QuickTime Flaw a Potential Threat to Second Life Fans
Security experts have spotted several Web sites exploiting an unpatched security hole in Apple's QuickTime media player to install malicious software on computers used to browse the sites.
Last week, Security Fix carried a post warning readers about the QuickTime flaw, noting that several sets of instructions showing attackers how to exploit the hole had been posted online. Over the weekend, Symantec reported it had detected a network of sites using the exploits to compromise vulnerable Windows computers.
In related news, a pair of security researchers demonstrated how the same QuickTime flaw could be used to "pick the pockets" of people engaging in various online games and virtual worlds. Dino Dai Zovi and Charles Miller described how the vulnerability might be leveraged to steal money from people who are members of "Second Life," a virtual world created by San Francisco-based software developer Linden Lab; the virtual world is populated by more than 10 million "residents" worldwide.
Second Life is vulnerable not because of any flaw in the game software itself, but because it allows players to embed video files in game objects, with QuickTime as the application handling all video rendering, Dai Zovi and Miller wrote. The two researchers showed how an attacker might create a malicious QuickTime video that would trigger if a player entered a swath of Second Life land owned by the attacker. In the example they used, the malicious software would automatically empty the victim's virtual bank account of "Linden dollars," the Second Life currency that can be cashed out into real world dollars.
While the current exchange rate in Second Life is roughly one U.S. dollar for every 270 Linden dollars, millions of U.S. dollars change hands each day in the virtual world. According to Linden Lab, nearly $1.4 million was exchanged between Second Life users over the past 24 hours.
Linden Lab has acknowledged the problem, but said it has no plans to turn off all videos on the Second Life grid. Instead, it urged users to "employ caution when using QuickTime in Second Life, only enabling it in environments that you trust and are familiar with." The company also said it is able to track attacks, and that it will "vigorously pursue" attackers who try to exploit this vulnerability.
Miller, a researcher at Independent Security Evaluators in Baltimore who is probably best known for publishing the first-ever hacks against Apple's iPhone, said their proof-of-concept was mainly aimed at demonstrating how a traditional browser-based exploit could be used in an unconventional attack.
"Most Second Life users probably don't go around [in the game] saying, 'Wow, that object looks suspicious,' and then the next thing they know their computer is slow and sending a million pieces of spam a second," Miller said.
While there may not be a preponderance of people reading this blog who are also Second Life users, the potential impact from this vulnerability is hardly limited to Second Life. Attacks exploiting this QuickTime flaw are likely to show up on Myspace.com and other high-traffic sites. It may well be weeks before Apple issues a patch to plug this vulnerability. In the meantime, readers should strongly consider following some of the instructions included in a previous post that can help mitigate the threat from this flaw.
In addition, this kind of flaw is one of the best selling points for a precaution I have often urged Windows users to take: running their system under a "limited user" account, which can prevent vulnerabilities in programs from being used by attackers to seize control over the user's entire system. Likewise, vulnerabilities like the one described above quickly become a non-issue for people who are using programs like "Drop My Rights," which allows users to run Web browsers and other programs under limited user accounts that do not have rights to install software or alter critical Windows system settings.