Beating the QuickTime Vulnerability

Apple QuickTime includes the ability to create a movie that can use JavaScript commands. This "feature" is referred to as the HREF track. One exploitation of this "feature" resulted in the spreading of a worm on MySpace. While the functionality itself has legitimate uses there is no legitimate reason for forcing active content from a movie file on users. QuickTime has no provision for disabling scripting from a movie. This is similar to Word 95 and Excel 95 where an infected document with an auto-run macro would infect users as soon as they opened it. In Office 1997 the ability to be prompted when there was a macro, and then to allow the user to choose whether or not to run it was added. QuickTime has no such option.

Until Apple fixes QuickTime's serious security vulnerability I would recommend that users do the following:

• From the "Edit" menu in the QuickTime player choose "Preferences", then "QuickTime preferences", and then select the "Browser" tab. /At this point there is an option that is checked by default to "Play movies automatically"
• UNCHECK THIS!!! The result will be that if you visit a web page with a movie it will not run automatically. QuickTime will still load, but you will have to hit the play button. If you did not click on a movie file I recommend that you not play the movie. Taking this step will prevent "drive-by" attacks from being carried out by hostile .MOV files. Remember that if you click on a QuickTime movie file intentionally you will still have to hit the play button to view it, but at least now you have the choice!

Another step you can take that is less effective is to go to the "Edit" menu in the QuickTime player choose "Preferences", then "Player preferences", and then uncheck "Automatically play movies when opened". The result of this will be that when you open a movie on your computer it will load, but not start playing until you hit the play button. If you downloaded a hostile .MOV file (movie) this will give you one last chance to think again before you play it!

Hopefully Apple will fix the problem by providing users with proper control of their application. Consenting to play a movie should never have be the same as consenting to have other applications run in this manner.

Randy Abrams
Director of Technical Education
ESET LLC