QuickTime "feature" + MySpace vulnerability = "Fun" & Profit!

This weekend brought us yet another XSS vulnerability in MySpace being used to modify users’ profiles for malicious ends. Much like in the Windows virus space, we’re apparently past the phase of MySpace worms being used purely for notoriety, and well into the phase of worms for profit.

This worm (JS/QSpace) uses an intended function of QuickTime movies to use JavaScript code to open additional URLs. The additional URL in this case is a JavaScript file which modifies the user’s MySpace profile to include the malicious movie.

This boils down to two primary problems:

1. QuickTime will load external URLs without user consent
2. MySpace will embed or modify content without user consent, even from external sites

The MySpace part of the equation seems pretty straight-forward to address. Couldn’t something be set up to verify that a human is actually intentionally modifying content, especially if done in bulk?

The QuickTime issue being an intended feature makes this a bit trickier. It seems painfully naive to me, for a feature like this to be added with no precautions put in place to prevent malicious use.

One of the biggest reasons movie files are becoming increasingly popular as distribution methods for malware is that between newly discovered vulnerabilities and features like this, the “return on investment” for malware authors using these file-types is sky-rocketing. Very few people hesitate to view a movie file unless the context it comes in is incredibly suspect (and that’s mostly to avoid getting canned for watching porn at work, or getting the snot scared out of you by the car ad with the zombie that jumps out at the end).

But really, never mind the zombie. There are much more disturbing things potentially lurking in videos now.