updated 03:55 pm EST, Tue December 4, 2007
QT flaw can steal Lindens
A vulnerability in the QuickTime media player discovered late last month has been exploited to steal virtual currency in the game Second Life (called "Linden Dollars"), a significant problem since Linden Dollars can be converted into US dollars, with an exchange rate of about 250 Linden to one US dollar. The capability was discovered by Charlie Miller and Dino Dai Zovi, who said: "Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime file, they can be exploited. Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker's avatar twelve Linden dollars and shout 'I got hacked.'"
Miller and Dai Zovi have posted a video of the exploit taking place.
The QuickTime flaw involves a boundary error that can be triggered when processing RTSP replies, simply by sending an overly long "Content-Type" header. This in turn leads to a stack-based buffer overflow, which lets attackers execute arbitrary code. The vulnerability is only confirmed to work on QuickTime 7.3 at present, however, and requires victims to open a QTL file or visit a malicious website.
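Because the trigger is nothing more than an RTSP reply whose Content-Type value is far longer than any legitimate MIME type, a network proxy or intrusion-detection rule can flag such replies before a vulnerable player parses them. The script below is an added example, not code from this article or from Miller and Dai Zovi: it parses an RTSP response into a header map and reports any watched header whose value exceeds a policy limit. The 256-byte threshold and the two sample messages are constructed assumptions, not values taken from the QuickTime bug.

```python
"""Flag RTSP responses carrying an over-long Content-Type header.

Added example (not from the article). The sample messages below are
constructed, and MAX_HEADER_VALUE is an assumed policy threshold chosen
because real MIME types are a few dozen bytes long; it is not a value
taken from the QuickTime vulnerability itself.
"""
from typing import Dict, List, Tuple

# Assumed policy limit: anything past this in a MIME-type header is suspicious.
MAX_HEADER_VALUE = 256
# Headers whose length we enforce; the article names Content-Type as the trigger.
WATCHED_HEADERS = ("content-type",)


def parse_rtsp_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an RTSP response into its status line and a lowercase-keyed header map.

    Values are kept as Python strings, so an over-long header is simply data to
    inspect here rather than something copied into a fixed-size buffer.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed header lines instead of failing
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_headers(headers: Dict[str, str], limit: int = MAX_HEADER_VALUE) -> List[str]:
    """Return the names of watched headers whose value exceeds the limit."""
    return [name for name in WATCHED_HEADERS if len(headers.get(name, "")) > limit]


def inspect_rtsp_response(raw: bytes, limit: int = MAX_HEADER_VALUE) -> List[str]:
    """Parse a raw RTSP reply and return the list of offending header names."""
    _status, headers = parse_rtsp_response(raw)
    return check_headers(headers, limit)


# Constructed sample replies (not captured traffic).
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
          b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
SUSPICIOUS = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
              b"Content-Type: " + b"A" * 1024 + b"\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        flagged = inspect_rtsp_response(msg)
        print(label, "flagged:", flagged if flagged else "none")
```

Run as a script it reports nothing for the benign reply and flags `content-type` for the padded one; the same `inspect_rtsp_response` call can be dropped into a proxy that sits between a media client and untrusted RTSP servers, where a flagged reply should be dropped and logged rather than forwarded.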
To guard against this exploit, the team recommends that Second Life users disable video by opening Edit->Preferences, selecting "Audio & Video", and making sure that the box next to "Play Streaming Video When Available" is unchecked. Users should, of course, upgrade QuickTime when a patch is released.
Linden Labs has been notified of the problem.