[sldev] Latest SL / Quicktime issue in the news...

Ryan Williams (Which) rdw at lindenlab.com
Mon Dec 3 11:10:06 PST 2007


The Slashdot article regrettably told the story of some sort of
SL-specific exploit, instead of recognizing that the QT bug allows
pretty much any exploit.
http://games.slashdot.org/article.pl?sid=07/12/02/0640203

-RYaN


Hamncheese wrote:
> Just curious here because I'm a security newbie :): How'd you get from
> "may allow an attacker to crash or exploit the Second Life viewer" (from
> the blog) to "allowing lindens to be transferred without prior
> permission"? Am I missing some non public knowledge? Also have you seen
> this?:
> http://www.symantec.com/enterprise/security_response/weblog/2007/12/exploit_for_apple_quicktime_vu.html
> 
> 
> Symantec obviously thinks it's Apple's problem as well.
> 
> 
> ----- Original Message ----- From: "Mitch McKenzie" <mitch at mckenzie.ws>
> To: <sldev at lists.secondlife.com>
> Sent: Monday, December 03, 2007 9:35 AM
> Subject: [sldev] Latest SL / Quicktime issue in the news...
> 
> 
>>
>>
>> Perhaps someone on this list would take a stab at explaining how this
>> issue is an Apple issue and not a Second Life issue? Why would we expect
>> Apple to understand the cash transfer system of SL in order to defeat
>> this bug? As I understand it, this is an RTSP issue. Yet, before anyone
>> can access my Linden account, they have to go through the LL servers, do
>> they not? So claiming this is solely a client side issue seems really
>> odd to me as also the claim that "we are waiting on Apple to fix it", is
>> really a goofy idea as well. As near as I can tell, the hacker is really
>> just sending malicious code instead of an actual stream, this code is
>> somehow accessing the client and allowing lindens to be transferred
>> without prior permission. What am I missing here?


