A security researcher has documented malware that uses a
vulnerability in Apple’s QuickTime movie player to make a computer
download and run a Javascript. A MySpace account promoting a French
music group is exploiting the flaw to siphon information about users
visiting the page and send it to a remote server.

The perpetrators pull off the feat by embedding into their page an
invisible QuickTime video that uses one Javascript to download and
execute a second Javascript. It’s this second script that acts as the
spyware, according to the researcher, Didier Stevens, who documents his
findings here.

http://www.theregister.com/2007/03/16/myspace_quicktime_exploit/