Dai Zovi (the hacker behind the CanSecWest MacBook Pro hijack) and Miller (creator of the first iPhone code execution exploit) cooked up the QuickTime/Second Life attack during an investigation of the security of online games .
It works against QuickTime 7.3 (the latest) and Second Life 1.18.4(3)."All the victim has to do is have video enabled and enter a piece of land owned by the attacker," Miller said, nothing that any Second Life player wandering near the attacker will have their pockets picked and then yell "I got hacked!"
Linden Dollars can be converted into U.S. dollars (approximately L$250 to US$1) so this should be considered a very serious issue.
[ SEE: Apple QuickTime under siege ]
Miller says the attack exploits the same QuickTime vulnerability that was publicly released earlier this week.
Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited.
Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker's avatar twelve Linden dollars and shout "I got hacked".
The duo has created a video showing the victim stumbling upon a piece of land with a small purple box (the exploit). Very shortly after, she freezes, sends the attacker twelve Linden dollars and yells that she was hacked.
[ SEE: QuickTime zero-day attacks intercepted ]
In the absence of a patch from Apple, Miller recommends:
Second Life users (should) discontinue their use of video. Specifically, users should click on Edit->Preferences... and then "Audio & Video". Make sure the box next to "Play Streaming Video When We've notified Linden Labs of this problem. We are recommending that until a patch is issued by Apple, Second Life users discontinue their use of video. Specifically, users should click on Edit->Preferences... and then "Audio & Video". Make sure the box next to "Play Streaming Video When Available" is unchecked. This will provide protection from this vulnerability. Users should upgrade their QuickTime when a patch is released.
See more at Miller's Web site.