OmniWeb subject to JavaScript injection from QT HREFTrack


jimlongo
2006-12-06, 06:37 AM
You've probably seen the headlines: there's an interesting XSS attack going on at MySpace using a malicious QuickTime movie to infect MySpace sites.

Here's a good description of the basic technique that uses a QT movie to execute an HREFTrack, the HREFTrack being some JavaScript.
http://www.gnucitizen.org/blog/backdooring-quicktime-movies/

The interesting thing (to this forum) would be that this technique doesn't work in Safari. It does, however, execute JavaScript in OmniWeb, which surprised me since OW utilizes so much of WebKit.
You can access this test movie to see if your browser displays a benign pop-up: http://rdiv.com/downloads/jim/pop-up.mov

I'm not sure whether this is a Safari security feature or a lack of JavaScript support . . . and is this a correctly functioning feature or a hole in OmniWeb?

Handycam
2006-12-06, 09:59 AM
This is a good question.

In general, whenever Apple releases a Security Update via Software update, one of the things usually updated is Safari, to fix security holes.

There are also frequent security updates to Firefox, from the Mozilla people.

My question is, what about OW? Are fixes from Apple sufficient to fix the same WebKit flaw in OW, or does Omni need to fix each hole just like Apple?

It would seem from the above post that things fixed in Safari don't automatically get fixed in OW, which makes me a bit concerned. Not that there are too many security flaws, but it makes me feel better when Apple or Mozilla issue patches regularly and to address major flaw announcements.

jimlongo
2006-12-06, 10:20 AM
I have only recent versions of Safari and OW, but apparently even 1.x versions of Safari are not executing this JavaScript.

troyb
2006-12-07, 04:14 PM
It depends on the security issue but usually it's our responsibility to release a patch that prevents / corrects the flaw.