Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Monday, 03 December 2007 10:03

QuickTime RTSP flaw enables Second Life muggings

A pair of security researchers has demonstrated a way of exploiting the QuickTime RTSP vulnerability to steal currency from Second Life avatars.
The exploit is associated with an object that's left for other inhabitants to stumble upon. Any avatar moving onto the same piece of land as the object triggers the playback of a malicious QuickTime file that takes advantage of the vulnerability.

"Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar," say researchers Charlie Miller and Dino Dai Zovi.

The demo exploit makes the affected avatar send 12 Linden Dollars and shout "I got hacked." The attacker can then convert the Linden Dollars into real-world currency.

Until Apple releases a fix, Linden Lab recommends its users disable the streaming video playback option in the Second Life viewer "except when you are attending a known and trusted venue."

The company could have disabled this feature globally, but chose not to as many users enjoy "in-world content and experiences which rely on streaming video".

"We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker," said Linden officials.

Perhaps the existence of an exploit involving a big-name online environment and the risk of real-life monetary losses will spur Apple into releasing an updated version of QuickTime more expeditiously than would otherwise have been the case.

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.



Recent Comments