some kind of custom-made-for-MySpace-users patch, which I seriously doubt. Apple should host its own software fixes on its own servers, period. And MySpace should simply suck it up and disable QuickTime videos until Apple is ready to host an update; people still running the older version of QuickTime could then be prompted to fetch the patch directly from Apple's site, where the download's origin is not in question.
Another open question is whether the MySpace worm exploited a security flaw in QuickTime or took advantage of an ill-advised feature deliberately built into the software. If it is a flaw, when can the rest of the planet expect a QuickTime patch? And if it is indeed a feature intentionally built into the media player, can non-MySpace users get a version of QuickTime without said feature? I have put a query in to Apple and will update this blog when I receive more information.
Finally, the MySpace memo urged users to click on an exceptionally long link with several layers of encoding in it, making it unclear where the user will end up after clicking (hover over the link in Tom's message above to see what I mean). No ordinary user can be expected to peel those layers apart to confirm that the link actually leads to Apple. MySpace admins grooming the masses to install patches by clicking on seemingly random links in messages is an unfortunate kind of conditioning that may well encourage further attacks against MySpace users.
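To make the point about layered links concrete, here is an added example (my own code, not anything from MySpace, Apple or the original post) that peels nested percent-encoding and embedded redirect parameters off a link, reports the host it finally lands on, and checks that host against the vendor's own domain. The sample link, the redirector hostnames and the list of redirect parameter names are all constructed for illustration; the real MySpace link is not reproduced here.

```python
"""Peel nested URL encoding and redirect parameters off a link, report the
final destination, and check whether that destination is vendor-hosted.

Added example; the sample link below is constructed and is NOT the link
MySpace sent. REDIRECT_PARAMS is an assumed list of common redirector
parameter names, not a standard."""
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed: parameter names that redirectors commonly use to carry a destination.
REDIRECT_PARAMS = ("url", "u", "redirect", "redir", "target", "dest", "goto", "link")


def fully_unquote(s, limit=10):
    """Apply percent-decoding repeatedly until the string stops changing.
    The bound stops a pathological input from looping forever."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def final_destination(link, max_hops=10):
    """Follow embedded destination parameters hop by hop.
    Returns (final_url, hops) where hops lists the URL seen at each layer."""
    hops = []
    current = link.strip()
    for _ in range(max_hops):
        hops.append(current)
        parts = urlsplit(current)
        # parse_qs decodes one layer; a double-encoded value needs more.
        qs = parse_qs(parts.query, keep_blank_values=True)
        nxt = None
        for name in REDIRECT_PARAMS:
            for value in qs.get(name, []):
                value = fully_unquote(value)
                if value.lower().startswith(("http://", "https://")):
                    nxt = value
                    break
            if nxt:
                break
        if not nxt:
            break
        current = nxt
    return current, hops


def host_of(url):
    """The real hostname: strips userinfo ('apple.com@evil') and port."""
    return (urlsplit(url).hostname or "").lower()


def is_vendor_host(host, vendor_domains=("apple.com",)):
    """True only for the vendor domain itself or a subdomain of it.
    'apple.com.evil-example.net' and 'notapple.com' both fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in vendor_domains)


def assess_patch_link(link, vendor_domains=("apple.com",)):
    """Summarise where a 'patch' link really goes and whether to trust it."""
    final, hops = final_destination(link)
    host = host_of(final)
    return {
        "final_url": final,
        "final_host": host,
        "hops": len(hops),
        "vendor_hosted": is_vendor_host(host, vendor_domains),
    }


# Constructed sample: a tracking redirector wrapping a double-encoded
# second redirector, which in turn points at a lookalike host.
SAMPLE_LINK = (
    "http://click.example.com/r?u="
    "http%253A%252F%252Fwww.example.org%252Fgo%253Fredirect%253D"
    "http%25253A%25252F%25252Fapple.com.evil-example.net%25252Fquicktime%25252Fpatch.exe"
)

if __name__ == "__main__":
    for link in (SAMPLE_LINK, "https://www.apple.com/quicktime/download/"):
        print(assess_patch_link(link))
```

Run on the constructed sample, the link unwraps through three layers to `apple.com.evil-example.net`, which fails the vendor check because the comparison insists on an exact match or a true subdomain rather than a prefix; a plain `https://www.apple.com/...` link passes in one hop. The check is deliberately conservative: anything it cannot unwrap, or that lands off the vendor's domain, is treated as untrusted.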
December 6, 2006; 9:07 AM ET
Categories: Fraud , From the Bunker , Latest Warnings , New Patches , Safety Tips