Apple’s QuickTime flaw enables hackers to steal Linden dollars in Second Life
Two security researchers have discovered an exploit in Linden Lab’s Second Life that lets hackers not only steal Linden dollars from a victim’s avatar but also access the victim’s computer.
The exploit would be a serious security problem for residents of Second Life because its currency, known as Linden dollars, is directly convertible to US dollars.
Charles Miller and Dino Dai Zovi disclosed that the exploit is rooted in Apple’s QuickTime media player, a third-party component that Second Life uses to display videos.
“The exploit works because Second Life allows users to embed videos or pictures on their characters or their virtual property. When someone comes nearby and is within view of the object, the Second Life software activates QuickTime so it can play the video or picture. In doing so, QuickTime directs the Second Life software to a web site,” Mercextra writes.
By exploiting the QuickTime flaw, hackers can direct the Second Life software to malicious web sites to execute trojan files which may allow them to completely control the victim’s computer and its Second Life avatar.
The security researchers demonstrated their exploit by freezing the victim’s avatar and making it send the attacker’s avatar twelve Linden dollars and shout “I got hacked”.
Video: http://www.youtube.com/watch?v=RaCo4USXd5Y
US-CERT reports that the latest QuickTime flaw affects software versions 4.0 through 7.3 on all supported Mac and Windows platforms. To date, Apple has not released a fix for it.
It seems the practical recommendation to residents of Second Life for now is to avoid holding onto large numbers of Linden dollars until Apple issues a fix. However, Linden Lab disclosed that it isn’t aware of anyone actually using the exploit to rob anyone.