QuickTime RTSP flaw enables Second Life muggings

Stephen Withers
Monday, 03 December 2007 09:03

Opinion and Analysis

A pair of security researchers has demonstrated a way of exploiting the QuickTime RTSP vulnerability to steal currency from Second Life avatars.
The exploit is associated with an object that's left for other inhabitants to stumble upon. Any avatar moving onto the same piece of land as the object triggers the playback of a malicious QuickTime file that takes advantage of the vulnerability.

"Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar," say researchers Charlie Miller and Dino Dai Zovi.

The demo exploit makes the affected avatar send 12 Linden Dollars and shout "I got hacked." The attacker can then convert the Linden Dollars into real-world currency.

Until Apple releases a fix, Linden Lab recommends its users disable the streaming video playback option in the Second Life viewer "except when you are attending a known and trusted venue."

The company could have disabled this feature globally, but chose not to as many users enjoy "in-world content and experiences which rely on streaming video".

"We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker," said Linden officials.

Perhaps the existence of an exploit involving a big-name online environment and the risk of real-life monetary losses will spur Apple into releasing an updated version of QuickTime more expeditiously than would otherwise have been the case.