These days we have been analyzing one of the latest MySpace threats, JS/MySpace.A, which abuses an interesting QuickTime feature: HREF Tracks. A detailed analysis of this malware is available at Didier Stevens' blog.
Abusing HREF Tracks was first documented by pdp on the GNUCITIZEN blog; later the MoAB (Month of Apple Bugs) project showed how to chain them with other vulnerabilities so that an attacker could gain remote code execution.
But that's not the end of it. I still remember a very similar case in which a feature became a vulnerability and we ended up adding generic detections for a legal and documented use of the WMF file format, though I don't think anybody was really using it.
So I wonder, and I ask you:
Should we add generic detections for file formats that support insecure features? If we do so we may stop malware, but what can we say to a hypothetical customer who is using those features legitimately?
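To make the trade-off in that question concrete, here is an added example (not code from this post, nor from Didier Stevens' or GNUCITIZEN's analyses): a minimal QuickTime atom walker in Python that separates the cases a generic detection has to tell apart: no HREF track at all, a documented click-driven HREF track pointing at a web URL, an HREF track that autoloads a URL, and an HREF track whose sample carries a `javascript:` URL. It assumes the documented HREF track conventions (a track whose user-data `name` entry is `HREFTrack`, and text samples of the form `A<url> T<target>`, where the leading `A` means "load automatically" instead of on click); scanning the whole `mdat` payload for that syntax instead of walking the sample tables is a deliberate shortcut, and the three input files are constructed inline, not real samples.

```python
import re
import struct

# QuickTime atoms whose payload is itself a list of atoms; the walker descends into these.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts"}

# HREF track sample syntax: "<url> T<target>", optionally prefixed with "A" (autoload).
# Only URLs with a scheme are captured so that the "T<target>" part never matches.
HREF_RE = re.compile(rb"(A?)<([A-Za-z][A-Za-z0-9+.-]*:[^>]*)>")


def iter_atoms(buf, start=0, end=None):
    """Yield (type, payload_start, payload_end) for the atoms in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        hdr = 8
        if size == 1:                        # 64-bit extended size follows the header
            if pos + 16 > end:
                raise ValueError("truncated extended atom at offset %d" % pos)
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            hdr = 16
        elif size == 0:                      # atom runs to the end of the buffer
            size = end - pos
        if size < hdr or pos + size > end:   # never walk outside the buffer
            raise ValueError("malformed atom %r at offset %d" % (kind, pos))
        yield kind, pos + hdr, pos + size
        pos += size


def track_names(buf):
    """Collect the user-data 'name' entry of every track; an HREF track is named HREFTrack."""
    names = []

    def walk(start, end, path):
        for kind, ps, pe in iter_atoms(buf, start, end):
            if kind == b"name" and path[-2:] == [b"trak", b"udta"]:
                names.append(buf[ps:pe].rstrip(b"\0").decode("latin-1"))
            elif kind in CONTAINERS:
                walk(ps, pe, path + [kind])

    walk(0, len(buf), [])
    return names


def scan_quicktime(buf):
    """Classify a QuickTime file by how (and whether) it uses the HREF track feature."""
    names = track_names(buf)
    has_href = "HREFTrack" in names
    urls = []
    for kind, ps, pe in iter_atoms(buf):
        if kind == b"mdat":                  # shortcut: regex over the media data, not the sample tables
            for auto, url in HREF_RE.findall(buf[ps:pe]):
                urls.append((auto == b"A", url.decode("latin-1")))
    scripted = [u for _, u in urls if u.lower().startswith(("javascript:", "vbscript:"))]
    if has_href and scripted:
        verdict = "malicious"                # script URL inside an HREF track: the abuse case
    elif has_href and any(auto for auto, _ in urls):
        verdict = "suspicious"               # autoload: a URL is fetched without any click
    elif has_href:
        verdict = "feature"                  # documented, click-driven HREF track: the legitimate customer
    else:
        verdict = "clean"
    return {"track_names": names, "urls": urls, "verdict": verdict}


def atom(kind, payload):
    """Serialize one atom with a 32-bit size header."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def build_sample(track_name, text_sample):
    """Constructed minimal file: one track with a user-data name plus one text sample in mdat."""
    moov = atom(b"moov", atom(b"trak", atom(b"udta", atom(b"name", track_name))))
    # QuickTime text samples are a 16-bit length followed by the text itself.
    mdat = atom(b"mdat", struct.pack(">H", len(text_sample)) + text_sample)
    return moov + mdat


if __name__ == "__main__":
    for name, sample in ((b"HREFTrack", b"A<javascript:alert(1)> T<myself>"),
                         (b"HREFTrack", b"A<http://example.org/> T<_blank>"),
                         (b"HREFTrack", b"<http://example.org/> T<_blank>"),
                         (b"Subtitles", b"Hello")):
        print(name.decode(), scan_quicktime(build_sample(name, sample))["verdict"])
```

The point of the four verdicts is the one the question raises: a signature that fires on `HREFTrack` alone blocks the legitimate customer together with the malware, while keying on the autoload flag and the URL scheme keeps the documented, click-driven use working and still catches the script-carrying sample. The cost is that the classifier now depends on how well it locates the samples; the `mdat` regex above is fine for a demonstration, but a real engine should resolve the text track's sample offsets from the sample tables so that an attacker cannot hide the sample elsewhere in the file.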