December 4th, 2007

QuickTime hack allows Second Life currency theft

Posted by Ryan Naraine @ 10:38 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Passwords, Patch Watch, Responsible disclosure, Spyware and Adware, Symantec, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Second Life, Attacker, Apple QuickTime, Avatar, Video, Charlie Miller, Duo, Corporate Communications, Digital Music, Digital Media

Security researchers Dino Dai Zovi and Charlie Miller have found a way to exploit an unpatched QuickTime vulnerability to steal Linden Dollars from users in the Second Life virtual world.

Dai Zovi (the hacker behind the CanSecWest MacBook Pro hijack) and Miller (creator of the first iPhone code execution exploit) cooked up the QuickTime/Second Life attack during an investigation of the security of online games .

It works against QuickTime 7.3 (the latest) and Second Life 1.18.4(3).”All the victim has to do is have video enabled and enter a piece of land owned by the attacker,” Miller said, nothing that  any Second Life player wandering near the attacker will have their pockets picked and then yell “I got hacked!”

Linden Dollars can be converted into U.S. dollars (approximately L$250 to US$1)  so this should be considered a very serious issue.

[ SEE: Apple QuickTime under siege ]

Miller says the attack exploits the same QuickTime vulnerability that was publicly released earlier this week.

Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. Furthermore, it is possible to have these media elements constantly playing. If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime File, they can be exploited.

Once the malicious file has been viewed by the victim, the attacker has complete control over the victim’s computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker’s avatar twelve Linden dollars and shout “I got hacked”.

The duo has created a video showing the victim stumbling upon a piece of land with a small purple box (the exploit).  Very shortly after, she freezes, sends the attacker twelve Linden dollars and yells that she was hacked.

[ SEE: QuickTime zero-day attacks intercepted ]

In the absence of a patch from Apple, Miller recommends:

Second Life users (should) discontinue their use of video. Specifically, users should click on Edit->Preferences… and then “Audio & Video”. Make sure the box next to “Play Streaming Video When  We’ve notified Linden Labs of this problem. We are recommending that until a patch is issued by Apple, Second Life users discontinue their use of video. Specifically, users should click on Edit->Preferences… and then “Audio & Video”. Make sure the box next to “Play Streaming Video When Available” is unchecked. This will provide protection from this vulnerability. Users should upgrade their QuickTime when a patch is released.

See more at Miller’s Web site.