QuickTime Exploit Found — URGENT

UPDATE, February 19:  I see this entry is still strangely popular, even after Apple has released a patch for the problem.  If you read this article at this late date, don’t freak!!  Apple has patched the bug.  (Of course, who knows what new bugs have appeared [shaking head….].)

Late in the time frame for news, but I just picked this up (11 hours later). The Lindens’ blog (written by Phoenix Linden in this case) announced that a flaw has been discovered in Apple’s QuickTime, which Second Life uses to stream video playbacks. This flaw could allow some evil progeny of slime mold to “exploit” your computer. The Lab does not say if any cracker has already tried this; but they are able to track attacks, and promise action if something happens.

This does not open your doors to an attack from every video stream on the Grid, only from one being sent with malicious intent. At this time, Phoenix suggests that you simply disable automatic playback of video through your Preferences panel. I’m assuming that Linden is banging on the true-hackers’ doors at Apple and calling for a fix. (The flaw rests in the QuickTime platform, not in the Second Life client!) I’m reading from this that you should still be able to watch video; it simply won’t play automatically. I already keep my video shut off anyway, for purposes of bandwidth, so the flaw shouldn’t affect me. Just pick and choose your streams intelligently, and preferably from the legendary “trusted sources.”

It’s sad that someone will surely try to do this kind of stunt, either for Evil Purposes, or just to simply get their giggles. We as Residents are faced with enough problems from the standard griefers (themselves progeny of slime mold — but of a higher evolutionary order in this case). There’s more I could say, but I’m a polite Resident, and prefer not to foul the aether with cuss words.

UPDATE, 10:57 a.m. local time:

There have been complaints that Linden Lab wasn’t doing more to notify the community about the danger. Those folks must have written before trying to log in — because when you go in, the first thing you see besides the cache picture of your last position is a new Terms of Service agreement that you must check off before continuing. The Terms themselves haven’t changed — but the news is up there in big flaming letters, along with a link to the Linden blog entry. So the news is getting out.

UPDATE, 6:50 p.m. local time:

Reading the comments on the Lindens’ blog article, we’re seeing the usual reactions back and forth: castigation or praise of the Lindens, depending on how grouchy you are, tearing down of QuickTime and Apple, followed by equal dissing of Real, Shockwave, et al., and occasional attempts to spread oil on the waters. The best of the last is this comment, by the redoubtable Gwyneth Llewelyn (and not because she refers to my own comment above hers).

