Welcome to the Second Life Forums Archive

Quicktime exploit: may affect SL viewer ?

Jesrad Seraph
Nonsense
Join date: 11 Dec 2004
Posts: 1,463
11-29-2007 02:13
There currently is an unpatched vulnerability in the Quicktime real time streaming protocol that can be exploited:
http://www.theregister.co.uk/2007/11/29/new_quicktime_exploit/

I believe this can be abused within Second Life by pointing the parcel streaming media URLs to a malicious source. Until I know whether it is exploitable in this way, I'll keep streaming media disabled in my viewer or limited to trusted sources.
_____________________
Either Man can enjoy universal freedom, or Man cannot. If it is possible then everyone can act freely if they don't stop anyone else from doing same. If it is not possible, then conflict will arise anyway so punch those that try to stop you. In conclusion the only strategy that wins in all cases is that of doing what you want against all adversity, as long as you respect that right in others.
Sally Silvera
live music maniac
Join date: 17 Feb 2007
Posts: 2,325
11-29-2007 02:30
Hi Jesrad,

Disclaimer: I know nothing about anything really....

This sentence stood out for me though:

"In order for the exploit to work, an attacker would have to trick a user into clicking on a booby-trapped link, or playlist."

and this one:

"Researchers have been chiming in about the vulnerability over the past few days, often offering conflicting analyses of exactly how effective the attacks are when used in combination with specific browsers"

I'm wondering whether this means you have to click an internet browser link to get hit? And if so, this could be the same thing that was discussed here a while back? I seem to remember that there was something going on with a risk occurring when clicking an internet link from within SL.

I couldn't live without my streaming music :(
_____________________
FD Spark
Prim & Texture Doodler
Join date: 30 Oct 2006
Posts: 4,697
11-29-2007 02:53
I don't want to get the heavier, harder-on-my-computer update; I really hope they don't make it mandatory to update because of this exploit.
I use my sound in SL very rarely, so it's a moot point for me.
_____________________
Look for my alt Dagon Xanith on Youtube.com

Newest video is

Loneliness by Duo Zikr DX's Alts & SL Art Death of Avatar
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
11-29-2007 02:59
the streaming media urls are the same thing as if you'd clicked a link so yes, SL may be vulnerable through that vector, depending on how it's implemented...

from a cursory glance at the code, it looks like music streams would be vulnerable too...

of course it requires, A) someone with access to the land stream controls, B) intent to do harm, and C) knowledge of how to use the exploit to do harm

many people don't realize, there are much worse things than stealing your computer info, or crashing your system.... like using it as a remote storage for child porn or other illegal content (happened to a friend), using it to attack websites (DDoS attacks, happened to another friend), using it to attempt to break into other computers... the list goes on
_____________________
|
| . "Cat-Like Typing Detected"
| . This post may contain errors in logic, spelling, and
| . grammar known to the SL populace to cause confusion
|
| - Please Use PHP tags when posting scripts/code, Thanks.
| - Can't See PHP or URL Tags Correctly? Check Out This Link...
| -
Jesrad Seraph
Nonsense
Join date: 11 Dec 2004
Posts: 1,463
11-29-2007 03:14
From: Sally Silvera
Hi Jesrad,

Disclaimer: I know nothing about anything really....

This sentence stood out for me though:

"In order for the exploit to work, an attacker would have to trick a user into clicking on a booby-trapped link, or playlist."

and this one:

"Researchers have been chiming in about the vulnerability over the past few days, often offering conflicting analyses of exactly how effective the attacks are when used in combination with specific browsers"

I'm wondering whether this means you have to click an internet browser link to get hit?

As Void Singer said, the SL viewer does all the browsing and connecting already, when you move to a new parcel and it starts playing the music stream it's roughly the same as if you had clicked on the streaming URL, opened a browser window, and launched the QuickTime player's playback.
_____________________
Either Man can enjoy universal freedom, or Man cannot. If it is possible then everyone can act freely if they don't stop anyone else from doing same. If it is not possible, then conflict will arise anyway so punch those that try to stop you. In conclusion the only strategy that wins in all cases is that of doing what you want against all adversity, as long as you respect that right in others.
Sally Silvera
live music maniac
Join date: 17 Feb 2007
Posts: 2,325
11-29-2007 03:21
Actually (having had my third cup of coffee),
I'm coming at this from a live music freak point of view btw....
I'm aware that anyone who has access to a live music stream has access to info about the systems of those listening.
I just figure that, as Void said, it would take someone with bad intent to do anything with any of this. And I can't see the average venue owner in that light.
But it does sound a bit worrying.
Thanks for pointing it out btw.
_____________________
Jesrad Seraph
Nonsense
Join date: 11 Dec 2004
Posts: 1,463
11-29-2007 06:47
OK, I understand now. Yes, it would take a malevolent land holder to set up a "trapped parcel" that you would visit with streaming activated, in order to infect your computer.

So, we're reasonably safe as long as we only listen to music or watch videos in trusted places.
_____________________
Either Man can enjoy universal freedom, or Man cannot. If it is possible then everyone can act freely if they don't stop anyone else from doing same. If it is not possible, then conflict will arise anyway so punch those that try to stop you. In conclusion the only strategy that wins in all cases is that of doing what you want against all adversity, as long as you respect that right in others.
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
11-29-2007 09:07
From: Jesrad Seraph
So, we're reasonably safe as long as we only listen to music or watch videos in trusted places.
Video can be force-started by a script, so you'd have to disable it entirely until you actually want to watch one.
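
An added example, not part of the forum thread and not the SL viewer's own code: one way a client could apply the "trusted places only" rule and the script force-start caveat discussed above to parcel media URLs. The host names, the function name and the play/prompt/block outcomes are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of stream hosts the user has chosen to trust.
TRUSTED_HOSTS = {"radio.example.org", "stream.example.net"}
AUTO_SCHEMES = {"http", "https"}
# RTSP is the protocol the linked report names, so it never plays unasked.
PROMPT_SCHEMES = {"rtsp", "rtspu"}


def media_decision(url, started_by_script=False, trusted=TRUSTED_HOSTS):
    """Return 'play', 'prompt' or 'block' for a parcel media URL."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any userinfo ("trusted@evil") and lowercases.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 bracket
        return "block"
    scheme = parts.scheme.lower()
    if not host or scheme not in AUTO_SCHEMES | PROMPT_SCHEMES:
        return "block"
    # Exact host match only: a suffix or substring test would accept
    # "radio.example.org.evil.example".
    if host not in trusted:
        return "block"
    # Trusted host, but the user did not ask for this playback: ask first.
    if scheme in PROMPT_SCHEMES or started_by_script:
        return "prompt"
    return "play"


# Constructed sample URLs: (url, started_by_script)
SAMPLES = [
    ("http://Radio.Example.Org:8000/live", False),
    ("rtsp://radio.example.org/live", False),
    ("http://stream.example.net/clip.mov", True),
    ("rtsp://radio.example.org@evil.example/x", False),
    ("http://radio.example.org.evil.example/", False),
    ("http://[::1", False),
]


def audit(samples=SAMPLES):
    """Map each sample URL to the decision the policy gives it."""
    return {url: media_decision(url, scripted) for url, scripted in samples}


if __name__ == "__main__":
    for url, decision in audit().items():
        print(f"{decision:6} {url}")
```
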
Tiziana Corleone
Registered User
Join date: 22 Sep 2006
Posts: 54
Quicktime exploit and changed ownership of TV screen
12-15-2007 15:46
In checking the objects on my land, I discovered that the flatscreen TV I'd installed was owned by someone unknown to me - Pittys Piaggio - and when I checked the profile there was nothing but the rezdate 12/2/07. I can't remember using it in the past several weeks and when I did it was to view the music videos listed in SL program menu.

I have all permissions turned off - create objects, object entry, and run scripts ... I'm confused as to how this alt could change the ownership of my TV, and I wonder if there was some exploit connected with it.

Thanks!
Alyx Sands
Mental Mentor Linguist
Join date: 17 Feb 2007
Posts: 2,432
12-15-2007 16:40
Can't tell you anything about that particular problem, but Apple has released a fixed version, you should install that!

/327/84/229725/1.html
_____________________
~~I'm a linguist. RL sucks, but right now it's decided to be a little less nasty to me - you can still be nice to me if you want! ~~
->Potestatem obscuri lateris nescitis.<-
Caroline Ra
Carpe Iugulum
Join date: 20 Dec 2006
Posts: 400
12-16-2007 07:46
If you don't watch video in SL is Quick Time really needed?....I uninstalled it when I heard about the exploit. Have I done something I shouldn't have and should I reinstall?
_____________________
The secret of life is honesty and fair dealing. If you can fake that, you've got it made.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
12-16-2007 08:34
It seems my TV plays "All Your Base Are Belong To Us" constantly. Should I be worried?
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Chosen Few
Alpha Channel Slave
Join date: 16 Jan 2004
Posts: 7,496
12-16-2007 09:03
From: Tiziana Corleone
In checking the objects on my land, I discovered that the flatscreen TV I'd installed was owned by someone unknown to me - Pittys Piaggio - and when I checked the profile there was nothing but the rezdate 12/2/07. I can't remember using it in the past several weeks and when I did it was to view the music videos listed in SL program menu.

I have all permissions turned off - create objects, object entry, and run scripts ... I'm confused as to how this alt could change the ownership of my TV, and I wonder if there was some exploit connected with it.

Thanks!

Did you have the TV shared with a group? If so, it's possible someone in the group made a copy and deleted your original.

From: Caroline Ra
If you don't watch video in SL is Quick Time really needed?....I uninstalled it when I heard about the exploit. Have I done something I shouldn't have and should I reinstall?

If you don't plan on watching video, then no, Quicktime is not needed. You didn't break anything by uninstalling it. So don't worry.

However, you can now safely install the latest version of Quicktime with nothing to worry about. The exploit has been patched. Just make sure you don't have an old version running on any machine you use.
_____________________
.

Land now available for rent in Indigo. Low rates. Quiet, low-lag mainland sim with good neighbors. IM me in-world if you're interested.