QuickTime hack allows Second Life currency theft

Summary:Security researchers Dino Dai Zovi and Charlie Miller have found a way to exploit an unpatched QuickTime vulnerability to steal Linden Dollars from users in the Second Life virtual world.Dai Zovi (the hacker behind the CanSecWest MacBook Pro hijack) and Miller (creator of the first iPhone code execution exploit) cooked up the QuickTime/Second Life attack during an investigation of the security of online games .

QuickTime hack allows Second Life currency theft
Security researchers Dino Dai Zovi and Charlie Miller have found a way to exploit an unpatched QuickTime vulnerability to steal Linden Dollars from users in the Second Life virtual world.

Dai Zovi (the hacker behind the CanSecWest MacBook Pro hijack) and Miller (creator of the first iPhone code execution exploit) cooked up the QuickTime/Second Life attack during an investigation of the security of online games .

It works against QuickTime 7.3 (the latest) and Second Life 1.18.4(3)."All the victim has to do is have video enabled and enter a piece of land owned by the attacker," Miller said, nothing that  any Second Life player wandering near the attacker will have their pockets picked and then yell "I got hacked!"

Linden Dollars can be converted into U.S. dollars (approximately L$250 to US$1)  so this should be considered a very serious issue.

[ SEE: Apple QuickTime under siege ]

Miller says the attack exploits the same QuickTime vulnerability that was publicly released earlier this week.

Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited.

Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker's avatar twelve Linden dollars and shout "I got hacked".

The duo has created a video showing the victim stumbling upon a piece of land with a small purple box (the exploit).  Very shortly after, she freezes, sends the attacker twelve Linden dollars and yells that she was hacked.

[ SEE: QuickTime zero-day attacks intercepted ]

In the absence of a patch from Apple, Miller recommends:

Second Life users (should) discontinue their use of video. Specifically, users should click on Edit->Preferences... and then "Audio & Video". Make sure the box next to "Play Streaming Video When  We've notified Linden Labs of this problem. We are recommending that until a patch is issued by Apple, Second Life users discontinue their use of video. Specifically, users should click on Edit->Preferences... and then "Audio & Video". Make sure the box next to "Play Streaming Video When Available" is unchecked. This will provide protection from this vulnerability. Users should upgrade their QuickTime when a patch is released.

See more at Miller's Web site.

Topics: Security, Hardware, Mobility

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.