How Not to Distribute Security Patches

Over the weekend MySpace was hit by a password-stealing computer worm that took advantage of a weakness in Apple's QuickTime media player to spread rapidly among the online community's users. On Tuesday, MySpace administrators sent around a memo urging millions of users to download and install a new Apple patch to prevent future copycat attacks.

I think MySpace and Apple deserve credit for a prompt response to an obvious and serious security problem. That said, it appears as though both sides completely fumbled this patch rollout.

The memo, from MySpace's ubiquitous employee "Tom," says: "Hey, you're seeing this message because we detected that you have Quicktime on your system. Quicktime lets you watch movies on your computer. There's been a security problem with Quicktime this weekend and bad guys have been trying to phish accounts exploiting the security hole. You can protect yourself by downloading this patch to your Quicktime--it only takes 30 seconds. - Tom"

This was a genuine message sent by MySpace admins urging certain users to apply a patch that was just released (well, sort of...more on that later). But you could almost see the blank stares from the wary MySpace users who were puzzled and understandably paranoid. Check out some of the questions and comments on just one of several MySpace user forum threads from puzzled users.

According to this story, Apple was expected to release a patch on Tuesday (as requested by the folks at MySpace), but MySpace would be responsible for distributing the update.

Come again?

To put this in perspective, when was the last time you saw Microsoft letting anyone else distribute its patches? The simple answer is that you do not. Why is that? Because the bad guys are constantly trying to get people to install all kinds of nasty and malicious software by disguising it as an official-looking "security update."

Likewise, Apple should not let social-networking sites distribute its patches, even if it turns out to be some kind of custom-made-for-MySpace-users patch, which I seriously doubt. Apple should host its own software fixes on its own servers, period. And MySpace should simply suck it up and disable QuickTime videos until Apple is ready to host an update; people still running the older version of QuickTime could be prompted to fetch the patch directly from Apple's site.

Another issue is that the MySpace worm either exploited a security flaw in QuickTime or it took advantage of an ill-advised feature deliberately built into the software. If it is a flaw, when can the rest of the planet expect a QuickTime patch? And if it is indeed a feature intentionally built into the media player, can non-MySpace users get a copy of QuickTime without said feature? I put a query in to Apple, and will update this blog when I receive more information.

Finally, the MySpace memo urged users to click on an exceptionally long link that appears to have several layers of encoding in it -- making it unclear where the user will end up after clicking (hover over the link included in Tom's message above to see what I mean). MySpace admins grooming the masses to install patches by clicking on seemingly random links in messages is an unfortunate kind of conditioning that may well encourage further attacks against MySpace users.
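
The layered-encoding problem described above can be checked mechanically before a link is trusted. The following is an added example, not part of the original post: it peels percent-encoding and nested redirect parameters off a link and reports whether it is a plain link to the vendor's own site. The sample URLs, the hostnames and the `VENDOR_DOMAINS` allow-list are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the only domain allowed to serve the patch is the vendor's own.
VENDOR_DOMAINS = ("apple.com",)

def decode_layers(text, limit=8):
    """Percent-decode until stable; return (decoded text, layers removed)."""
    layers = 0
    while layers < limit and unquote(text) != text:
        text, layers = unquote(text), layers + 1
    return text, layers

def host_chain(url, max_hops=8):
    """Hosts visited when each URL hidden in a query parameter is unwrapped."""
    chain = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        chain.append(parts.hostname or "")
        url = None
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            candidate, _ = decode_layers(value)
            if urlsplit(candidate).scheme in ("http", "https"):
                url = candidate  # a further destination was hidden in this parameter
                break
        if url is None:
            break
    return chain

def is_vendor_host(host):
    """Exact domain or a true subdomain; 'apple.com.evil.example' fails."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def assess(url):
    """Summarise where a patch link really leads."""
    chain = host_chain(url)
    return {
        "encoding_layers": decode_layers(url)[1],
        "hosts": chain,
        "direct_vendor_link": len(chain) == 1 and is_vendor_host(chain[0]),
    }

# Constructed samples (not the link from the MySpace memo).
WRAPPED = ("http://tracker.example/r?u=http%3A%2F%2Fcdn.example%2Fgo%3Fdest"
           "%3Dhttp%253A%252F%252Fdownloads.example.net%252Fqt-patch.exe")
PLAIN = "https://www.apple.com/constructed/quicktime-update"

if __name__ == "__main__":
    for link in (WRAPPED, PLAIN):
        print(assess(link))
```

A link that passes through several hosts or carries more than zero encoding layers is exactly the kind a user cannot evaluate by hovering over it.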

By Brian Krebs  |  December 6, 2006; 9:07 AM ET
Categories: Fraud, From the Bunker, Latest Warnings, New Patches, Safety Tips


I'm not so sure that Microsoft should be praised for having an efficient security patch distribution system. Each of those patches represents a failure to catch a bug before the software shipped.

Posted by: Jason | December 6, 2006 11:34 AM

A month ago, I read on the blogs that there was a password-stealing worm that directly attacks Firefox 2.0; I've disabled my password program, gone to the Firefox and Mozilla web site and blogs, sent emails, as well as checked for updates. They acknowledge it, but nothing has happened since Nov.

Can you do anything or find out more?

Posted by: SPENCER ADAMS | December 6, 2006 12:56 PM


Yes, good point, most everyone who has a clue knows that current software development practices leave a lot to be desired. That being said, Microsoft has managed to put together an arguably efficient and supposedly non-invasive process (although I don't use it, except notification of updates...I don't want anything being installed that I haven't explicitly agreed to).

As far as MySpace's handling this, it is just plain ludicrous at best, downright negligent at worst. Do they have any actual security people on staff at MySpace? Someone who knows about the practices? Did they consult legal before agreeing with Apple to go this route (and Apple... *FOR SHAME*. They DO know better.)

This is pretty pathetic on the whole.

Posted by: Jeff Pettorino | December 6, 2006 1:22 PM

I just wanted to say thank you for this post. Guess how I found out about your blog? Searching on Google about the legitimacy of this oddly released patch. Everything seemed legitimate to me but, for the reasons stated in your blog, there was a little voice in my head that was saying: Don't Touch This!

Posted by: Jack | December 6, 2006 4:45 PM

Apple is most likely stuck with an application servicing model problem. In order for Apple to automatically update this application, the application would need to 'phone home' every time it started up to check for updates. This logic can be very difficult to put into every released application.

Microsoft has Windows Update, which is an application-independent service which will scan your Windows machine and detect that you are running older/insecure versions of the software. Using this servicing model, the application will never need to 'phone home' as Windows Update will service it.

Apple cannot post their updated software to Windows Update. Their application probably does not check for updates on every startup either. This leaves the site admins (like Myspace) in a position of pushing the users to a fix.

Microsoft will run into the same problem for MS applications running on the Mac OS.

Posted by: Timothy Davis (MSFT) | December 6, 2006 8:08 PM

Timothy -- I was using Microsoft as an example of why you do not want to do what Myspace and Apple have done in this case.

This has nothing to do with Microsoft Update. From Myspace's initial e-mail, it is clear that Myspace admins have the ability to see whether users have QuickTime installed. So, after alerting users that an update is available, provide them with a plain link to Apple's site, where they can upgrade the software on their own.

If need be, Myspace could require that people upgrade to the latest version of QuickTime before letting them resume embedding or viewing QuickTime files on Myspace.

Posted by: Bk | December 6, 2006 9:57 PM

Myspace and Apple should be taken out to the wood shed for such shoddy security practices. In today's threat landscape, you would expect much more from major players like these.

Just goes to show how far many organizations still need to go in order to play the game correctly.

As BK has mentioned, Microsoft has learned from this and as such has a software distribution method in place and has tried to educate us to only trust patches obtained directly from them. So, you have to give credit where credit is due.

In regard to Jason's comments, all software has vulnerabilities, so to bad mouth Microsoft only is a disservice to all.

Posted by: TJ | December 7, 2006 12:06 PM

Brian you don't specifically mention which platform is affected? I use a pc at work and bought a mac for home. At home I have Quicktime professional. Apple does update its software automatically. I don't use and don't even intend to use MySpace.

In addition to better ways to update and upgrade software, the user has to become smarter. I wouldn't even consider updating iTunes on the pc at work. I simply delete it and download the newest version.

And to Timothy: I do have MS OFFICE 2004 on the mac. In addition to reading Brian's column, I occasionally click the update link just to see what's available. It's like having a car; I don't need a letter, email, phone call or the vehicle to remind me to change the oil. The sticker inside the car does the trick! But again, the user needs to start taking steps to find out what's available in the way of updates or upgrades. Obviously, bad people will affect the Internet for years to come. At work I had to delete IE7. It caused my machine to run too slowly, so now I am back to reading Brian and checking for patches. I don't really use IE6 much, but since I can't permanently delete it...

Microsoft credit for hammering out a patch upgrade system? Yeah, right!

Posted by: dh | December 7, 2006 1:13 PM

I have QuickTime Pro (paid) and MySpace; I don't use QuickTime in MySpace. I saw the notice for a download patch and didn't trust it. I wrote to MySpace asking if it was real or not. I called Apple and they said that they didn't know anything about it, that I should contact MySpace. I again contacted MySpace and yesterday I did receive an email from MySpace that said "we are working on it, be patient"; that's all I've heard. The supposed "patch" is still on my page for me to click on. Nobody has done anything; I got the bad code out myself.

Posted by: rlk | December 7, 2006 10:52 PM

Hi Dh -- I wish I had more info for you. Apple hasn't responded yet to any of my inquiries. Since the QT feature that was abused was Javascript, it's possible that it wouldn't matter what OS you are using in the context of this attack. We just don't know enough yet about what -- if anything - Apple is going to change about QT to address this.

Posted by: Bk | December 7, 2006 11:02 PM

"In order for Apple to automatically update this application, the application would need to 'phone home' every time it started up to check for updates. This logic can be very difficult to put into every released application."

iTunes phones home all the time. This could be moved up to Quicktime (iTunes has QuickTime as a dependency). Better yet, application updating could be migrated to a generic component that each of the Apple application teams can add to their code.

Even Ubuntu Linux has an OS and application update system, and that's produced by a company with shallower pockets than either Microsoft or Apple, so excuses for poor application updating schemes are wearing thin at this point.

Posted by: Jason | December 8, 2006 5:03 PM


Mozilla has a bug database which is publicly accessible here:

You can probably find the issue in there and keep up to date on when and how it will be fixed.

Posted by: Jason | December 8, 2006 5:17 PM

For once I agree with Mr. Krebs. And, yes, iTunes uses QuickTime, making it a vector for attack. The attack can be done on MS or Mac systems. Unfortunately, this worm is not nice, and more unfortunately, we all are just now seeing how vulnerable other systems are now that MS is doing a good job of protecting their customers. Heed strong advice: Use a hardware firewall - properly configured, a software firewall - properly configured, strong anti-virus and anti-spy programs - all up to date - this is what is needed for all internet users today. What "they" don't tell you in the headlines is that the threats are mitigated by what I suggest. Just do it. For more information on how to "harden" your computers or networks from such attacks, please ask a geek or view security pages online such as SANS: - if you read only the headlines or only the 2 second articles like above you may be disillusioned by the internet. If you review the articles and their links, over time you will know what to do and more importantly what not to do to be safe online.

Posted by: MG | December 8, 2006 9:24 PM

I cannot log into my MySpace account. I used to just put in my address box. and go to my page, and if I wanted to go further then I would log in. When I went to put my information in the address box, my page came up with somebody else's information but my name in the address box still. A whole page full of cramp and people. I have tried to contact MySpace six times now with no response. I finally got a response which told me to make sure that I am putting in my correct password. I know my password and even requested that it be sent to me again just in case. They emailed me my same password that I have been putting in, so I know that my account is still active, so who is using my account and blocking me from logging in? I even tried to set up a new account and cannot even do that. It keeps telling me error with my password when I sign into my account, which only means that someone is using my account and has changed my password but not my screen name and put their profile in my place. I do not know what to do now, and you cannot contact anyone from MySpace. I need help and I think that MySpace should be held responsible for this sort of thing.
I have sent them emails already, still no luck, and I cannot use my account. This is a crime being committed here and something legal needs to be done to MySpace and the people using my account. I have saved all the information from the false webpage that is being shown under my name. I also emailed it to

Posted by: Sharon | December 9, 2006 1:53 PM

THANK YOU! for your awareness and prompt response. I appreciate it! It prevented me from downloading this "patch"... who is "TOM" anyway, and how can I get him OFF my MySpace "friends" listing?

Posted by: Chuck | January 1, 2007 10:27 AM


© 2010 The Washington Post Company