Second Life is riddled with bugs, that’s a well-known fact: it seems you can be glad if you still have your belongings (and your clothing, for that matter) with you after being teleported to a new land. This time a severe security issue has been exposed in Second Life, to be more precise an exploit of QuickTime videos that hits Second Life through the QuickTime player embedded in the Second Life Viewer. Right now, after enjoying a QT video in Second Life, zing!, you might find yourself robbed of all your Linden Dollars, or your avatar might start moving uncontrollably towards the next land to spread the QT virus further.
That’s true, as Mashable reports, by using a flaw in QuickTime, one “can not only pick the pocket of any user within 100 virtual feet of the [QT-]player, they can take complete control of the avatar. Once the account has been taken over, the hackers can then use that avatar to go to other lands, embed their virus loaded video, and it will continue to spread from land to land.”
Dean Takahashi states in his blog:
“The exploit works because Second Life allows users to embed videos or pictures on their character’s or their virtual property. When someone comes nearby and is within view of the object, the Second Life software activates QuickTime so it can play the video or picture. In doing so, QuickTime directs the Second Life software to a web site. By exploiting the flaw in QuickTime, the hackers can direct the Second Life software to a malicious web site that then allows them to take over the Second Life avatar.”
There is no fix for the exploit yet, but Linden’s official blog covers the matter:
“At this time we advise that you disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue. To do this, just open the Preferences dialog, and uncheck the “Play Streaming Video When Available” checkbox on the “Audio & Video” tab.”
The QuickTime header stack buffer overflow was disclosed only about two weeks ago, and so far there does not seem to be any proof of a real pickpocketing in SL using this bug.
Please leave us your comments on this topic.