
Exploiting QuickTime flaws in 'Second Life'

WASHINGTON--Researchers Charlie Miller of Independent Security Evaluators and Dino Dai Zovi turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn't exploit a flaw within Linden Lab's Second Life, but within QuickTime. They showed how an attacker could make money stealing from innocent Second Life victims.

Miller and Dai Zovi are both experienced with flaws within Apple products. Miller published the first Apple iPhone flaw shortly after its release. At last year's CanSecWest security conference, Dai Zovi exploited a QuickTime flaw to win a "PWN to Own" hack-a-Mac contest. While Second Life does not install QuickTime, it invites users to install the player if they want to see multimedia files within Second Life.

What Miller and Dai Zovi realized is that while direct communication between an attacker and a victim within Second Life passes through the servers at Linden Lab, multimedia objects are actually stored somewhere else. Hence, an object with a multimedia link could inject malicious code. In this case, the researchers exploited a recent flaw within RTSP tunneling.

For their demonstration, they created "the most evil pink box you will ever see." They could have linked their malicious code to attributes of an avatar's hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren't very good players within Second Life.

Within Second Life, they used a property that they own to demonstrate the exploit. Linden Lab sent a representative to the conference and a robot to the virtual demonstration site. The robot held a sign saying Hello to ShmooCon attendees watching the live demo.

In the demo, the researchers were able to show that their avatar became infected when it came too near the pink box. The code they used raided the avatar's Linden dollars and emptied the bank account. On the Internet, an attacker can get one dollar for every 275 Linden dollars stolen, so there is a financial incentive for these attacks and other future attacks. The attack demonstrated today works only on the property they own, and for the safety of others they put up signs around the perimeter that clearly stated a demo of an exploit was in progress.

To protect yourself while in Second Life, the researchers suggested either turning off multimedia altogether, or setting the multimedia preference within Second Life not to play streaming video when available, but to ask the user first.
26 Feb 2008 - 10:59 by UR-SL | UR-SL news
©2007 by UR-SL.COM
Second Life® and Linden Lab® are trademarks or registered trademarks of Linden Research, Inc. All rights reserved. No infringement is intended. This site is not owned or operated by Second Life or Linden Lab.