New QuickTime Exploit hits MySpace, Steals Passwords

From Computerworld

A Trojan horse exploiting a flaw in Apple Inc.'s QuickTime that was patched two weeks ago is infecting MySpace.com users' computers and collecting confidential information, including passwords, several security companies said today.

The attack is reminiscent of one late last year that plagued MySpace users and forced the popular social networking site to shut down hundreds of profiles.

Like that December exploit, today's leverages the QuickTime "HREF" function, which allows movies to contain URLs or JavaScript that load Web pages into a browser. Rather than issue a fix to all QuickTime users then, however, Apple took the unusual step of letting MySpace itself link to the blocking code. In other words, only MySpace users were protected.

"This function is not strictly a bug or a vulnerability, but it is something that can be misused," said Ivan Macalintal, research director at Trend Micro Inc.
