Lex Neva's thoughts blog of Lex Neva in Second Life

December 1, 2007

Disable QuickTime in SL

Filed under: Miscellaneous — lex @ 3:18 pm

I know you’ve all seen the warning that there’s a vulnerability in quicktime, but I just want to urge you to disable quicktime in SL if you haven’t decided to already.

There’s now a proof of concept that this vulnerability can be used to take over your SL viewer and make it do whatever an attacker wants, such as sending them your L$.

http://www.securityevaluators.com/sl/

Just to avoid being alarmist:

  • There is no evidence that evil people have done this yet.
  • You MUST be on land owned or controlled by the attacker for them to get you.
  • You can disable quicktime and completely remove the possibility that you’ll be attacked.
  • Playing a video on land owned by a friend you trust is not going to leave you vulnerable.

So no running around and screaming. But on the other hand, this is more serious than LL’s blog post makes it seem. This vulnerability CAN let attackers gain complete control over your system, and working exploits for the QuickTime vulnerability itself can be found on the web. LL has said that they’ll be active in investigating any reports of the actual use of this vulnerability in SL, but that might not be enough. What if someone uses their control over your system to “open source” all of your products, distributing them for free?

I’ve sent an email to LL urging that they hit their big quicktime offswitch, despite what I know this would mean for several of the projects I’ve worked on in SL. In the mean time, I urge you to disable quicktime in SL, or at the very least follow these steps to disable RTSP (the vulnerable part of quicktime):

  1. Start Quicktime.
  2. Edit -> Preferences -> Quicktime Preferences
  3. File Types tab
  4. Expand “Streaming – Streaming movies”
  5. Uncheck “RTSP stream descriptor”.

It’s very likely that this will completely mitigate the vulnerability. However, I’ve seen a littel conflicting evidence on this front, so, since I have so much at risk with my products in SL, I’ve decided to go the paranoid route and only enable quicktime in SL when I completely trust the owner of the parcel I’m on.

Again, I don’t want to incite panic here, but I think knowledge about the possibilities opened up by these kinds of vulnerabilities is critical to making an informed choice.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress