Joe Hall forwarded an interesting news item to Dave Farber’s IP mailing list on a new Second Life security vulnerability, Exploiting QuickTime flaws in ‘Second Life’. The exploit allows an object with a multimedia link to inject malicious code into the victim.

“Researchers Charlie Miller of Independent Security Evaluators, and Dino Dai Zovi, turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn’t exploit a flaw within Linden Labs’ Second Life, but within QuickTime. They showed how an attacker could make money stealing from innocent Second Life victims.” (link)

Their SmooCon talk was titled “Virtual Worlds - Real Exploits” and had the abstract

“Virtual worlds serve as a new way to deliver exploits to the masses. Besides traditional attacks, they also allow attackers to control the “avatars” of players, including being able to steal the player’s virtual money and possessions. When there is a link between the virtual money and real money, this can be an easy way for an attacker to profit. This talk will address these issues and illustrate the technical details of a Second Life exploit.” (link)

Apparently the general approach used in the exploit has been around for a while, as Vint Falken blogs in The Second Life Quicktime exploit soon redone?. Here’s how Miller and Zovi demonstrated the current version of the exploit.

“For their demonstration, they created “the most evil pink box you will ever see.” They could have linked their malicious code to attributes of an avatar’s hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren’t very good players within Second Life. … In the demo, the researchers were able to show that their avatar became infected when it came too near the pink box. The code they used raided the avatar’s Linden dollars and emptied the bank account.” (link)

Since Linden dollars have a known exchange rate with more traditional currencies, and may even be stronger that the US dollar these days, Second Lifers will have to be careful.

This Spring UMBC will mount our first “regular” undergraduate class as part of its new programs on games, animation and interactive media. The class, Anatomy of a Video Game, will be taught by UMBC Alumna Katie Hirsch, who graduated with dual degrees in Computer Science and Visual Arts and who works at and Breakaway Games in Hunt Valley MD.

“This class dissects the process of developing a video game from an introductory perspective. The class will give artist and programmers an opportunity to focus on their specific areas of interest within the development pipeline while learning to work across their disciplines. The class will include production and design as well as art and programming specific topics.”

This course, as well as several others this spring, will take advantage of UMBC’s new GAIM Lab that is equipped with a generous gift of 20 Xbox consoles from Microsoft.