Update: P0wned by a QT movie

Apple has released a new QuickTime version (7.1.5) without support for JavaScript. This happened about a week before I posted “P0wned by a QT movie”. I had analyzed the infection and written (but not published) my post before Apple published the update, and since I don’t use QT (it’s not installed on my systems), I was not aware of this fix when I published my post.

This unfortunate timeline created some confusion, several readers wanted to know if this infection vector could still be used with the latest QuickTime version. I’ve tested this and I can confirm that the latest version of QuickTime (7.1.5) doesn’t support JavaScript anymore. Apple has done the right thing, even if it was “a feature and not a bug”, the best thing to do was to remove support for JavaScript in QuickTime.

The modified QT movie I used in my tests displays a message box when it is embedded in an HTML page and viewed with IE. If you’re interested, I’ve made a movie of my tests (rest assured, it’s not QT), the movie is hosted here on YouTube, and you can find a hires version (XviD) here.