[sldev] Latest SL / Quicktime issue in the news...
Tateru Nino
tateru.nino at gmail.com
Mon Dec 3 07:59:13 PST 2007
It's a fairly standard sort of buffer-overrun/code-injection exploit as
I understand it - which means they can fool quicktime into running
arbitrary code (provided at the time of the attack) or leverage that to
repurpose whatever software Quicktime is running as a component of (I
expect your web-browser could well be 'maliciously repurposed' by a
carefully constructed quicktime stream as well).
At present, so far as we are aware, the only proof-of-concept exploit
exists to use the bug in quicktime to repurpose the SL viewer while the
SL viewer is utilizing quicktime as a component.
Short version: If you are including third-party software as an integral
part of your thread-of-execution, its security problems become your
security problems.
Any of that help?
Mitch McKenzie wrote:
> Sorry for the double posting, thought I pasted this link in last note.
>
> http://www.mercurynews.com/business/ci_7609295?nclick_check=1
>
>
>
> -----Original Message-----
> From: sldev-bounces at lists.secondlife.com
> [mailto:sldev-bounces at lists.secondlife.com] On Behalf Of Mitch McKenzie
> Sent: Monday, December 03, 2007 8:36 AM
> To: sldev at lists.secondlife.com
> Subject: [sldev] Latest SL / Quicktime issue in the news...
>
>
>
> Perhaps someone on this list would take a stab at explaining how this
> issue is an Apple issue and not a Second Life issue? Why would we expect
> Apple to understand the cash transfer system of SL in order to defeat
> this bug? As I understand it, this is an RTSP issue. Yet, before anyone
> can access my Linden account, they have to go through the LL servers do
> they not? So claiming this is solely a client side issue seems really
> odd to me as also the claim that "we are waiting on Apple to fix it", is
> really a goofy idea as well. As near as I can tell, the hacker is really
> just sending malicious code instead of an actual stream, this code is
> somehow accessing the client and allowing lindens to be transferred
> without prior permission. What am I missing here?
>
> _______________________________________________
> Click here to unsubscribe or manage your list subscription:
> /index.html
>
--
Tateru Nino
http://dwellonit.blogspot.com/