
QuickTime Flaw a Potential Threat to Second Life Fans

Security experts have spotted several Web sites exploiting an unpatched security hole in Apple's QuickTime media player to install malicious software on computers used to browse the sites.

Last week, Security Fix carried a post warning readers about the QuickTime flaw, noting that several sets of instructions showing attackers how to exploit the hole had been posted online. Over the weekend, Symantec reported it had detected a network of sites using the exploits to compromise vulnerable Windows computers.

In related news, a pair of security researchers demonstrated how the same QuickTime flaw could be used to "pick the pockets" of people engaging in various online games and virtual worlds. Dino Dai Zovi and Charles Miller described how the vulnerability might be leveraged to steal money from people who are members of "Second Life," a virtual world created by San Francisco-based software developer Linden Lab; the virtual world is populated by more than 10 million "residents" worldwide.

A screenshot from the demonstration published by Dino Dai Zovi and Charles Miller.

Second Life is vulnerable not because of any flaw in the game software itself, but because it allows players to embed video files in game objects, with QuickTime as the application handling all video rendering, Dai Zovi and Miller wrote. The two researchers showed how an attacker might create a malicious QuickTime video that would trigger if a player entered a swath of Second Life land owned by the attacker. In the example they used, the malicious software would automatically empty the victim's virtual bank account of "Linden dollars," the Second Life currency that can be cashed out into real world dollars.

While the current exchange rate in Second Life is roughly one U.S. dollar for every 270 Linden dollars, millions of U.S. dollars change hands each day in the virtual world. According to Linden Lab, nearly $1.4 million was exchanged between Second Life users over the past 24 hours.

Linden Lab has acknowledged the problem, but said it has no plans to turn off all videos on the Second Life grid. Instead, it urged users to "employ caution when using QuickTime in Second Life, only enabling it in environments that you trust and are familiar with." The company also said it is able to track attacks, and that it will "vigorously pursue" attackers who try to exploit this vulnerability.

Miller, a researcher at Independent Security Evaluators in Baltimore who is probably best known for publishing the first-ever hacks against Apple's iPhone, said the Dai Zovi and Miller proof-of-concept was mainly aimed at demonstrating how a traditional browser-based exploit could be used in an unconventional attack.

"Most Second Life users probably don't go around [in the game] saying, 'Wow, that object looks suspicious,' and then the next thing they know their computer is slow and sending a million pieces of spam a second," Miller said.

While there may not be a preponderance of people reading this blog who are also Second Life users, the potential impact from this vulnerability is hardly limited to Second Life. Attacks exploiting this QuickTime flaw are likely to show up on and other high-traffic sites. It may well be weeks before Apple issues a patch to plug this vulnerability. In the meantime, readers should strongly consider following some of the instructions included in a previous post that can help mitigate the threat from this flaw.

In addition, this kind of flaw is one of the best selling points for a precaution I have often urged Windows users to take: running their system under a "limited user" account, which can prevent vulnerabilities in programs from being used by attackers to seize control over the user's entire system. Likewise, vulnerabilities like the one described above quickly become a non-issue for people who are using programs like "Drop My Rights," which allows users to run Web browsers and other programs under limited user accounts that do not have rights to install software or alter critical Windows system settings.

By Brian Krebs  |  December 3, 2007; 4:54 PM ET
Categories:  Latest Warnings  


This article is a useful tool that people can use. The reason why it is a useful tool is because it can show you how technology advances and how it can relate to the criminal justice system. Most important of all, it is essential for computer users or installers.

Posted by: Luis | December 4, 2007 1:21 PM | Report abuse

Good article and kudos to Brian for the last paragraph on the impact this vulnerability has with respect to a limited user account (LUA) and the importance of always running with a LUA.

Posted by: LUAforever | December 4, 2007 3:47 PM | Report abuse

QT is the most dangerous software in the world, real or virtual!

Posted by: Steve Ballmer | December 5, 2007 12:10 PM | Report abuse

Posted by: Steve Ballmer | December 5, 2007 12:11 PM | Report abuse

I posted a comment on this last week that seems to have gone unheard. QT has been flawed since it was created. When will people learn not to trust this vile program? Brian, you should be asking people to remove this flawed program as well as mentioning the many flaws it has; only then will the smart understand life without this JUNK software.

Posted by: MIke | December 5, 2007 12:53 PM | Report abuse

I tell you what. Apple is really starting to upset me. Their smug attitude just bugs the crap out of me. Here we have a serious vulnerability that is being actively exploited (Mac and PC) and they don't even acknowledge there is even a problem. This is pure incompetence if you ask me. At least Microsoft says "we are aware of the problem but for the time being you are *ucked".

Even the Mac forums on are upset.

The workarounds to protect ourselves from Apple's incompetence are hard to deploy on a large scale in a decentralized environment. The average user at home is at serious risk as well.

Thanks to Apple we now have vulnerable Windows and Apple systems. I would guess a quicktime vulnerability makes more computers vulnerable than a Microsoft vulnerability. Thanks for that, Apple! Can you please at least acknowledge the problem?

Posted by: Apple User | December 5, 2007 7:29 PM | Report abuse

@Apple User

Point well taken. Problem is Apple has the mindset (regarding security/patching) that Microsoft used to have years ago. Apple really needs greater transparency on so many levels.

Posted by: TJ | December 5, 2007 11:11 PM | Report abuse

I have been having recurring issues with my Firefox Browser IN G-MAIL appearing to be sending [the blue line at the bottom of the browser goes off in the middle of a message, as well as when I ultimately send] and I thought that I must have had some kind of malware on my machine that Kaspersky anti-virus in combination with Spyware Doctor, Ad-Aware Plus and Spyware Doctor [yahoo provided] wasn't finding.

I believe I have discovered the issue, however, in that I just so happened to notice that my 'chat list' seemed to be SOMEHOW growing on the left side of the browser [even though I do NOT use this feature.] As I understand 'chat,' those folks on the list get notified whenever I am active on my computer and if that is so, this would appear to explain 'otherwise mysterious' indications of 'sending activity.'

I personally choose not to use this feature simply because the last thing I want is to have my focus distracted by 'interrupting' attempts to 'break in' for general BS while I am trying to FOCUS on what I want to be doing.

I think I have found a way to eliminate the 'chat list,' but I wonder HOW such a list occurred without my consent and if it is something that Google in g-mail allows others to remotely activate on my machine, THAT SUCKS and Google needs to change that.

Any observations ???

Posted by: BRUCEREALTOR | December 7, 2007 10:09 AM | Report abuse

Two corrections:

1. Yahoo's product is Spysweeper.

2. Everyone on the chat list was a g-mail address.

Posted by: BRUCEREALTOR | December 7, 2007 10:12 AM | Report abuse

Go to Apple's site - they have known about QT crashing with a buffer overflow in WinXP and Vista since APRIL.

And have not done a DAMNED THING about it.

Apple sucks.

Posted by: WCARTER | December 7, 2007 11:06 AM | Report abuse

It's really hard to take anybody who plays with 2nd life very seriously. You move a doll around on screen and pretend it's you.

Oh wait. It's web 3.0. It's the future. Yep.

Posted by: Lau Fing Achoo | December 8, 2007 12:33 AM | Report abuse

Yep, the QT exploit is major.

This, from

Initially, the attacks appear to be loading Windows executables, however Symantec warns that the vulnerability affects both Windows and Mac operating systems.

Symantec suggests the following for mitigating risk until a patch is released:
To protect systems from attack, Symantec recommended blocking access to affected sites. "Filter outgoing access to,,,,, and Additionally,,, and should be filtered," it said, adding IT managers can also block outgoing TCP access to port 554.

Symantec also suggests that as a last step, users and IT managers consider uninstalling QuickTime until a patch is released.


Posted by: JimGoldbloom | December 12, 2007 9:12 AM | Report abuse
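
The advice quoted in the comment above includes blocking outgoing TCP access to port 554. The following added example (not from the article, Symantec, or any commenter) audits firewall logs to confirm such a block is in effect and to list hosts that still attempt the connection. It assumes logs in the Windows Firewall `pfirewall.log` field layout; the sample lines and addresses are constructed.

```python
from collections import defaultdict

RTSP_PORT = "554"  # the port the quoted advice says to block outbound

# Constructed sample in the Windows Firewall log layout (assumption);
# addresses come from private/documentation ranges, not real indicators.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-12-05 09:14:02 ALLOW TCP 10.0.0.21 198.51.100.7 49152 80 0 - 0 0 0 - - - SEND
2007-12-05 09:14:09 ALLOW TCP 10.0.0.21 198.51.100.7 49153 554 0 - 0 0 0 - - - SEND
2007-12-05 09:15:40 DROP TCP 10.0.0.34 203.0.113.9 49170 554 0 - 0 0 0 - - - SEND
2007-12-05 09:16:11 DROP TCP 203.0.113.50 10.0.0.34 40000 554 0 - 0 0 0 - - - RECEIVE
2007-12-05 09:17:00 ALLOW UDP 10.0.0.21 192.0.2.53 50000 554 0 - - - - - - - SEND
"""

def audit_rtsp_egress(log_text):
    """Group outbound TCP/554 attempts by source host.

    "allowed" entries mean the egress block is missing or bypassed;
    "blocked" entries mean the rule worked but the host still tried.
    """
    fields = None
    found = {"allowed": defaultdict(list), "blocked": defaultdict(list)}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Take column names from the header instead of hardcoding offsets.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        if row["protocol"] != "TCP" or row["dst-port"] != RTSP_PORT:
            continue
        if row.get("path", "SEND") != "SEND":
            continue  # inbound traffic is outside the quoted advice
        bucket = "allowed" if row["action"] == "ALLOW" else "blocked"
        found[bucket][row["src-ip"]].append(row["dst-ip"])
    return {name: dict(hosts) for name, hosts in found.items()}

if __name__ == "__main__":
    for verdict, hosts in audit_rtsp_egress(SAMPLE_LOG).items():
        for src, dsts in hosts.items():
            print(f"{verdict}: {src} -> {', '.join(dsts)} (TCP/{RTSP_PORT})")
```
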

The comments to this entry are closed.
