Owning Virtual Worlds For Fun and Profit 82
Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"
So... (Score:3, Informative)
That's what keeps the industry running!
Re:Hello 911!!!!! (Score:3, Informative)
funny, but unlike a normal MMO, Second Life's virtual money is purchased with real money by design. And there have already been property-rights lawsuits over virtual land and items within second life.
Because that's not how it works. (Score:5, Informative)
It is just a URL that you enter into a field in the in-world parcel data. The simulator hands it to the viewer (client/browser) and tells it to play that and put it onto a texture that is drawn on a 3D surface. The viewer hands the URL to Quickslime, which then plays it. SL's backend never sees the video file/data, as it is directly downloaded from the target host specified in the URL.
I supposed you could argue why don't they run some kind of scanner on the URL before allowing it to be posted. Of course, that is pointless for any number of reasons, including:
1) There is no scanner to check all possible video formats that Quickslime plays, nor one which is foolproof in terms of detecting vulnerabilities.
2) Since the file/data is not hosted by Linden Lab, a single scan would be useless, as an attacker could put up a valid file, run the scan, then replace the file with a malicious one anytime afterwards.
Today's internal Linden Lab discussion... (Score:5, Informative)
Here's what happened in one of Linden Lab's internal IRC channel today...
[16:42] [Linden001] hey, we made slashdot: http://it.slashdot.org/story/10/08/18/2154207/Owning-Virtual-Worlds-For-Fun-and-Profit [slashdot.org]
[16:45] [Linden002] fascinating.
[17:11] [Linden003] besides, we enforced the patched version of QuickTime to close this exploit.
[17:12] [Linden003] there is no mention of that in the article either.
[17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.