Does QuickTime pose a security risk?

"The problem is that it is possible to inject JavaScript code in QuickTime movie files"

Sorry thats not technically correct. The hreftrack feature allows the creator of a QuickTime file to embed commands, not inject them. Microsoft has a similar feature for WMV files as well.

Also Brian Krebs hsa pretty well discredited himself as a reporter, he's hardly someone I'd go to for security information.

"It was my understanding that this"bug" is actually a legitimate feature of QuickTime and that the security risk was actually caused on MySpace's end due to poor coding"

Yes, it is a feature. Is that feature a good idea? No, not really. Actually, it's a pretty stupid feature.

As for the latter comment, are you sure you are not confusing this problem with the recent phishing-exploit hole at MySpace?

http://seclists.org/fulldisclosure/2006/Nov/0275.html

... because if you're not I really can't imagine what could be going through your mind. However, ince we're on that issue, I would have to comment that the risk that a MySpace user might "Trojan" a menu in his "profile" area is not down to "poor coding" but poor *policies*. MySpace should not be permitting users to add CSS code to their profiles. It's a bad policy.

However that may be, the post above is concerned not with that problem but with a totally different one. The problem is that it is possible to inject JavaScript code in QuickTime movie files:

http://www.apple.com/quicktime/tutorials/hreftracks.html

Now think about that one. Because MySpace is a social networking site and large numbers of people all over the world are adding content to it, ***you do not know whose content you're getting***. It's not like viewing a QuickTime movie at the BBC or National Geographic or something.

MySpace deals in user-generated content.

Again, one has to ask oneself are MySpace's policies sensible? Frankly, should they allow users to upload potentially dangerous content that they are unable to police?

However, never mind what MySpace does or doesn't do. What you have to bear in mind is that someone else, somewhere else on the web could just as easily serve you a QuickTime video with malicious JavaScript imbedded in it. So either uncheck "Enable JavaScript" and "Enable plugins" in Safari's Preferences or be very, very careful about where you go. In particular think twice about visiting social networking sites that accept imbedded QuickTime movies.

Brian Krebs at the Washington Post comments:

"Allowing QuickTime videos to silently load interactive JavaScript content and commands seems like a pretty bad idea from a user protection perspective. Allowing QuickTime vids to be embedded like that in massive social networking sites strikes me as an invitation to disaster."

poor coding from myspace? i dont believe it...

It was my understanding that this"bug" is actually a legitimate feature of QuickTime and that the security risk was actually caused on MySpace's end due to poor coding.

QuickTime DOES pose a security risk. About as much as Objective C, Java and other programming languages when used in an insecure way. Anything that interacts with a user is a security risk.

Thank you

So far it hasn't affected any Mac users and I'm sure Apple is hard at work to keep OS X free. I'm sure we'll see a security update and/or Quicktime update soon enough.

perhaps. i doubt any of the people who will comment on this Really Knows.

you know, the real security risk is the arrogance (and perhaps ignorance) of (us) mac users. os x is s0 secure zomgz! (no, this is the internet).