If you logged into Second Life yesterday, you’ve seen the announcement from Linden Lab:
We were alerted a short time ago that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit the Second Life viewer. The Second Life viewer uses Apple QuickTime to play videos and streaming media. This exploit affects QuickTime usage on every platform that uses it, and to date, Apple has not released a fix for the exploit.
While the Lindens are very clear that this is an exploit in QuickTime and not Second Life specifically, they were less than forthcoming about the exact details of the exploit. Mercury News fills in the details.
Charles Miller…and Dino Dai Zovi…, two experienced hackers, say they have found a vulnerability in the way Second Life protects a user’s money inside the virtual world from being stolen. It has significance because that currency, dubbed Linden dollars, can be converted into real world dollars.
According to Mercury News, QuickTime can be directed to a malicious website that “allows them to take over the Second Life avatar.”
Personally, I’m not clear about how this could work. Each land parcel in Second Life has an associated video stream, so the landowner would have to add the URL to their land — it’s not something a hacker can do without the landowner’s permission. I understand that malicious websites can exploit vulnerabilities in computers, but there’s a big gap between planting a virus and taking complete control of the Second Life client. Assuming that this malicious code is able to do that, one can’t use the Second Life client alone to plant viruses in-world, as Miller says. Many script-kiddies try that daily, and accomplish only annoyances — replicating cubes with offensive pictures, for example. Eventually, those cubes either meet behind-the-scenes defenses and get cleaned up with no harm done — they’re hardly viruses.
This isn’t the first attempt to steal Linden dollars. Previous attempts have been crude scripted objects in-world that depend on residents accidentally granting debit permissions.
To protect your Linden dollars from this hack, open Second Life and click Preferences in the login screen. From there, go to the Audio & Video tab and disable video streaming.