The worm, dubbed "Quickspace," exploits a bug in QuickTime JavaScript support and affects current Windows and Mac editions of QuickTime.

Gregg Keizer, Contributor

December 11, 2006

1 Min Read

The QuickTime flaw that led to phishing attacks on MySpace can be found in both the Windows and Mac OS X versions of the media player, a security company warned Monday. Apple has yet to patch the player.

More than a week ago, MySpace shut down hundreds of user profiles that had been infected by a worm that took victims to a phishing site. The worm, dubbed "Quickspace," exploited a bug in QuickTime JavaScript support.

Finnish security company F-Secure has confirmed that the bug is in the current Windows and Mac editions of Apple Computer's QuickTime. "Any malicious JavaScript code exploiting it would affect the users of both operating systems," said S.G. Masood, F-Secure's phishing analyst, on the security vendor's blog. The Quickspace worm was originally pegged as affecting only Windows users running Microsoft's Internet Explorer browser.

Masood also pointed out that an earlier QuickTime vulnerability remains unpatched; that bug, he said, could be exploited in the same way as the one used by the Quickspace worm.

"With no fix available, the only feasible workaround for these social networking sites, and also other Web sites, is to completely block users from uploading Apple QuickTime content," Masood recommended. "This is not a MySpace only issue. [It] affects every other Web site that allows the embedding of QuickTime content."

Apple has provided a fix for the Quickspace problem to MySpace, which has distributed the patch to its users running IE. However, the computer maker has been mum on a general QuickTime update. Apple did not immediately reply to a request for comment.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights