QuickTime flaw used to steal Linden dollars
updated 03:55 pm EST, Tue December 4, 2007
QT flaw can steal Lindens
A vulnerability in the QuickTime media player discovered late last month has been exploited to steal virtual currency (called "Linden Dollars") in the game Second Life, a significant problem since Linden Dollars can be converted into US dollars, with an exchange rate of about 250 Linden to one US dollar. The capability was discovered by Charlie Miller and Dino Dai Zovi, who said: "Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited. Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker's avatar twelve Linden dollars and shout 'I got hacked.'"
Miller and Dai Zovi have posted a video of the exploit taking place.
The QuickTime flaw is a boundary error that can be triggered when processing RTSP replies, simply by using an overly long "Content-Type" header. This in turn leads to a stack-based buffer overflow, which gives attackers the ability to execute arbitrary code. At present, however, the vulnerability is only confirmed to work on QuickTime 7.3, and it requires victims to open a QTL file or visit a malicious website.
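As an added illustration (not part of the original article, and not code from Apple, Linden Lab or the researchers), the check below parses RTSP replies and flags an implausibly long Content-Type header, the condition described above. The 128-byte limit, the function names and the sample replies are assumptions constructed for the example.

```python
# Added example: flag RTSP replies whose Content-Type header is implausibly long.
# MAX_CONTENT_TYPE is an assumed threshold, not a value from the article;
# legitimate values such as "application/sdp" are only a few bytes long.
MAX_CONTENT_TYPE = 128

def parse_rtsp_headers(reply: bytes):
    """Return (status_line, [(name, value), ...]) for one RTSP reply."""
    head = reply.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    status, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            # Folded continuation line: it extends the previous header value,
            # so its bytes must count toward that header's length.
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
        elif b":" in line:
            name, value = line.split(b":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def check_reply(reply: bytes, limit: int = MAX_CONTENT_TYPE):
    """Return a list of findings; an empty list means nothing was flagged."""
    status, headers = parse_rtsp_headers(reply)
    if not status.startswith(b"RTSP/"):
        return []  # not an RTSP reply, out of scope for this check
    findings = []
    for name, value in headers:
        # Header names are case-insensitive, so compare the lowercased name.
        if name == b"content-type" and len(value) > limit:
            findings.append(f"Content-Type is {len(value)} bytes (limit {limit})")
    return findings

# Constructed sample replies (not captured traffic).
NORMAL = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
          b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
OVERSIZED = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
             b"content-type: " + b"A" * 1000 + b"\r\n\r\n")
FOLDED = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
          b"Content-Type: application/sdp;\r\n\tx=" + b"B" * 500 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, reply in (("normal", NORMAL), ("oversized", OVERSIZED),
                         ("folded", FOLDED)):
        print(label, check_reply(reply) or "ok")
```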
To guard against this exploit, the team recommends that Second Life users discontinue their use of video by clicking Edit->Preferences and then "Audio & Video" and making sure that the box next to "Play Streaming Video When Available" is unchecked. Users should, of course, upgrade their QuickTime when a patch is released.
Linden Labs has been notified of the problem.

Proves
12/04, 04:59pm reply
just how real Second Life is! Real thieves stealing from people!
tindrum
Fresh-Faced Recruit
Joined: Apr 2004
yeah..
12/04, 05:04pm reply
And how, when, how many has this actually affected?
I love all the publicity about this - when every minute, thousands of infected computers are sending out emails, spoofing sites, and attempting to steal data.
But please, tell us about the 2 people this happened to! (Who happen to work for a company that sells security services to online gaming providers. - How interesting that only these so-called security firms are the only ones "discovering" exploits, isn't it?)
Doofuses.
robttwo
Fresh-Faced Recruit
Joined: Nov 2005
wow
12/04, 05:48pm reply
Each theft is 12 Linden, which is 5 cents. Definitely a serious problem.
elroth
Fresh-Faced Recruit
Joined: Jul 2006
Go to jail
12/04, 05:59pm reply
wouldn't this be really easy to trace... I would trace it and call the FBI... fücker will go to jail!
sixcolors
Fresh-Faced Recruit
Joined: Oct 2001
So....
12/04, 06:27pm reply
I don't get it. Does this code only affect files within Second Life's reach as a game, or can it spread throughout the system? Is this an OS specific issue, or just the game platform we're talking about here?
And 5¢? That's a joke considering how many ppl this would have to affect. Ditto on the above comments about the slime at so-called "security" firms.
danviento
Fresh-Faced Recruit
Joined: Dec 2005
bad headline...
12/04, 06:36pm reply
from the Yellow Bellies at MacNN. It should read that through an exploit of QuickTime, Linden dollars MAY be diverted. Frankly, anybody who puts real bucks into fantasy land deserves a good technological buggering anyway.
Feathers
Forum Regular
Joined: Oct 1999
Easy to exploit
12/04, 10:56pm reply
Just to clarify, Second Life is vulnerable not because of any flaw in the game software itself, but because it allows players to embed video files in game objects, with QuickTime as the application handling all video rendering. All you have to do is visit a portion of the game where QuickTime is used. It's pretty easy to exploit. Let's remember in 2006 the MySpace worm was caused by a QuickTime vulnerability that was also easily exploited, and that was the biggest worm of 2006.
And frankly, anything that cheats people out of money, large or small, just by doing something they do every day, is a big deal.
As for the security companies: No security company issued a press release about this. None. The people who discovered the vulnerability are the ones that alerted the press. It grabbed headlines because frankly Apple tries to tout its security in its advertising, and therefore an Apple vulnerability will get headlines.
And MacNN: try being less of a click w****. They sensationalized the headline; it should say "QuickTime ALLOWS hackers to steal Linden dollars."
fubar_this
Fresh-Faced Recruit
Joined: Jul 2006
quicktime exploit or not
12/06, 08:33am reply
this is still on Second Life for their own lack of security. Especially if they're going to have a legitimate exchange rate for imaginary money to US Dollars.
What will be real funny is if the Linden Buck ends up out-valuing the US Dollar with the rate at which the Dollar is dropping these days.
UberFu
Fresh-Faced Recruit
Joined: Oct 2002