98 Comments
- inactive, on 10/12/2007, -21/+87Apple actually do a rather good job with security, MySpace hasn't, doesn't, and won't.
- plarp, on 10/12/2007, -13/+78blame canada
- InsomniaSlim, on 10/12/2007, -8/+52MySpace lies CONSTANTLY about problems in its systems.
Whenever a bulletin gets posted "without the user's knowledge," they claim their password was stolen and their account was "hacked." In reality, there is no form post security, or even a captcha, to confirm a bulletin before posting... So when they click a link in a bulletin, it just posts a form to the right URL and the bulletin gets posted.
MySpace is the place for spam... and I think they might be turning a blind eye to it for two reasons: 1. It would take effort on their part and 2. They were invented by spammers, so they may be allowing it to "partners."
MySpace is full of lies... I'm getting tired of them misinforming people b/c of their own inadequacies.
- threepio, on 10/12/2007, -10/+35Quicktime is used in kiosks wherein executable Javascript makes a standalone, non-interactive video into an interactive display. Simply put, it adds the user into the equation for applications like this. We use it here and it's handy, not to mention incredibly lightweight.
So double dumbass on you, friend. Mayhaps a little ***** research would get you farther in the future, as opposed to just hollering ***** and shooting your mouth off on topics where you clearly come to the discussion unequipped to add anything of value.
- JeffH, on 10/12/2007, -25/+48Exactly. There have been lots of exploitable, major flaws in Quicktime over the past year, so why should I believe that Quicktime wasn't the problem?
Though I don't really care whose fault it is as long as MySpace dies a painful death via pissing all of its users off.
- pixelfox, on 10/12/2007, -11/+32Wha??? Quicktime hijacking your browser? How the ***** do you manage that?
- mcstewart37, on 10/12/2007, -5/+24http://www.apple.com/quicktime/tutorials/hreftracks.html
- toast1226, on 10/12/2007, -5/+20yet another reason not to use myspace
- JeffH, on 10/12/2007, -3/+17Quicktime allowing scripting has been "legit" for ages now. It's useful in some cases, but I don't recall the last time I have ever seen it used for something good.
- BillGod, on 10/12/2007, -3/+16The problem with letting people run OSX on PCs is that Apple loses control over the hardware. They would have to support a thousand different motherboards and a million different configurations. With that you then suffer from driver issues and all kinds of other things. Then you become unstable and end up with a rep like MS.
Just my 2 cents.
- TiMMY8765, on 10/12/2007, -6/+19it's just as legit as .wmf files being able to run some code when opened
- paulmdx, on 10/12/2007, -10/+22According to the CNET article (linked from article above):
"The rigged QuickTime movie includes some JavaScript code that will be run automatically"
Personally I question that being a "legit" feature...
- nstern2, on 10/12/2007, -5/+16Here's a pertinent solution. Don't use MySpace!
- HungryMedia, on 10/12/2007, -3/+14I thought Windows Media had this same "feature" ... no?
- uownedge, on 10/12/2007, -6/+15Ladies and gentlemen, I have found the solution.
Behold:
Don't use MySpace.
- austindkelly, on 10/12/2007, -10/+19I agree that for some reason Apple is never to blame, but it's MySpace, I mean come on, it's the worst website on the internets!
- UltimaNut, on 10/12/2007, -7/+13"The iPod seems to have a myriad of problems, "
I've had one of every generation of full size iPods with zero problems.
"the computers are too expensive"
Educate yourself. In a hardware to hardware comparison they actually cost less than similar or equal systems
" It's an untapped market."
You are an idiot. If they did this their hardware sales would shrink.
- chedabob, on 10/12/2007, -10/+17Blame myspace. Not only do they allow javascript, their staff are so lazy. I rarely ever go on myspace, cos I can't even read my message(s) without getting tonnes of errors.
- andyduncan, on 10/12/2007, -4/+10@webwormex et al: if you read the linked, linked, linked page announcing the vulnerability (here: http://seclists.org/fulldisclosure/2006/Nov/0275.html) , you'd see that this IS in fact a myspace vulnerability (the ability for a user to submit code that can alter the navigation links on their own header, links like 'login'). Someone is using a legitimate (although admittedly obscure) feature of quicktime to take advantage of the vulnerability, but quicktime is not the only potential vector. And it's not quite the same thing as the flash vulnerability.
- Rivetgeek, on 10/12/2007, -3/+9They don't allow javascript, but they can't control what is embedded in a quicktime file. Javascript is executed locally on your client not on the server. Before this there were Flash hacks that used actionscripting to redirect the page and myspace complained to adobe and had the new version of flash come with a server side option to disallow actionscript redirects, which they now do.
- inactive, on 10/12/2007, -4/+10Samy is my Hero.
http://namb.la/popular/tech.html
- inactive, on 10/12/2007, -4/+10@webwormx - Apple's fault for not following Adobe? lol, maybe it's not a fault at all on anyone's part. MySpace is just a huge experiment and testing the security of all kinds of plugins and scripts. No one is at fault in this.
- webwormx, on 10/12/2007, -14/+19"it was a flaw of MySpace in combination with a legit feature of QuickTime that caused all the damage"
That quote is just stupid speculation from an author that doesn't know what he's talking about.
This is the exact same thing that happened with Flash 8 (And lower) getURL function that could be used by malicious movies to execute code with permissions on the domain they were hosted on. This was fixed in Flash 9 (using the allowscriptaccess="never" property) right after someone was able to demonstrate it on myspace. Because of this, myspace was forced to make all of its users update to Flash 9.
This is 100% Apple's fault for not following in the steps of Adobe and fixing what appears to be the exact same problem -- Applets running on a domain should not assume the webmaster wants them to have script access (Through getURL) on the domain.
Sure, MySpace could disable Quicktime movies, they can then also disable Flash, then they might as well disable CSS (Although the inadequate CSS filtering leading to the Samy worm WAS their fault), then they should disable images (Wouldn't want another jpeg exploit). Aww hell, they should just shut down their site.
- ThatBlokeRob, on 10/12/2007, -8/+13"too expensive" - Compare some prices (Dell vs Apple), you'll be surprised. I was.
- wild, on 10/12/2007, -3/+7No one wants to talk about that.
- finkployd, on 10/12/2007, -2/+6Shhh.
People don't like to talk about it because it's usually embedded in the porn they download off of Kazaa.
- RoloTomasie, on 10/12/2007, -3/+7That sounds like the PERFECT plan.
- inactive, on 10/12/2007, -15/+19Gee it's kind of obvious. This is on the front page and it's under the Apple section. I agree with everyone else, myspace IS a flaw.
- inactive, on 10/12/2007, -5/+8you're drinking way too much of the M$ koolaid dude
- greymarketbrain, on 10/12/2007, -5/+8who cares what happens on/with myspace? It's like the nascar mentality of the net. And take about as much intelligence to use it as it does to watch stock car racing.
- lordTalus, on 10/12/2007, -2/+5Someone accept the blame and move the frack on. IT security concerns are prevalent...period. It's not a red headed step child, it's a fact of life...or whatevs. Some jack ass is going to write some code that another jackass is going to exploit...so another jackass can fix it. It's the circle of life...
Passing blame is for whiny *****.
- webwormx, on 10/12/2007, -2/+5@andyduncan
All that advisory says is that users are able to replace navigational elements on their profile with spoofed links.
Well......duh. That's the price myspace pays for allowing CSS. Yes, they could block CSS, but then they'd be taking away what appeals most to their users -- Customization.
But anyway, that advisory is rather stupid anyway. Even if myspace DID block css, people could still add links to their profile that tricked visitors to go to a malicious page.
This is what really bothers me about disclosure lists. They're full of so much stupid junk written by amateurs who want internet points that the real problems get buried.
----
Regardless, this Quicktime issue is unrelated to whether myspace allows CSS or not. Heck, even if myspace got rid of CSS, the quicktime bug could be used by a malicious applet to write whatever it wanted to the page (Through document.write, or innerHTML).
----
Now I've thought about my previous comment. In a way, yes, MySpace is to blame. But only because they didn't block quicktime movies from being put on profiles the second they found out about this issue.
In reality, any website that allows users to upload quicktime files could have been hit. MySpace was the primary target simply because of their size. NOT because they didn't code their website correctly.
- zioxide, on 10/12/2007, -3/+6lmao
myspace is the most poorly coded website on the internet.
- lhnz, on 10/12/2007, -2/+5What are you talking about?! Myspace don't allow javascript!
- vegasmacguy, on 10/12/2007, -2/+5Wow!!! I don't even know where to begin. First of all this exploit could've been done in WMV as well as RealPlayer. Both have the ability to embed code and call hrefs from a video. Second this exploit only worked on MICROSOFT IE and FIREFOX. Third Myspace has no way to control what Javascript is running from a media file.
While I don't agree that this is 100% Myspace's fault, I don't believe it is at all Apple's fault. This is a flaw in the structure of Myspace. Myspace allows users to post videos and embed flash and many other kinds of media. They also allow the use of HTML/CSS. However, they DO NOT allow javascript on their page. The only ways myspace could lock down every thing that gets posted is to disallow all linking and embedding and host the content on their servers so they can convert and clean the content of any malicious code, or scan every file that comes across in an EMBED tag for possible exploits. Maybe they were a little remiss in not doing either of those things, but what site does?
As for your idiotic remarks. Apple does have its flaws and security holes. This isn't one of them, and to date I have not heard of one being exploited before Apple released a patch. If you want to spout off about a company not taking security seriously you might want to look no further than your own desktop.
As for Quicktime sucking, once again you Windows fanboys don't actually use a product before saying it sucks. Give me some reasons and some backup as to why Quicktime sucks. Is it slow? Does it not handle large files? Does it drop frames like Windows Media Player? Is it unstable? I use Quicktime on a regular basis as I am a video editor. I find that quicktime is faster than the preview in my NLE software. I also find that it runs quickly, smoothly, doesn't drop frames and the video quality is the best of all the free players.
I know you won't respond because you're only on here to troll and piss people off. I hope you realize though that you're wasting your time on your little anti-Apple crusade and that nobody really listens to you or respects your opinion.
- chedabob, on 10/12/2007, -9/+10It's a useful feature, it's Myspace's fault for allowing javascript to be run.
- haiduz, on 10/12/2007, -1/+3@freff
I'm glad that at least you can see it. These Apple fan boys can't handle the truth if it's against Apple in any way. They remind me of those Scientologists who try to censor those who speak out against them :)
- brlittle, on 10/12/2007, -24/+26Too right.
I mean, MySpace has been totally honest and forthcoming about every issue with their service. Apple, on the other hand, is nothing but a bunch of security halfwits who never update their software or patch anything to repair problems.
I think my irony filter just overloaded. Jeebus.
@JeffH
C'mon, admit it. You only hang around Digg so you can piss down Apple's leg at every chance, right?
- geekee, on 10/12/2007, -2/+4It seems to me Apple should prompt you before executing code from a movie off of the internet. Some feature.
- haiduz, on 10/12/2007, -1/+3and another thing...
Why doesn't quicktime have full screen video?!?!
I heard that the quicktime pro does but you have to pay 30 dollars for it.
Can you imagine the outcry and hatred if Windows Media Player 12 had a premium version that played full screen, but the free version did not.
...when apple does it no one has any problems.
1 more thing, iTunes is the least stable program on my comp, I'm sure that it runs perfectly on a mac but I also want to play FEAR and UT2k4 and UT2k7 with my ATI 1900 512 MB card.
1 more thing, the iPod is the greatest invention known to man. (I call em like I see em)
- ogre2112, on 10/12/2007, -0/+2The quality has the ability to be great. Go to apple.com/trailers and watch a movie clip.
Don't compress the movie all to hell, and the movie will look great, same as any other format.
- inactive, on 10/12/2007, -8/+9-- digg down, mistake
- SirBotchness, on 10/12/2007, -1/+2Other than the fact it is being exploited. And boy, you defend it like you own it. It doesn't matter if it is a feature, it matters that it is being exploited. Get over it, it has nothing to do with you, you don't program it, so get off your high horse.
- inactive, on 10/12/2007, -3/+4"Legit features" are not inherently secure. My understanding is that Quicktime allows code to be executed from a *.mov, which installs crap on the victim's machine. This should not be happening.
This is like saying the WMF vulnerability a while back was a legitimate feature. Even though it was intended as a feature, it was a stupid idea so it got patched.
- h0dg3s, on 10/12/2007, -0/+1Blogspam. I don't want to read a paragraph where every other word is a ***** link either.
- Rivetgeek, on 10/12/2007, -7/+8@chedabob
"its Myspace's fault for allowing javascript to be run"
Newsflash sparky, javascript is interpreted on the client side, not the server side. Thanks for playing though.
- diggaiden, on 10/12/2007, -0/+1Hmm, this sounds familiar...remember this "apology" from our favorite fruit company?
"As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it"
substitute Windows with Quicktime and viruses with exploits, and you could almost imagine MySpace making this statement:
"As you might imagine, we are upset at Quicktime for not being more hardy against such exploits, and even more upset with ourselves for not catching it"
Yeah, MySpace didn't *actually* make this statement, but it's kinda implied, isn't it?
- EXreaction, on 10/12/2007, -8/+10He/she sorta contradicts their entire article in this sentence.
"Apple is reportedly working on a fix, but for now the two companies have ironed out some workarounds, such as blocking all the phishing URLs and scrubbing their network for compromised profiles."
If that is what is going on Apple already noticed it was a bug on their end and are fixing it.
I BURY BLOGSPAM!
- rykachik, on 10/12/2007, -3/+4"Quicktime is used in kiosks wherein executable Javascript makes a standalone, non-interactive video into an interactive display. Simply put, it adds the user into the equation for applications like this. We use it here and it's handy, not to mention incredibly lightweight.
So double dumbass on you, friend. Mayhaps a little ***** research would get you farther in the future, as opposed to just hollaring ***** and shooting your mouth off on topics where you clearly come to the discussion unequipped to add anything of value."
QFT
Every single one of you ***** ***** tards should read this. It is a useful feature not only for video but also panoramic images, it allows hotspots and links and user interactivity. It is not a flaw in any way shape or form. Saying this is a flaw is like saying adobe is at fault for every single annoying flash banner w/sound.
- inactive, on 10/12/2007, -2/+2WTF Their site "design" looks like horse *****!