VintFalken.com

The Second Life Quicktime exploit soon redone?

February 15, 2008 12:26 pm

“Second Life from a security perspective is horribly broken*,” says Greg Hoglund, author of the book Exploiting Online Games: Cheating Massively Distributed Systems. “When you look at Second Life, you know in your bones they simply did not think about security when they developed this application. It’s broken from the inside.”

Remember the Quicktime exploit? Here they first mentioned it on the Linden blog and in ‘Quicktime Security Update’ the Lindens say they more or less fixed it. More or less? Well, your client now checks if you have a recent, patched update of Quicktime installed. If not, streaming video is disabled. The Register now mentions this is a rather one-sided and limited fix: so far, nothing has been done to prevent similar un-patched vulnerabilities from exploiting Second Life users in the future. Linden Lab has done little to change the architecture that allowed the exploit to work in the first place.

At the moment, those exploits can only be used to steal money from our balances, but a certain Mr. Miller - curious what he looks like? - says he’s in the process of rewriting the code so it automatically debits credit cards filed on Second Life servers. He also says it would be “trivial” to modify the exploit so it installs a rootkit or other type of backdoor on a vulnerable machine.

Miller also says QuickTime is only one of the potentially vulnerable engines that the Second Life client depends on to render sound or video. Separate engines called fmod and Vivox, which are used to deliver sound effects and voice chat respectively, could also put users at risk.

But sure, Lindens will notice and keep us safe, no? Nah, probably not until after a lot of damage is already done and complaints and disputed Linden Dollar transfers start piling up: “They’re not doing much because last night I exploited a character 50 times,” Miller says. “It was my own character, but they didn’t know that. No power from above came down and said: ‘stop that.’ They certainly don’t know when it happens because I do it all the time.”

The original exploit is to be demonstrated this weekend at the Shmoocon hacker conference in Washington. Look under ‘Virtual Worlds - Real Exploits’ by Charlie Miller and Dino Dai Zovi in the schedule. Any Lindens attending? I wonder how long it will take before someone puts this to malicious use again, and even more how long it will take Linden to do something about this type of vulnerability.

Source: TheRegister

* No ‘only from a security perspective?’ jokes here, please! ;)

UPDATE: A Linden was attending: ‘For their demonstration, they created “the most evil pink box you will ever see.” They could have linked their malicious code to attributes of an avatar’s hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren’t very good players within Second Life. Within Second Life they used a property that they own to demonstrate the exploit. Linden Labs sent a representative at the conference and a robot to the virtual demonstration site. The robot held a sign saying Hello to ShmooCon attendees watching the live demo.’

Source: CNet

9 Responses to “The Second Life Quicktime exploit soon redone?”


[…] and Qucktime security. By BalpAdd commentssecurity, operating systems, Second Life Thanks to Vint I have now read an uninformed rant over at the register. “Second Life from a security perspective […]

Smiley Barry wrote a comment on February 16, 2008

Argh, this could get to the point CopyBot had reached, if someone develops a powerful enough file QuickTime-readable. However, what Linden did is kind of OK, as on my other computer, I have an old version of QuickTime and Second Life did not allow me in any way to play streaming video, and left a floating text message above boards which have the video playing texture, saying, “Click here to download QuickTime”. But, I’m sure Apple already fixed this exploit and Linden are simply too lazy to implement it. (I’m not an Apple “fanboy”, just that from previous experience I know they fix a bug when they see it ;-) Linden need to learn from them.)

But, the same risk exists in resident-compiled viewers, and just like how you choose to download only trusted viewers like Nicholaz Beresford’s elite viewer or Linden’s bogus-yet-trusted viewer, you need to make the same choice with video-streaming parcels. (I’m calling it “bogus” due to all the bugs, that they claim to need weeks to fix, when an expert code developer like Nicholaz fixes these bugs in a week or less.) So, you just need to play video in trusted locations, just like they said*. Though I think Mac owners are safe as the security on that computer is very, very good.

*I’m using exact Google Search to be able to show the marked text, since I can’t use a marker on a page and hand it to you ‘^_^.

Smiley Barry wrote a comment on February 16, 2008

Argh, sorry, but I posted a link through Google Search Israel. Here is a fixed link, with some unneeded parts cut out.

Lillie Yifu wrote a comment on February 16, 2008

http://sexsecond.blogspot.com/2008/02/how-to-solve-many-of-our-data-problems.html

latest amusing exploit of the day…

browsing in world.

Vint Falken wrote a comment on February 16, 2008

Lillie, strange now, no? We have SLex a volenté, and still, a Second Life is frustrating! ;)

Virus steals Linden dollars from Second Life avatars sent a pingback on February 17, 2008

[…] the general approach used in the exploit has been around for a while, as Vint Falken blogs in The Second Life Quicktime exploit soon redone?. Here’s how Miller and Zovi demonstrated the current version of the exploit. “For […]


[…] How safe is SL by Vint […]


QuickTime Exploit Remains? « Dusan Writer’s Metaverse sent a pingback on February 20, 2008

[…] February 20, 2008 — dusanwriter Vint Falken, a frequent blogger about SL and an avid user, ”writes about the QuickTime exploit in SL that continues to pose a security hazard to users of […]
