Security experts have spotted several Web sites exploiting an unpatched security hole in Apple’s QuickTime media player to install malicious software on computers used to browse the sites.
Last week, Security Fix carried a post warning readers about the QuickTime flaw, noting that several sets of instructions showing attackers how to exploit the hole had been posted online. Over the weekend, Symantec reported it had detected a network of sites using the exploits to compromise vulnerable Windows computers.
In related news, a pair of security researchers demonstrated how the same QuickTime flaw could be used to “pick the pockets” of people engaging in various online games and virtual worlds. Dino Dai Zovi and Charles Miller described how the vulnerability might be leveraged to steal money from people who are members of “Second Life,” a virtual world created by San Francisco-based software developer Linden Lab; the virtual world is populated by more than 10 million “residents” worldwide.
A screenshot from the demonstration published by Dino Dai Zovi and Charles Miller.
Second Life is vulnerable not because of any flaw in the game software itself, but because it allows players to embed video files in game objects, with QuickTime as the application handling all video rendering, Dai Zovi and Miller wrote. The two researchers showed how an attacker might create a malicious QuickTime video that would trigger if a player entered a swath of Second Life land owned by the attacker. In the example they used, the malicious software would automatically empty the victim’s virtual bank account of “Linden dollars,” the Second Life currency that can be cashed out into real world dollars.
While the current exchange rate in Second Life is roughly one U.S. dollar for every 270 Linden dollars, millions of U.S. dollars change hands each day in the virtual world. According to Linden Lab, nearly $1.4 million was exchanged between Second Life users over the past 24 hours.