Feeds

MySpace-hosted malware exploits QuickTime flaw

French band wants to know its fans better

Top 5 reasons to deploy VMware with Tegile

A security researcher has documented malware that uses a vulnerability in Apple's QuickTime movie player to make a computer download and run a Javascript. A MySpace account promoting a French music group is exploiting the flaw to siphon information about users visiting the page and send it to a remote server.

(Note: The hole was patched in a recent QuickTime update. An early version of this story mistakenly identified the flaw as a zero day.)

The perpetrators pull off the feat by embedding into their page an invisible QuickTime video that uses one Javascript to download and execute a second Javascript. It's this second script that acts as the spyware, according to the researcher, Didier Stevens, who documents his findings here.

Stevens says McAfee VirusScan will flag the first script as malware and identify it as JS/SpaceTalk Trojan. Both the QuickTime movie file, titled tys4.mov, and the second script are downloaded from a server at profileawareness.com. That's also the site that collects the user data.

Apple and MySpace have both suffered their share of security lapses in the recent past. Last week Apple released an update that squashed a variety of bugs in QuickTime, including eight security vulnerabilities. MySpace has also faced a series of exploits which have often been the result of rogue Javascripts. In 2005, for instance, a user named Samy inserted a script into his profile page that allowed him to scoop up millions of friends. And in July, a banner ad posted on the social networking site infected more than a million users with spyware.

We contacted both companies for comment late on Thursday but did not hear back.

According to Stevens, McAfee was the only antivirus provider to detect the script at the time he posted his finding. McAfee provides a reference of the Trojan, but the description was blank at the time of writing. ®

Beginner's guide to SSL certificates

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.