Apple Quicktime exploit impacts SL video streaming

When logging into Second Life this morning the following screen appeared:

This isn’t an issue with Second Life but an unpatched flaw in Apple Quicktime. The exploit allows crashing the SL viewer.

The SL blog post advises:

… that you disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue. To do this, just open the Preferences dialog, and uncheck the “Play Streaming Video When Available” checkbox on the “Audio & Video” tab.

Linden Lab plans to fix this as soon as Apple releases a fix for the bug.

Update 10:55am SL Time: You can learn more about the specifics of the exploit here:

The hackers say that the scene shows they can take complete control of any player’s avatar and make that avatar surrender any money and other property in its account. That’s a serious security breach.

And even more details here:

Once the malicious file has been viewed by the victim, the attacker has complete control over the victim’s computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like. This particular exploit freezes the avatar and makes them send the attacker’s avatar twelve Linden dollars and shout “I got hacked”. Please see the movie below. In this movie, the victim, Sussy McBride is wandering along, minding her own business. She stumbles upon a piece of land with a small purple box (the exploit). Remember, all she has to do is have video enabled and get on the same piece of land as the object. Very shortly after, she freezes, sends the attacker, Pwned Naglo, the twelve Linden dollars and yells that she was hacked.

Would definitely NOT recommend visiting any parcel with video streaming that you don’t fully trust. Or, perhaps better, visit strange places with an alt avatar with no money, just in case.