QuickTime exploit in the wild, demoed on Second Life

As reported, the RTSP vulnerability in QuickTime was accompanied by working exploit code, accelerating the process of malefactors and miscreants turning it into actual malicious payloads. Symantec & other outlets have since reported that the QuickTime exploit has been seen in the wild; the exploit causes Windows clients to download a secondary malware package.

Meanwhile, security researchers Charlie Miller and Dino Dai Zovi (he of the CanSecWest hacking prize) leveraged the QuickTime vulnerability to demonstrate an attack within the Second Life virtual environment. Since SL uses QuickTime to play video in-game, any player wandering within activation distance of the 'evil movie' can be pwned. Miller and Dai Zovi's demo causes the victim to gesticulate, shout "I've been hacked!" and — most disturbingly — send 12 Linden dollars to the attackers' SL account.

The Second Life exploit starts to veer disturbingly towards Snow Crash territory. I don't want to spoil Neal Stephenson's brilliant breakthrough novel for those who haven't read it, so go read it. For the rest of us, doesn't the idea of a 'virus video' that attacks anyone who watches it seem awfully familiar?

[via Mac OS Ken]