Slashdot Mirror


Crime Wave Thwarted in Second Life

Ponca City, We Love You writes "The Mercury News reports that a vulnerability in the way Second Life protects a user's money has been identified. Risks for users are reportedly limited because the researchers say the flaw can be quickly patched. The flaw exploits a known problem with Apple's QuickTime - when a virtual character passes by an infected object planted by hackers, the Second Life software activates QuickTime so it can play the video or picture. Hackers can direct the Second Life software to a malicious Web site that then allows them to 'take over the user's avatar and force it to hand over its Linden cash. Second Life is recommending that users disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue.' The hack raises tough questions for operators of virtual worlds. Should they be as secure as banks and guarantee the safety of money and property that characters in the world possess?"

5 of 183 comments

  1. Old recommendation, Quicktime prob killed soon by AySz88 · · Score: 5, Informative
    If you take a look at the Second Life blog, you'll see that the referenced recommendation was from a couple of days ago (November 30). A paragraph in the blog seems to say that if LL starts noticing exploits, they'll kill all QuickTime on the grid and maybe roll back exploit-induced transactions - expect this to happen soon.

    "We do have the ability to turn off all videos on the grid, but have instead chosen to respect the existing in-world content and experiences which rely on streaming video, as we know that many of you enjoy these. We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with.

    "We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker. This will include account termination and legal action if appropriate, as well as the appropriate assistance for affected Residents."
  2. Re:Not-so-virtual by SJ2000 · · Score: 5, Informative

    Yes, you can, using Linden Labs' own exchange to turn US$ to L$ and vice versa. Look on their website.

  3. Re:I'm sorry by wertarbyte · · Score: 4, Informative

    "Every time I post on Slashdot, it takes forever for me to Submit the post, because I get probed on a few ports (which timeout)."

    Set your packet filter to REJECT instead of DROP. Dropping packets is usually a bad idea and sounds like some kind of obscure desktop firewall in "stealth mode".
    --
    Life is just nature's way of keeping meat fresh.
  4. Re:SL's economy is a giant sinkhole anyway by Jesrad · · Score: 4, Informative

    "You're either renting land, throwing cash into a bizarro stock market, or going to a furry cybersex sim."

    In three years spent in Second Life I have not done any of this. I must be some weird and very persistent aberration, then. Or maybe you're just wrong.

    "As the Linden (the currency of Second Life) is not based on anything"

    It is based on the USD, and maintained at a rather fixed rate by LindenLab acting as a central bank. It's not perfect, but it has worked remarkably well so far.

    "Linden Labs simply dumps currency into the market whenever they feel like it."

    No, they sell some L$ only when the rate drops under 265 L$ per 1 USD to maintain the rate, and they buy back the L$ when the rate goes higher than 266 L$ per 1 USD (though they apparently never have had to do that). That's not "whenever they feel like it".

    "So economic problems are pretty common"

    Err, no. The L$ has been exceptionally steady ever since LL introduced the measures I pointed out above, and the vast majority of players have zero problems with it. Only those who want to play games with their money and that of other people are taking risks. You're obviously confusing economy with finance if you conflate financial institutions like the "banks" and "stock exchanges" with the economy itself. But then, that's to be expected on a technology-oriented website like /.

    --
    Maybe we deserve this world ?
  5. It gets worse. All QuickTime files now threats. by Animats · · Score: 4, Informative

    This isn't a Second Life problem. It affects all QuickTime players. QuickTime has a recently discovered vulnerability which allows it to be used as a way to inject executable content into the user's machine. This can attack far more than Second Life.

    See US CERT Vulnerability Note VU#659761 -- Apple QuickTime RTSP Content-Type header stack buffer overflow. "Apple QuickTime contains a stack buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition. ... We are currently unaware of a practical solution to this problem. ... Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability. Testing indicates that QuickTime versions 4.0 through 7.3 are vulnerable on all supported Mac and Windows platforms."

    CERT suggests disabling all the ways QuickTime can be launched:

    • Block the rtsp:// protocol
    • Disable the QuickTime ActiveX controls in Internet Explorer
    • Disable the QuickTime plug-in for Mozilla-based browsers
    • Disable file association for QuickTime files

    This vulnerability was first published on November 23, 2007.