
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

QuickTime hack allows Second Life currency theft

December 4, 2007, 10:38am PST


Security researchers Dino Dai Zovi and Charlie Miller have found a way to exploit an unpatched QuickTime vulnerability to steal Linden Dollars from users in the Second Life virtual world.

Dai Zovi (the hacker behind the CanSecWest MacBook Pro hijack) and Miller (creator of the first iPhone code execution exploit) cooked up the QuickTime/Second Life attack during an investigation of the security of online games.

It works against QuickTime 7.3 (the latest) and Second Life 1.18.4(3). “All the victim has to do is have video enabled and enter a piece of land owned by the attacker,” Miller said, noting that any Second Life player wandering near the attacker will have their pockets picked and then yell “I got hacked!”

Linden Dollars can be converted into U.S. dollars (approximately L$250 to US$1), so this should be considered a very serious issue.

[ SEE: Apple QuickTime under siege ]

Miller says the attack exploits the same QuickTime vulnerability that was publicly released earlier this week.

Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited.

Once the malicious file has been viewed by the victim, the attacker has complete control over the victim’s computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker’s avatar twelve Linden dollars and shout “I got hacked”.

The duo has created a video showing the victim stumbling upon a piece of land with a small purple box (the exploit). Very shortly after, she freezes, sends the attacker twelve Linden dollars and yells that she was hacked.

[ SEE: QuickTime zero-day attacks intercepted ]

In the absence of a patch from Apple, Miller recommends:

We’ve notified Linden Labs of this problem. We are recommending that until a patch is issued by Apple, Second Life users discontinue their use of video. Specifically, users should click on Edit->Preferences… and then “Audio & Video”. Make sure the box next to “Play Streaming Video When Available” is unchecked. This will provide protection from this vulnerability. Users should upgrade their QuickTime when a patch is released.

See more at Miller’s Web site.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

24 Comments

Apple's security testing is bottom of the barrel. Pathetic.
0 Votes
Not true
KTLA 4th Dec 2007
You weren't going to purchase any Apple products anyway, before this bug was announced.

Apple's security testing may be "bottom of the barrel", but to claim that this was somehow the difference between you buying Apple or not is disingenuous.
0 Votes
mind reader are we?
penno2 4th Dec 2007
How do you know he wasn't going to "purchase any Apple products anyway"? Or is that just a guess? Presented as fact?
0 Votes
Doesn't take a mind reader
MarcB_z 4th Dec 2007
to recognize a major troll. Just click on any Apple-related story and you will find this
sad zealot saying something negative, without fail, and he has said on more than one
occasion that he does not use Apple.

Newbie
0 Votes
Try dealing with the facts
tonymcs@... 4th Dec 2007
Try to avoid shooting the messenger, and just because you think someone is a troll doesn't mean they're wrong.
0 Votes
Please.
msalzberg 4th Dec 2007
You've been here long enough to know that Zealot has no knowledge of OS X. He's
even stated it publicly. He only posts ignorant anti-Apple screeds.

He's the very definition of a troll. He has no message, so you can't really call him a
messenger.
0 Votes
Don't worry about Second Life
MarcB_z 4th Dec 2007
just go out and get a REAL life.

Honestly.
0 Votes
Like you would without this...
BitTwiddler 4th Dec 2007
LOL
0 Votes
TYPICAL RESPONSE
dmiller1969@... 14th Dec 2007
for someone who LOVES billy gates!!!

Yet, somehow, Apple products and software have nowhere near the Security issues
like microshit Crapware!!!

I wonder why that is???? Well now, let me think.

There is a reason I will NEVER buy another PC or ANYTHING that has to do with
billy gates and his microshit crapware!!
Yes, I am a SMUG Apple user. I converted 9 months ago because Microsoft really
BITES!!!!!
0 Votes
HIlarious!
hjk4300 17th Dec 2007
I've come to enjoy NZ's posts quite a bit. Keep 'em coming! No one really pays attention, aside from the comic value, and we can all use a good laugh!
0 Votes
Security is a journey, not a destination
Heatlesssun1 4th Dec 2007
Good thing for Apple that Microsoft paved the way.

I know over the years that Windows has had FAR more security issues than OS X, but at the same time, I think Microsoft has learned its lesson, Apple is just now getting to school.

Apple is going to continue to see these kinds of problems until it begins to look at security as a ground up approach. I think for many years they saw all of Microsoft's problems and thought they had little to worry about. Apple stuff was just out of the box more secure.

While that may be true, get complacent about it and stuff happens.
0 Votes
O my...the virtual $$$ are gone!
Linux Geek 4th Dec 2007
Not for me...Linux is not hacked like windoze & Quick Time, so my virtual $$$ are safe!
0 Votes
Shut up, fool.
Hallowed are the Ori 4th Dec 2007
nt
0 Votes
until the company goes bankrupt
Been_Done_Before 5th Dec 2007
haha
A paragraph in the Second Life blog seems to say that if Linden Lab starts noticing exploits, they'll kill all QuickTime on the grid and maybe roll back exploit-induced transactions. (This proof-of-concept doesn't count, apparently.) I wouldn't panic, though everyone should definitely turn off streaming video and only enable it at trusted locations if you're expecting to use it.

Here's the relevant paragraph of the blog:
"We do have the ability to turn off all videos on the grid, but have instead chosen to respect the existing in-world content and experiences which rely on streaming video, as we know that many of you enjoy these. We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with."
0 Votes
HAHA
Been_Done_Before 4th Dec 2007
nothing digital can't be touched... another lesson brought to you by the digital people.
0 Votes
Question.
People 4th Dec 2007
For the exception of those individuals that are disabled to the point that these virtual worlds add a benefit to their life, to the rest does participating in these make you real or virtual losers?

Second Life = BANK. Genius
0 Votes
The sad history of quicktime
tonymcs@... 4th Dec 2007
For those who don't remember the previous century, the history of Quicktime under Windows has never been good. It may have worked well on Apple's closed system, but it's always been a problem on Windows.

The latest problems with Quicktime are an example of Apple's less than perfect programming - which is exemplified in Leopard's faults.

If Apple wants to get out of its sheltered workshop, it really needs to test its software on other OSs.
0 Votes
Exploits will be found on every system. A DNS flaw that was found and patched in
1999 just showed up again on some windows systems. As of now the number of
exploited flaws on OS X and quicktime have been very small. This may have a lot to do
with installed base or it may be that the exploits have just been harder to find.
Nobody really knows. The real question is how quickly are holes patched.

So far apple's track record has been very good and very few people have been compromised due to Apple code.
0 Votes
Thank You
dmiller1969@... 14th Dec 2007
I agree 100%!! There will be flaws in every system and the difference between
Apple and microsoft is that Apple jumps right on the flaws and gets the patches out to
the people that are most important to Apple and that is their Customers. My
experience with MS... well I won't even go there. It makes me bitter!

I used microsoft products since DOS 3.1, after the Vista Disaster and that is putting
it lightly, I decided I was done with MS.

I have had my iMac for 9 months now and I have yet to have the first problem...
with OS X or the iMac itself!! There is a difference-a BIG difference.
0 Votes
Let me guess
People 5th Dec 2007
You're helping by beta testing Safari?

Since you brought it up, how is Mac OS X any more or less closed than Windows? Can you provide me the source code to explorer.exe? How about the HAL?

Here, have some Apple source: http://www.opensource.apple.com/darwinsource/

The QT unit has some house cleaning to do. I'll give you that.
0 Votes
Oh Dear...
mollenhourb@... 5th Dec 2007
The fake money from a fake world with fake people is gone. This is finally it; the end
of America as a world power. Now we know from where the next act of terrorism will
come. The Iranians will steal all our Linden dollars and our economy will collapse.

I better start stuffing my mattress.
0 Votes
Sad that people spend money like this...
John Musbach 5th Dec 2007
I personally find it sad that online gaming is such a profitable business. People are dropping cash left and right for what? A game? Why people spend hundreds on an online game is beyond me, IMO people who waste money like this deserve a little jolt in hopes that it brings them back to reality and makes them more conscious about how they're spending their money. Stop dropping money on stuff that actually holds little value and these kinds of issues will be of little relevance to you...

- John Musbach
0 Votes
I don't like football and would never spend the amounts of money some people spend on tickets, memorabilia, etc etc Yet that's something millions and millions of people drop money on every year.
If you went to a game and someone stole your car while you were in the stadium would you consider yourself responsible? Would you say "if I didn't like football so much this wouldn't have happened?"

Who are you to place yourself higher than these gamers, as if you were a much more enlightened person?

The people who play Second Life enjoy it and it's not right that some ****** out there might rip them off in the process.
