NEWS FROM THE LAB - Monday, December 11, 2006
 

 
QuickTime Flaw is Cross Platform
Posted by SGMasood @ 14:28 GMT


Yep. We tested the two security issues mentioned in our previous post on Mac OS X with QuickTime v7.1.3. We found that the .qtl issue works on the Mac. So, now we have an unpatched QuickTime vulnerability that affects both Windows and Mac OS users. Any malicious JavaScript code exploiting it would affect the users of both operating systems. Phishing and Quickspace-type web application worms are two examples of attacks that are possible.

Click here to view a screenshot from our test.

Also, let us reiterate once again that this is not a MySpace-only issue – this affects every other website that allows the embedding of QuickTime content. We tested two other well-known social networking sites.

Just a side note: the HREF track and .qtl issues seem to affect users of QuickTime Alternative as well.