Since 2003, Cubey Terra has been dedicated to building the finest virtual vehicles in the metaverse.

Hackers exploit flaw in Apple QuickTime to rob Second Life residents
Saturday, December 01, 2007

If you logged into Second Life yesterday, you've seen the announcement from Linden Lab:

We were alerted a short time ago that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit the Second Life viewer. The Second Life viewer uses Apple QuickTime to play videos and streaming media. This exploit affects QuickTime usage on every platform that uses it, and to date, Apple has not released a fix for the exploit.

While the Lindens are very clear that this is an exploit in QuickTime and not Second Life specifically, they were less than forthcoming about the exact details of the exploit. Mercury News fills in the details.

Charles Miller...and Dino Dai Zovi..., two experienced hackers, say they have found a vulnerability in the way Second Life protects a user's money inside the virtual world from being stolen. It has significance because that currency, dubbed Linden dollars, can be converted into real world dollars.

According to Mercury News, QuickTime can be directed to a malicious website that "allows them to take over the Second Life avatar."

Personally, I'm not clear about how this could work. Each land parcel in Second Life has an associated video stream, so the landowner would have to add the URL to their land -- it's not something a hacker can do without the landowner's permission. I understand that malicious websites can exploit vulnerabilities in computers, but there's a big gap between planting a virus and taking complete control of the Second Life client. Assuming that this malicious code is able to do that, one can't use the Second Life client alone to plant viruses in-world, as Miller says. Many script-kiddies try that daily, and accomplish only annoyances -- replicating cubes with offensive pictures, for example. Eventually, those cubes meet behind-the-scenes defenses and get cleaned up with no harm done -- they're hardly viruses.

This isn't the first attempt to steal Linden dollars. Previous attempts have been crude scripted objects in-world that depend on residents accidentally granting debit permissions.

To protect your Linden dollars from this hack, open Second Life and click Preferences in the login screen. From there, go to the Audio & Video tab and disable video streaming.







Disclaimer: "Second Life, SL, and inSL are trademarks of Linden Research, Inc. Cubeyterra.com is not affiliated with or sponsored by Linden Research."

Copyright 2004-2008 Stephen Cavers