Joe Hall forwarded an interesting news item to Dave Farber’s IP mailing list on a new Second Life security vulnerability, Exploiting QuickTime flaws in ‘Second Life’. The exploit allows an object with a multimedia link to inject malicious code into the victim.
“Researchers Charlie Miller of Independent Security Evaluators, and Dino Dai Zovi, turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn’t exploit a flaw within Linden Labs’ Second Life, but within QuickTime. They showed how an attacker could make money stealing from innocent Second Life victims.” (link)
Their SmooCon talk was titled “Virtual Worlds – Real Exploits” and had the abstract
“Virtual worlds serve as a new way to deliver exploits to the masses. Besides traditional attacks, they also allow attackers to control the “avatars” of players, including being able to steal the player’s virtual money and possessions. When there is a link between the virtual money and real money, this can be an easy way for an attacker to profit. This talk will address these issues and illustrate the technical details of a Second Life exploit.” (link)
Apparently the general approach used in the exploit has been around for a while, as Vint Falken blogs in The Second Life Quicktime exploit soon redone?. Here’s how Miller and Zovi demonstrated the current version of the exploit.
“For their demonstration, they created “the most evil pink box you will ever see.” They could have linked their malicious code to attributes of an avatar’s hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren’t very good players within Second Life. … In the demo, the researchers were able to show that their avatar became infected when it came too near the pink box. The code they used raided the avatar’s Linden dollars and emptied the bank account.” (link)
Since Linden dollars have a known exchange rate with more traditional currencies, and may even be stronger that the US dollar these days, Second Lifers will have to be careful.