
QuickTime flaw could fuel Second Life stealing

Watch out for the "evil pink box"

Tags: second life, bank, security, linden lab

By Robert Vamosi

Published: 18 February 2008 08:22 GMT

Researchers have shown how exploiting a flaw within QuickTime could allow an attacker to steal from other users in Second Life.


Charlie Miller of Independent Security Evaluators and Dino Dai Zovi turned their attention to Second Life during a computer hacking conference in the US.

While Second Life does not install QuickTime, it invites users to install the player if they want to see multimedia files within Second Life.

What Miller and Zovi realised is that while direct communication between an attacker and a victim within Second Life passes through the servers at Linden Lab - the maker of Second Life - multimedia objects are actually stored elsewhere. Hence, an object with a multimedia link could inject malicious code. In this case, researchers exploited a recent flaw within RTSP tunnelling.

For their demonstration, they created "the most evil pink box you will ever see". They could have linked their malicious code to attributes of an avatar's hair, clothes or anything else.

In the demo, the researchers were able to show that their avatar became infected when it came too near the pink box. The code they used raided the avatar's Linden dollars and emptied the bank account. On the internet, an attacker can get one dollar for every 275 Linden dollars stolen, so there is a financial incentive for these attacks and other future attacks.

Original article: Exploiting QuickTime flaws in 'Second Life' from CNET News.com
