A security researcher has documented malware that uses a
vulnerability in Apple’s QuickTime movie player to make a computer
download and run a Javascript. A MySpace account promoting a French
music group is exploiting the flaw to siphon information about users
visiting the page and send it to a remote server.

The perpetrators pull off the feat by embedding into their page an
invisible QuickTime video that uses one Javascript to download and
execute a second Javascript. It’s this second script that acts as the
spyware, according to the researcher, Didier Stevens, who documents his
findings here.