These days we have been analyzing one of the latest MySpace threats, JS/MySpace.A, which uses an interesting QuickTime feature: HREF Tracks. A deep analysis of this malware is available on Didier Stevens's blog.
Abuse of HREF Tracks was first documented by pdp on the GNUCITIZEN blog; later the MoAB project showed how to exploit them in conjunction with other vulnerabilities to gain remote code execution.
The end of the story is as follows: Apple has finally removed JavaScript support from QuickTime as of version 7.1.5.
But that's not the end of it. I still remember a very similar case in which a feature became a vulnerability and we ended up adding generic detections for a legal and documented use of the WMF file format, though I don't think anybody was really using it.
So I wonder and I ask you:
Should we add generic detections for file formats that support insecure features? If we do so, we may stop malware, but what can we say to a hypothetical customer who is using those features properly?