QuickTime hack allows Second Life currency theft

Security researchers Dino Dai Zovi and Charlie Miller have found a way to exploit an unpatched QuickTime vulnerability to steal Linden Dollars from users in the Second Life virtual world.

Dai Zovi (the hacker behind the CanSecWest MacBook Pro hijack) and Miller (creator of the first iPhone code execution exploit) cooked up the QuickTime/Second Life attack during an investigation of the security of online games.

It works against QuickTime 7.3 (the latest) and Second Life 1.18.4(3). "All the victim has to do is have video enabled and enter a piece of land owned by the attacker," Miller said, noting that any Second Life player wandering near the attacker will have their pockets picked and then yell "I got hacked!"

Linden Dollars can be converted into U.S. dollars (approximately L$250 to US$1), so this should be considered a very serious issue.

Miller says the attack exploits the same QuickTime vulnerability that was publicly released earlier this week.

Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited.

Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker's avatar twelve Linden dollars and shout "I got hacked".

The duo has created a video showing the victim stumbling upon a piece of land with a small purple box (the exploit). Very shortly after, she freezes, sends the attacker twelve Linden dollars and yells that she was hacked.

In the absence of a patch from Apple, Miller recommends:

We've notified Linden Labs of this problem. We are recommending that until a patch is issued by Apple, Second Life users discontinue their use of video. Specifically, users should click on Edit->Preferences... and then "Audio & Video". Make sure the box next to "Play Streaming Video When Available" is unchecked. This will provide protection from this vulnerability. Users should upgrade their QuickTime when a patch is released.

See more at Miller's Web site.

Talkback

24 comments
  • I will never purchase an Apple product because of this

    Apple's security testing is bottom of the barrel. Pathetic.
    NonZealot
    • Not true

      You weren't going to purchase any Apple products anyway, before this bug was announced.

      Apple's security testing may be "bottom of the barrel", but to claim that this was somehow the difference between you buying Apple or not is disingenuous.
      KTLA
      • mind reader are we?

        How do you know he wasn't going to "purchase any Apple products anyway"? Or is that just a guess? Presented as fact?
        penno2
        • Doesn't take a mind reader

          to recognize a major troll. Just click on any Apple-related story and you will find this sad zealot saying something negative, without fail, and he has said on more than one occasion that he does not use Apple.

          Newbie
          MarcB_z
          • Try dealing with the facts

            Try to avoid shooting the messenger, and just because you think someone is a troll doesn't mean they're wrong.
            tonymcs@...
          • Please.

            You've been here long enough to know that Zealot has no knowledge of OS X. He's even stated it publicly. He only posts ignorant anti-Apple screeds.

            He's the very definition of a troll. He has no message, so you can't really call him a messenger.
            msalzberg
    • Don't worry about Second Life

      just go out and get a REAL life.

      Honestly.
      MarcB_z
    • Like you would without this...

      LOL
      BitTwiddler
    • TYPICAL RESPONSE

      for someone who LOVES billy gates!!!

      Yet, somehow, Apple products and software have nowhere near the Security issues like microshit Crapware!!!

      I wonder why that is???? Well now, let me think.

      There is a reason I will NEVER buy another PC or ANYTHING that has to do with billy gates and his microshit crapware!! Yes, I am a SMUG Apple user. I converted 9 months ago because Microsoft really BITES!!!!!
      dmiller1969@...
    • Hilarious!

      I've come to enjoy NZ's posts quite a bit. Keep 'em coming! No one really pays attention, aside from the comic value, and we can all use a good laugh!
      hjk4300
  • Security is a journey, not a destination

    Good thing for Apple that Microsoft paved the way.

    I know over the years that Windows has had FAR more security issues than OS X, but at the same time, I think Microsoft has learned its lesson, Apple is just now getting to school.

    Apple is going to continue to see these kinds of problems until it begins to look at security as a ground up approach. I think for many years they saw all of Microsoft's problems and thought they had little to worry about. Apple stuff was just out of the box more secure.

    While that may be true, get complacent about it and stuff happens.
    Heatlesssun1
  • O my...the virtual $$$ are gone!

    Not for me...Linux is not hacked like windoze & Quick Time, so my virtual $$$ are safe!
    Linux Geek
    • Shut up, fool.

      nt
      Hallowed are the Ori
    • until the company goes bankrupt

      haha
      Been_Done_Before
  • SL Quicktime can be killed server-side if exploit found in wild

    A paragraph in the Second Life blog seems to say that if Linden Lab starts noticing exploits, they'll kill all QuickTime on the grid and maybe roll back exploit-induced transactions. (This proof-of-concept doesn't count, apparently.) I wouldn't panic, though everyone should definitely turn off streaming video and only enable it at trusted locations if you're expecting to use it.

    Here's the relevant paragraph of the blog:
    "We do have the ability to turn off all videos on the grid, but have instead chosen to respect the existing in-world content and experiences which rely on streaming video, as we know that many of you enjoy these. We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with."
    AySz88
  • HAHA

    nothing digital can't be touched... another lesson brought to you by the digital people.
    Been_Done_Before
  • Question.

    For the exception of those individuals that are disabled to the point that these virtual worlds add a benefit to their life, to the rest does participating in these make you real or virtual losers?

    Second Life = BANK. Genius
    People
  • The sad history of quicktime

    For those who don't remember the previous century, the history of Quicktime under Windows has never been good. It may have worked well on Apple's closed system, but it's always been a problem on Windows.

    The latest problems with Quicktime are an example of Apple's less than perfect programming - which is exemplified in Leopard's faults.

    If Apple wants to get out of its sheltered workshop, it really needs to test its software on other OSs.
    tonymcs@...
    • As compared to the glowing history of windows

      Exploits will be found on every system. A DNS flaw that was found and patched in 1999 just showed up again on some windows systems. As of now the number of exploited flaws on OS X and quicktime have been very small. This may have a lot to do with installed base or it may be that the exploits have just been harder to find. Nobody really knows. The real question is how quickly are holes patched.

      So far apple's track record has been very good and very few people have been compromised due to Apple code.
      puggsly
      • Thank You

        I agree 100%!! There will be flaws in every system and the difference between Apple and microsoft is that Apple jumps right on the flaws and gets the patches out to the people that are most important to Apple and that is their Customers. My experience with MS... well I won't even go there. It makes me bitter!

        I used microsoft products since DOS 3.1, after the Vista Disaster and that is putting it lightly, I decided I was done with MS.

        I have had my iMac for 9 months now and I have yet to have the first problem... with OS X or the iMac itself!! There is a difference-a BIG difference.
        dmiller1969@...