NEWS FROM THE LAB - Monday, March 19, 2007

QuickSpace: MySpace Tracker Launch by QuickTime Posted by Jose @ 06:07 GMT

We've seen another attack using an insecure feature of QuickTime called HREF Tracks. This is a feature that can specify movies from other links to automatically open simultaneously when the movie is run. With the QuickTime sample that we received, it will try to download and execute a spying JavaScript from this website:


We detect the JavaScript as Trojan-Spy:JS/Spacestalk.A. We detect the downloader as


The said script collects MySpace information from the user that includes Username, FriendID, MySpace Display Name, and other logins of the user, and sends this information back to the tracking server at http://profileawareness.com together with the current URL as well as the current referrers' page.


Updated to add:
We would like to note that Apple resolved this issue with QuickTime 7.1.5 – released on March 5th. See CVE-ID: CVE-2006-4965, CVE-2007-0059 for all the details.

From Apple's website:
QuickTime 7.1.5 for Windows may be obtained from the Apple Software Update application, or as a manual download from: http://www.apple.com/quicktime/download/win.html

So, you'll need Apple Software Update installed or else you'll have to perform a manual download. We've already posted on manually downloading QuickTime. Some of ours readers wrote to tell us that the update automation also includes "optional recommendations" to install iTunes…

This isn't particularly useful to those of us with corporate machines that want QuickTime but not iTunes.