QuickTime flaw could download spyware
By Rene Millman,
A flaw in Apple's QuickTime file format could allow spyware to be downloaded to collect personal information from users.
According to Didier Stevens, who works as an independent security researcher, the flaw can allow a QuickTime movie to execute a piece of Javascript code that in turn downloads spyware onto a victim's computer.
He said that at present a French rock band is using the technique to find out information about users visiting the band's MySpace page. On the page is embedded an invisible QuickTime video which uses the software's HREF function to run the script.
"It will automatically execute JavaScript code when the movie is played - since there is no timestamp, the script executes immediately," said Stevens.
The data unearthed by the script is uploaded to a server at profileawareness.com which is a website that tracks people visiting MySpace pages.
He said the script is detected by McAfee's anti-virus product and this was the only one to do so at the time of writing his blog. Its software detects the spyware as a JS/SpaceTalk trojan.
"The QuickTime movie is what is known as a downloader, but anti-virus programs do not detect it," he said. "The downloaded script is just spyware, it will collect data about the Myspace user viewing the page and upload it to a server."
According to Apple, a patch for the flaw was released in its last security update that fixed both OS X and Windows versions of the software.
advertisement
Latest Security Features
Who should be Britain’s cyber security czar?
Experts reveal what a UK head of cyber security would need to do, while we put forward possible candidates for the role.
- The reality of movie technology
- Do smartphones need security software?
- Protecting the London 2012 Olympic Games
- Focus on... Flexible working
- Cyber policing and surveillance in Britain today
- How an FBI agent transformed Microsoft security
- Can security concerns kill cloud computing?
- GhostNet: Did the Chinese government hack the world?
- How poor web security nearly lead to a jail term
Latest Security Reviews
HP BladeSystem c3000 review: blade server
Rating: 
- CA ARCserve Backup r12.5 review
- FaceTime Communications USG530 - web filtering appliance review
- Guardium 7 – database security review
- Google Apps Premier Edition
- SmoothWall UTM-1000 review
- Lenovo ThinkPad USB Portable Secure Hard Drive
- LogRhythm LR-500-XM review
- EXCLUSIVE - eSoft ThreatWall 250
- Zebra RZ400 - RFID Printer
advertisement
Latest News Videos in Security
Video: Mobile security threats and Mac complacency
PlayPart two: Eugene Kaspersky, chief executive and founder of Kaspersky Lab, talks about the increasing security threats mobile users are facing.
Whitepapers
Want more background on today's hottest IT trends?
Visit IT PRO's whitepaper library for more on virtualisation, encryption and other topics.
Register for IT PRO
You'll get exclusive member benefits including free whitepapers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
Social Bookmark this article: What is this?