There’s a story in the SANS ISC Diary today about JavaScript hiding in media files. It has the potential to be a security nightmare, but the right question is, “why are they doing this?” Do we need a better container format? QuickTime is such a container, yet Apple supports scripts in unwrapped MP3 – why is that? Is it the lack of metadata support in Windows?