Software vendors often indulge in adding “features” to their software products which are not really necessary. “To insecurity through bloatware”, we could say. And no, this time this is not a rant against the usual suspects.
Did you know that you can embed JS scripts in Apple Quicktime movies? (the feature is called “HREF tracks”)
An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.
Well, this might not be very new or bleeding-edge, but apparently there is malware using invisible QuickTime movies embedded in webpages. Didier Stevens writes about it:
The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.
This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie.
I don’t have Apple QuickTime installed in the laptop I’m using to write this, but I would be very surprised to see an option to disable this kind of behaviour or “trust zones” control like in IE or Outlook.
