If you haven't disabled video in SL yet, hopefully this will make you do it! I found this out on ZD-Net. I will comment more on it after RL work.
QuickTime hack allows Second Life currency theft
Security researchers Dino Dai Zovi and Charlie Miller have found a way to exploit an unpatched QuickTime vulnerability to steal Linden Dollars from users in the Second Life virtual world.
Dai Zovi (the hacker behind the CanSecWest MacBook Pro hijack) and Miller (creator of the first iPhone code execution exploit) cooked up the QuickTime/Second Life attack during an investigation of the security of online games.
It works against QuickTime 7.3 (the latest) and Second Life 1.18.4(3).
“All the victim has to do is have video enabled and enter a piece of land owned by the attacker,” Miller said, noting that any Second Life player wandering near the attacker will have their pockets picked and then yell “I got hacked!”
Rest of the story at ZD-Net
- ArthurFermi's blog

well you can still watch
Well, you can still watch video in your own land or land owned by people you know. Video from trusted sources.
It's true that this exploit opened a can of worms all over the internet. The net is no longer safe. Browsing to an untrusted website can make you a victim of the same exploit. But one thing we must know is that this vulnerability is not in the air. You don't catch it from the air; you need to be in an untrusted location or clicking on an untrusted weblink.
This thing has to be solicited to you in some way, by email, in a chat room, or through a website.
The solution for now is to go with sites you trust only.
Video products from established media stores in SL are safe; if you're in doubt, find out from the owner. Most are using progressive downloads btw and not RTSP. Even if they used RTSP, the exploit has to be explicitly implemented to do harm. It's not in the air.
Just disable video when going to unknown parcels, and only turn it on when you're using it in a safe location.
It also helps to turn off scripting and build on your land, and disable auto-loading for SL web profiles.
You are correct, but what is
You are correct, but what is a trusted source? Based on the way this attack seems to work, you might be able to do it on a reliable parcel, even your own. Media exploit Personally, most places should have building turned off. If you turn off objects and object entry, then you remove the possibility of leaving prim-based attacks around. By turning off scripting you give problems with AOs and things like that, a bit annoying.
Arthur Fermi
Fermi Sandbox & University
www.fermidesigns.com
For trusted sources some
For trusted sources some places come to mind,
http://slcn.tv,
http://www.lifeforyou.tv/eng/,
http://www.myslhome.tv
True, turning off scripting can be annoying, but it depends on what the land is used for. You can limit scripting to members of your private group only.
Trusted Sources
Yeah, I'm all for the trusted sources :) I'm just concerned with a mix of exploits, if you could come home and have your media info changed.
Yes, private group is good; in our shops we have build and entry off, scripts on.
Arthur Fermi
Fermi Sandbox & University
www.fermidesigns.com
True, I agree
True, I agree
See Miller's Blog at
See Miller's blog at http://securityevaluators.com/sl/; it includes a video of the exploit.
Arthur Fermi
Fermi Sandbox & University
www.fermidesigns.com
So people need to be aware
So people need to be aware of people offering public broadcasts and take great caution when using QuickTime. I've turned mine off, which is a pain, as I was wondering why I couldn't get a television working on group land for one of my tenants and then remembered this security issue!!!
Better safe than sorry though.
This is another financial
This is another financial blow for many small businesses once again. Those that provide streaming media content to people are going to be hurt. This is certainly not LL's fault directly, but we shouldn't be stuck with just one media format. I wonder if it would help things if SL did some sort of encapsulation.
Arthur Fermi
Fermi Sandbox & University
www.fermidesigns.com