Until Apple fixes QuickTime’s serious security vulnerability I would recommend that users do the following:
From the “Edit” menu in the QuickTime player, choose “Preferences”, then “QuickTime preferences”, and then select the “Browser” tab. At this point there is an option, checked by default, to “Play movies automatically”.
UNCHECK THIS!!! The result will be that if you visit a web page with a movie it will not run automatically. QuickTime will still load, but you will have to hit the play button. If you did not click on a movie file I recommend that you not play the movie. Taking this step will prevent “drive-by” attacks from being carried out by hostile .MOV files. Remember that if you click on a QuickTime movie file intentionally you will still have to hit the play button to view it, but at least now you have the choice!
Another step you can take, though it is less effective, is to go to the “Edit” menu in the QuickTime player, choose “Preferences”, then “Player preferences”, and then uncheck “Automatically play movies when opened”. The result of this will be that when you open a movie on your computer it will load, but not start playing until you hit the play button. If you downloaded a hostile .MOV file (movie), this will give you one last chance to think again before you play it!
Hopefully Apple will fix the problem by providing users with proper control of their application. Consenting to play a movie should never be the same as consenting to have other applications run in this manner.
Director of Technical Education
Author ESET Research, We Live Security