Second Life Viewer Susceptible to Quicktime Security Flaw

We were alerted a short time ago that an exploit has been discovered for a vulnerability in Apple QuickTime which may allow an attacker to crash or exploit the Second Life viewer. The Second Life viewer uses QuickTime to play videos and streaming media. Because the flaw is in QuickTime itself, it affects the viewer on every platform where the viewer uses QuickTime, and to date Apple has not released a fix.

At this time we advise that you disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue. To do this, open the Preferences dialog and uncheck the “Play Streaming Video When Available” checkbox on the “Audio & Video” tab. Parcel media will then no longer start on its own when you enter a parcel; re-enable it only while you are at a venue you trust.

We do have the ability to turn off all video on the grid, but have instead chosen to respect the existing in-world content and experiences that rely on streaming video, as we know that many of you enjoy these. We do recommend that you employ caution when using QuickTime in Second Life, and only enable it in environments that you know and trust.

We are able to track attacks, and rest assured that if we discover a malicious stream we will vigorously pursue the attacker. This will include account termination and legal action where appropriate, as well as assistance for affected Residents.

The bug is in QuickTime, not in the Second Life viewer. When Apple has released a fix, we will integrate it into the viewer as quickly as possible and will notify everyone once this has been done.

This entry was posted in Announcements & News, Security.

146 Responses to Second Life Viewer Susceptible to Quicktime Security Flaw

  1. Bert Jedburgh says:

    Well, as a 1 Mega Internet bandwidth user, QuickTime is kind of a not very enjoyable way to watch movies and videos… I always wondered why not allow other video applications in SL as an alternative (like the FLV format), which is more gentle and runs smoother on low-bandwidth machines.

    I really hope Apple can find a fix for this issue.

    Thx and sorry for the bad English.

  2. Bucky Barkley says:

    Hmm… you should disable video streaming on the server side while you have the chance. A posting on the blog is NOT a far and wide enough alert for this. Get the new viewer fix out, then turn it on ..

  3. Cernus Piccard says:

    Here we go. Why are people in SL trying to take over sims on mainland? Simple: groups do not want to buy islands and pay a 295 USD tier; they would rather make life hell for those on the sim, so that their little group pushes them out, to pay 195 tier. Wake up, Lindens, smell the coffee. 🙂

  4. Ann Otoole says:

    Thank you for letting us know and leaving it as our option to disable or enable the feature.

  5. Rascal Ratelle says:

    Thank you for informing us, it’s nice to know SL is in contact with Apple.

  6. Mica says:

    As a standalone, maybe it is not a far enough alert…
    but the alert, together with the information that they can track any attack and will pursue the attacker with all given powers… together with assistance to users doing so…
    And the real ability to do as promised… will be.

    Sometimes it’s even tactical to leave a monitored security hole open… to catch an attacker… instead of immediately closing the security hole and never knowing who the attackers are while they maybe know more holes…
    So it even can be that they play with attackers by giving such a low warning in the hope someone tries something and then catch him as promised.

    It would be a profit for all residents if they catch one.

    Good hunting Lindens

  7. Hal says:

    You only need to disable RTSP streaming in QuickTime to avoid this exploit – look in the QT prefs for the ‘MIME Settings…’ option and look in the Streaming section for the RTSP checkbox – then just uncheck it.

    SL and Linden don’t stream any video, it’s pointless asking for SL to stop these (or any) video streams – they have no control over them.

  8. Votslav Hax says:

    .. thanks for the ‘heads up…now lets spread the word!

  9. Lord Berchot says:

    I posted it to all my rental groups. if LL can’t spread it around we’ll just have to do it for them.

  10. Max Kleiber says:

    @2: Bucky, they can’t just turn off the video streaming, since the CSI sims are dependent on them, and possibly others.

    However, I would think a periodic system-wide announcement in-world would be very appropriate.

  11. Gordon Wendt says:

    Hmm, this has been a known issue with Apple for a while; however, I respect that it takes some time for LL to confirm that SL is vulnerable. I just wish I had been the one to email this in first for the reward.

  12. HealthStar says:

    Good job on the TOS attachment – slick move. Kudos

  13. sirhc DeSantis says:

    WTF – I went down to the corner to get some beer and get THAT warning when I log back in? That was one hell of a heads up and brought me here. Absolutely fantastic use of available info updates, LL 🙂 Bloody well done 🙂 Pats on backs and donuts all round.

  14. We had to finagle a cache setting on the corporate server, so some people will see the TOS a second time. It is harmless, please forgive our slip.

  15. Jasmin Marquez says:

    Cheers guys! You bother us with that message and suddenly the whole client and viewer crashes on precaching… you might fix that too, but you don’t have to worry about this security bug anymore since no one can log in or stay on the grid… applause, and wait some hours for someone who could DETECT this issue.

  16. Thanks for the fair warning! I wonder if you’re referring to this exploit?

  17. SkyShey Jewell says:

    Thank you for the heads up!!!

  18. Drystan Knight says:

    Agree that Quickslime is NOT the method to do video or anything else… here or anywhere. So many other options and you guys force me to have to put a Snapple product on my pure PC… for SHAME!
    Joking aside… Web pages and Flash on objects that operate in a sandbox and have no real connection to your system would be a great addition to SL. Still waiting for the day I can play Pac-Man on my Pac-Man games.

  19. Bucky Barkley says:

    Awesome that they did the TOS warning – that’ll work 🙂

    And what I was referring to in the @2 quote was this:
    “We do have the ability to turn off all videos on the grid,”

    Knowing a smidgen of how things work, they could do something like return an empty string for a parcel media url… It is a server side thing in the sense that the location of “what to stream” has to originate from their side.

  20. bobbyb30 zohari says:

    At least LL had a speedy response to this issue and well at least SL is online atm.

    mmm.. shame the hackers have nothing better to do with their time, like be creative. Shame, I love QuickTime as a video format; prob some secret Microsoft or Adobe agents working to discredit Apple. Equally probably not, just kidding any lawyers out there.

  22. Jarek Dejavu says:

    You must be kidding! 😦 Only today I configured at last DARWIN STREAMING SERVER to stream out through RTSP to our Czech & Slovak virtual expo event! Who will now have the courage to enable video when visiting our sim? 😦 At least announce that only RTSP is dangerous then, please 😥

  23. Eva Ryan says:

    @12

    The issue for you might be that your shortcut to SecondLife.exe is edited to include -login. If this is the issue, log in without the switched shortcut.

  24. Alfredo Handrick says:

    WHY DON’T YOU PUT THE PAGE IN SPANISH TOO? THERE ARE MANY SPANIARDS PLAYING SECOND LIFE. WHAT ABOUT THOSE OF US WHO DON’T KNOW ENGLISH? YOU DISCRIMINATE AGAINST US AND IT ISN’T FAIR. I HOPE THAT IN THE NEXT VERSION OF BOTH THE WEBSITE AND THE GAME IT CAN BE INSTALLED AND READ IN SPANISH.

    THANK YOU.

  25. Roguewolf Vollmar says:

    Well, isn’t that just perfect: the one thing I know how to do in SL, and I spent money on a server and QuickTime and everything else, not to mention the time invested in the videos, and now it’s just a big waste of effort for nothing.

  26. Awesome TOS announcement. This is a super way to get emergency information to every user. Two thumbs up for the one who thought of it.

  27. Develin Demina says:

    Can a Linden verify post #7, and comment on the effectiveness of this as a possible solution or fix.

    “Hal Says:
    November 30th, 2007 at 4:49 PM PST

    U only need to disable RTSP streaming in QuickTime to avoid this exploit – look in QT pref’s for the ‘MIME Settings…’ option and look in the Streaming section for the RTSP checkbox – then just uncheck it.

    SL and Linden don’t stream any video, it’s pointless asking for SL to stop these (or any) video streams – they have no control over them.”

  28. Montana Corleone says:

    Well, stuff can always be taken advantage of. Apple are pretty good at fixing things, usually before they are out in the wild. Not so likely to be a bug as a weakness/exploit in the protocol. I would expect a fairly quick fix for this. Why QT? Well, it’s great technology, working on open standards and cross platform, which is why it’s used so widely. I often get Windows format video; some of it is beautifully compressed, and works fine till the image starts moving a lot, e.g. if it rains on screen, when the whole thing pixellates to crap. QT might be a bit larger, but the quality is there. I have no prob with QT video, on a Mac with a 512 connection over wireless :-O

    Remember, SL is full of holes and bugs, and run by one Philip Rosedale, who in a former life, was responsible for that cack piece of streaming software called Real Player lol. Once a cack programmer, always one I guess…

  29. superdave Pegler says:

    Is QuickTime Alternative susceptible to the exploit?

  30. Digital Digital says:

    Wonderful lol

  31. MasterLiveWire Moody says:

    Yes, once again… most likely it’s people pissed off at the casino thing.
    Stupid keyboard.

  32. Beta X says:

    Good, those who use this “gun” know who you are; glad to announce myself your grief is over 😡 I myself will assist Linden Lab if you’re using it and doing the same still with any other “crash” weapon; you won’t be hard to “clean up” and process to LL, and if you know me in world, and are one of these people, you know better than to respond negatively to this because you know you’ll show us all who you are.

  33. Kyder Ling says:

    Thank you for the heads up.

    Any word on how long this exploit has existed or has it come with a recent patch or candidate?

  34. WarKirby says:

    Smart way to get the message out through the TOS 🙂

    Thanks for the warning. I’ll keep video disabled until further notice.

  35. Beta X says:

    I’ve seen it as far back as half a year ago when I first saw it, but this was a weapon used by an attitude griefer claiming some kind of power trip. I’m glad LL has confirmed this; unfortunately they ARE exploiting a piece of software, which is a TOS violation as far as I recall. Let’s help clean SL and rid it of any more people like this.
    (laughs 2 inches directly in front of their face “LOL HAHAHA!”)

  36. Phoenix:

    Thanks for the heads-up. I do agree with others that have stated that the MOTD should be changed to reflect this ENTRY to reach the maximum number of people.

    Good Luck,

    Bob

  37. Jag Talaj says:

    Linden Lab seems to have pretty much everything with SL open source as far as the client goes. How about using an open source video player as well. We have so many people contributing code to improve SL now, why have this Apple garbage jeopardizing our fun? Anyways, kudos on admitting the problem instead of covering it up, drag it into the public eye and it’ll do much more good than harm.

    Now to kill those pesky megaprims . .

  38. Jarek Dejavu says:

    There is a way to fix it quickly! 🙂 All 10 000 000 SL users – send a bug report to APPLE to make them solve it quick! LOL

  39. Mint Edo says:

    Remember folks, any QuickTime URL is vulnerable – even one that starts with ‘http’ – QuickTime has lots of container formats that can be downloaded via http and contain rtsp:// streams.

    Until Apple fixes this and Linden deploys a new viewer, I would only view media on parcels from residents you trust.
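
    The point made in comments 7 and 39 above, as an added example that is not part of the original post and is neither Linden Lab’s nor Apple’s code: whether playing a parcel’s media URL will make QuickTime open an RTSP session is not decided by the URL’s scheme alone, because an http-served QuickTime media link (.qtl), an SDP file or a reference movie can hand QuickTime an rtsp:// target. The Python below classifies a media URL by the RTSP endpoints it would lead to and applies a trusted-host allowlist, which is the “only from sources you trust” advice turned into a check a land owner or a media-URL filter could run. It does no network I/O; the caller passes the fetched body. The sample payloads, host names and the `trusted_hosts` parameter are constructed for this example, and the scan is a literal byte search for rtsp:// references rather than a full QuickTime atom parser, so a reference stored in an unusual encoding would be missed.

```python
import re
from typing import List, Optional, Sequence
from urllib.parse import urlparse

# Literal RTSP reference inside any fetched payload. A QTL XML stub, an SDP
# file and the reference atoms of a QuickTime reference movie all carry the
# target as plain text, so one byte pattern covers all three.
RTSP_REF = re.compile(rb"rtsp://[^\s\"'<>]+", re.IGNORECASE)


def find_rtsp_targets(url: str, payload: Optional[bytes] = None) -> List[str]:
    """Return the RTSP endpoints QuickTime would contact when asked to play `url`.

    `payload` is the body an HTTP fetch of `url` returned; the caller fetches,
    this function never touches the network. An empty list means that, as far
    as a byte-level scan can tell, playing the media does not involve RTSP.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme == "rtsp":
        return [url]            # direct stream: QuickTime opens RTSP immediately
    if scheme not in ("http", "https") or payload is None:
        return []               # other schemes are out of scope; no body, no verdict
    # Scan the whole body rather than trusting the HTTP Content-Type header:
    # the server (and therefore the header) is chosen by whoever set the URL.
    found = {m.decode("ascii", "replace") for m in RTSP_REF.findall(payload)}
    return sorted(found)


def safe_to_autoplay(url: str, payload: Optional[bytes] = None,
                     trusted_hosts: Sequence[str] = ()) -> bool:
    """True if the media involves no RTSP, or only RTSP servers on the allowlist."""
    targets = find_rtsp_targets(url, payload)
    return all(urlparse(t).hostname in trusted_hosts for t in targets)


# Constructed sample payloads (assumptions for this example, not captured data).
SAMPLE_QTL = (b'<?xml version="1.0"?>\n'
              b'<?quicktime type="application/x-quicktime-media-link"?>\n'
              b'<embed src="rtsp://stream.example:554/live.sdp" autoplay="true" />\n')
SAMPLE_SDP = (b"v=0\r\no=- 0 0 IN IP4 203.0.113.7\r\ns=Show\r\n"
              b"a=control:rtsp://203.0.113.7/show/\r\nm=video 0 RTP/AVP 96\r\n")
SAMPLE_PLAIN_MOV = (bytes.fromhex("0000001c6674797071742020")  # 'ftyp' 'qt  ' header
                    + b"\x00" * 16 + b"mdat")                     # self-contained, no rtsp

if __name__ == "__main__":
    trusted = ("stream.example",)          # hypothetical allowlist for the demo
    for u, body in [("rtsp://203.0.113.7/live", None),
                    ("http://cdn.example/show.qtl", SAMPLE_QTL),
                    ("http://cdn.example/show.sdp", SAMPLE_SDP),
                    ("http://cdn.example/clip.mov", SAMPLE_PLAIN_MOV)]:
        verdict = "autoplay ok" if safe_to_autoplay(u, body, trusted) else "BLOCK"
        print(u, "->", find_rtsp_targets(u, body), verdict)
```

    The direct rtsp:// URL and the SDP pointing at an unlisted host are blocked; the QTL stub is allowed only because its target host is on the allowlist; the plain movie with no RTSP reference passes. Unchecking the RTSP MIME type in QuickTime (comment 7) removes the whole class at the client, which is the stronger control; this check is for the operator side, where the media URL is chosen.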

  40. Creem says:

    @22:

    I suspect Linux users will have the courage to turn on video in your sim, since the Quicktime exploit doesn’t affect us at all (gstreamer is used instead of Quicktime for video decoding).

  41. Ryu Darragh says:

    I don’t need any exploit to crash SL. Happens every 15 or 20 minutes with great regularity. Nothing else crashes. PC is still running. Still connected to the web. Other machine being used by wife remains connected to SL. *Nothing* else on my machine is affected, but “Second Life has stopped responding.” Been this way for a while. All software up to date. Best hardware you can get (one or two razor blades from Bleeding Edge, but still runs all the usual (WoW, Oblivion, COD, etc.) with excellent frame rates (and no crashes)).

  42. Rhin Forti says:

    I agree to the intelligence of leaving this ‘hole’ open in security. Believe it or not, this is a tactic employed by just about all of Corporate America… affectionately known as “Giving someone enough rope to hang themselves with”.

    Leave these holes in security open, Lindens have told us how to avoid getting exploited.

    With any luck, the insecure little children who need to cause grief to others in order to feel like they have spine and delude themselves into thinking they’re elite or something will put their wee-wees in this ‘hole’ only to be greeted on the other side by the guillotine of law.

  43. Beta X says:

    Megaprims can be used for good; I’ve seen people do wonders with them. It’s those that drop them off to hinder us; it’s still a touchy issue, but I both agree and disagree with that one. It was at the time considered a “sizing exploit” from what I’ve been told, but I’ve seen some marvellous work and structures built with these, and I have also seen the unfortunate done with them as well :O( So I dunno; I on the other hand had no use for them myself.

  44. Stretch Mayo says:

    Agreed, Flash FLV are the preferred format for video. SL get with the program.

  45. Lost Ares says:

    Thanks for letting us know about this as soon as you did ,Keep up the good work and lets hope this weekend is a little better than the last few we have had 🙂

  46. mimi says:

    Mentioning the bug in the TOS window is great! Now no one will miss it! An awesome way of informing people!

  47. Nava Muni says:

    Well, #7, #11, #35, and #39 — I guess we’re not all as clued in.

    It’s a tad disappointing to see that the most we get from LL is a vague message: “We were alerted a short time ago that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit the Second Life viewer.”

    While not detailing how to implement the exploit, we should certainly be told what to expect if “attacked.” It’s like going to the doctor, being told that you have a genetic disorder which, if it manifests itself, could kill you — then never being told the symptoms should it manifest!

    And finally if you “… are able to track attacks …” and are able to “… discover a malicious stream …” then you are in the data path and can intercede, ad hoc. That is, unless you meant to say that you could track attacks and discover malicious streams after the damage had already been done.

  48. Thank you for this needed information (^_^)
    Great work ,,,=^_^=,,,

  49. Blinders Off says:

    I have to agree with some of the responses here about QuickTime being a very poor choice of video engine. How many Mac users do you have compared with PC users? Then why go with an Apple engine instead of the much more widely supported .wmv or .mpeg format (just to name a couple of choices).

    Quicktime messes with my PC and IE browser. Don’t like it, never have, wish SL would choose something else.

  50. hatheadrickenbacker says:

    QuickTime only = eggs in one basket

  51. hatheadrickenbacker Says: November 30th, 2007 at 7:16 PM PST
    QuickTime only = eggs in one basket

    QUOTED FOR TRUTH

    http://jira.secondlife.com:80/browse/VWR-726

  52. Bison Jinn says:

    How does one know if he already has the problem? Any way to check? Will standard internet protection pick up any problems and what are the signs of infection?

    I’m asking because I was invited to watch a video last night that had already caused me to question a few things (and the person showing it), before this warning came out. Any info would be much appreciated. BTW, I think the TOS ploy is a fine way to go for an emergency announcement… an in-world announcement would, perhaps, be better as those already signed in might spend 12 hours before signing on again and reading the warning.

  53. Pingback: Beware: Second Life viewer flaw

  54. Bison Jinn says:

    I just want to say I think a lot of people are real assh*les with how they respond to the problems on the grid. Didn’t it ever occur to you that the servers are probably being attacked all the time too? What, are those bitching the loudest engaging in diversionary tactics? (just being sardonic.)

  55. Di Jun says:

    Whatever the exploit is, please fix it asap; I’ve already crashed four times in the last 2 hours. Is that really a problem associated with QuickTime?

  56. Katarin Kiergarten says:

    Yes, hear hear on the clever use of available resources to get the word out.

  57. Arsenic Soyinka says:

    .

    read The Mercury News’ take on this …

    mercextra.com/blogs/takahashi/2007/11/30/

    .

  58. Stroker Serpentine says:

    “…We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker”

    Just as you have rigorously pursued content thieves? Griefers? Underage avatars?

    I understand this is an exploit beyond the control of Linden Lab. But, do not placate me with statements as such. This is not a derail, it’s a relevant observation that LL is unwilling or unable to “pursue” much of anything. At least we, as content creators, have some control over the proliferation of this QT exploit. I guess we should stop creating new content if we dont want it exploited as well. Hell yes…I’m cynical.

  59. ONE PO'd RESIDENT says:

    http://jira.secondlife.com:80/browse/VWR-726

    Please vote for this so we can get RID of QuickTime. This has been on JIRA for months; cannot believe only 2 votes. Vote for your fixes and changes.

  60. inacentaur says:

    what is the actual exploit? is it another phishing one like the iframe attack from a while ago?

  61. CERT vuln page here: http://www.kb.cert.org/vuls/id/659761

    To prevent attacks, simply disable the RTSP protocol handler in the quicktime control panel under MIME types.

    Or just use linux, GStreamer doesn’t have this problem, thankfully.

    Also of note, the same RTSP bug is in Real/Helix player, but not VideoLAN (VLC).

  62. Berry Steinhoff says:

    Thank you very much for the notice, both in-world and here.

  63. For now we must know it’s still safe to watch videos from trusted sources.

    The exploit only affects streams using the rtsp protocol. So not all QuickTime streams can potentially be exploited.

    The malicious stream has to be specially scripted to use the exploit. So the stream will likely be coming from an untrusted source.

    These are the facts I can confirm so far.

    I have tried some of the other workarounds but I can’t confirm them yet.

    It’s good to get the word out.

  64. Gaye Andrew says:

    mmmmm I’ve been thinking about why it is that a big company like Apple has the gall to still be running QuickTime on a PC?? Firstly it’s rubbish, always has been; it uses up far too much space on my PC; it’s so full of junk that you don’t need now. Secondly there are a lot of players out there that are far better at handling things like streaming video from a PC, and are a lot quicker (I said “quicker”, QuickTime) than the really time-consuming waste of space that your granny of a player takes up (sorry grannie, no offence lol). And as for S/L using it in the first place, shame on you; see how much trouble it’s caused, eh?? It’s high time you got your own player sorted like other companies have, one that’s simple and does the job it’s supposed to do: play streaming media… Hope you listen to the comments put here by the serious people of S/L for a change :))

  65. Ayla Holt says:

    I just opened an amusement park and put in a movie theater using a DVD player that I bought in world. I want to do the responsible thing so should I close that down and just not have any streaming video on my land?

    I’m just not understanding this fully. Anyone have any advice for me? 🙂

  66. prana says:

    Hmmm, who needs QuickTime? It’s the worst player with the worst support and it’s slow. It only makes trouble with encoding.

    Do us a favour and replace it with a good player… no matter what, as long as it’s NOT QuickTime…

  67. Ayla, note that your DVD player may not even be using RTSP at all; if you trust the creator you can still use the DVD. This exploit is specific, happens in a specific instance; streaming video you trust on your own land doesn’t expose your computer.

  68. TigroSpottystripes Katsu says:

    time to ditch quicktime and go after some FOSS alternative

  69. Jarek Dejavu says:

    Please try to realize that this all is kind of a hoax! The probability that you will visit a parcel with RTSP streaming from an untrustable server is quite low itself, and the probability that it’s provided by somebody who knows how and wants to use the exploit to get access to your account, i.e., is even much lower.
    Just disable automatic playing of video on parcels and you will be fine. Where you have trust in the land owner and what he is putting on his parcel as a video source, you can use video relatively safely enough without worries. There is not even a single reported case of any attack this way so far! And the probability that it will be just you who will be attacked, if you are not behaving really riskily, is really low.

  70. Nate T. says:

    There have been other third-parties implementing QuickTime in their programs that have released patches to stop this exploit, why can’t you do the same, instead of just waiting for Apple to fix it?

  71. Wiz Nordberg says:

    Well, this could be better news for SLCN. 🙂 …as our entire business is based upon streaming Quicktime video into Second Life venues!

    In any case, I thought it worthwhile mentioning that ALL SLCN content is produced by us using known equipment which is virus free and does not under any circumstances cause this exploit. All of it is served from our own equipment and each file and live stream is checked by me personally. So, until this blows over, I wanted to assure anybody that anything streamed by SLCN is 100% safe.

    In fairness, you of course need to be careful about having Quicktime enabled and watching content which may be tainted. In many ways the safest thing is to disable QT entirely.

    But, in the interests of the Giant Snail Races, SL Hockey, and Tonight Live (among many other shows residents produce), I hope this is fixed soon and people can get by in the meantime!

  72. Avacea Fasching says:

    I am so over anything by Apple……

    another viewer option please.

  73. rell sands says:

    After all this time, Second Life needs to allow use of alternatives to Quicktime. Never have understood why they only enable this one application. The bug they cite has been in the news for a good week or so. Apple has not fixed it, still another reason to allow other viewers to be used.

  74. Bobo Decosta says:

    Don’t blame Apple when you should be able to fix this yourself. It’s easy to blame other companies for your own troubles.

  75. Iexo Bethune says:

    Well, this would explain why SL crashes every time I try to run it with QuickTime installed. It’s been doing that for months now; the only way I’ve been able to get on since it started is I completely uninstalled QuickTime.

    Glad to know I’m not alone in this issue; hopefully it will be fixed soon and I’ll be able to see movies again at the theater in um… I forget where it is, and it seems the SL website doesn’t actually have an interactive map anywhere like the Voicemap they used to have, but like a basic map… You’d think it would. Anyways, yeah. Glad to know I’m not crazy. xD

  76. Duckling Kwak says:

    Lindens,

    KUDOS! This communication was EXCELLENT. To the point, clear, timely, gives us options, treats us like adults, doesn’t mandate anything, warns us of the potential threat. Absolutely perfect! Thank you!

    DK

  77. Alessandra Pinklady says:

    You made us agree to a new TOS for an issue like this, and more important bugs get put on hold for almost a month??? WTF???

    I’m losing confidence in LL by the minute now.

  78. Aries Gigamon says:

    Lindens, thank you for the warning. Sad to say, but you really shouldn’t be using QuickTime. Popular it may be, but it is garbage.

    While I’m here and complaining, comment #3 by Cernus Piccard needs to be removed for being off topic.

    Comment #24 by Alfredo Handrick needs to either be removed as abusive towards an English-oriented website (and thus every English speaker using the website) or forcibly converted to English.

    And now, being very much off topic :

    #61 Stroker Serpentine. You, sir, should quit complaining. No one, not even our much vaunted CIA or FBI, actually has the ability to track anything save an explosion as it occurs, for various reasons.

    Reason 1: it occurs too quickly to track as it happens, this occurs with most types of data transfers, being that they end up routed across the planet.

    Reason 2: as soon as it occurs, most such attackers will instantly shut down, so as to prevent themselves from being found.

    As to your complaints of underage avatars, I can only assume you mean underage avatars being used in a mature setting. LL certainly cannot control that, any more than they can control whether a Neo Nazi uses their program.
    More importantly, are you a paying customer? If so, then my apologies for the next bit.
    If you aren’t a paying customer, no company in the world will even bother to READ your complaint, much less take action regarding your complaints.
    The same applies to content thieves and simulation crashers. They are most likely paying customers. They just happen to also be a**holes to everyone they see.
    Being that they are PAYING customers, Linden Lab would be understandably reluctant to permanently ban them, mostly fearing lawsuits claiming some sort of discrimination.

    I think I’m done here.

  79. Pingback: The Second Life Grid Grind » Blog Archive » Be careful watching streaming video in Second Life

  80. Pingback: Kitten Lulu » Blog Archive » A word of warning about the QuickTime security flaw

  81. Pingback: Second Life Viewer Warning » Kabalyero

  82. Jaime Hocken says:

    Will SL support any other type of movie file ever??

  83. Just to clear it up before we disable anything, for @home TV users and other residents: our TVs’ and products’ pre-loaded content is completely safe from this exploit.

    Only the SLCN and AmericaFREE channels in our TVs are using RTSP, but these are well trusted sources. Completely safe. I know the producers of both channels. They are well established and trusted. Wiz has cleared it up for SLCN on #74 above. AmericaFREE is also well established and I’ve been in contact with their CEO. Their content is completely safe.

    All other content in our TVs does not use RTSP, so it is completely safe as well.

    So enjoy your home TVs with confidence 🙂

    For other video streaming locations in SL, I can’t speak for them, but my opinion is that most places don’t use RTSP.

    The key is to go with trusted sources.

    Happy Viewing.

  84. Fellatione Aabye says:

    “We had to finagle a cache setting on the corporate server, so some people will see the TOS a second time. It is harmless, please forgive our slip.”

    Dear Phoenix

    Don’t you think that all the SL Citizens are starting to get annoyed by all the “we apologize for this and that and those” problems created only on the Linden Lab side of SL???

    We aren’t kids, you know, as you still think???? And most SL Citizens only demand a stable platform… and not all the sick gimmicks like Voice and now Windlight (which are forced upon the Citizens and I dare say NOT a single SL Citizen ever asked for… except some sick minds and Linden.. apologies for that)

    But thx for the warning, as I never use video in SL, except music… of course…

  85. Oh my, quicktime? Susceptible to bugs in streaming protocols ?! Impossible, everyone knows apple is perfect and due to the name on it, scares hackers and other l33t forms of life away!

    Maybe in the future, LL will start thinking of the bottom line and stop developing for the lowest common denominator.

  86. Pingback: The Grid Live » Second Life News for December 1, 2007

  87. Tya Fallingbridge says:

    I say turn off Video on the grid until its fixed.

  88. At0m0 Beerbaum says:

    sounds like it’s time to get away from quicktime.

    I suggest maybe making use of an open source multimedia backend or player, mplayer, vlc or xine come to mind, or plugins that interface with said media players. just like how the linux client makes use of gstreamer.

  89. Anna Eisbar says:

    Typically American.

    There is a big security threat in SL, which is accessible worldwide, and no poor soul at LL would care about translating this warning message in as many languages as possible.

  90. Ren Diqui says:

    well… that’s one of the cons working with 3rd party components.

  91. Pepper Haas says:

    Thank you, very useful blog post, explaining your actions and giving customers a workaround. Here’s wishing you deal with every glitch and bug that way from now on!!

  92. Pepper Haas says:

    #24 Alfredo, I meet people from all over the world in sl and they ALL attempt English. Even the French!! It is only, ever, the Spanish speakers who walk around asking people to speak their language. It says right on the webpage that SL is an English language environment, maybe you can do what the German users do and have their own SL webpage where someone posts the info in German. In any case, please accept that English is a world language, and Spanish is not.

  93. Efemera Bisiani says:

    Kudos LL – *very* impressed with how you have dealt with notifying residents of this issue.

  94. Jay Prospero says:

    Stay away from the porn streams if you are concerned lol

  95. Laura18 Streeter says:

    Just a quick point to make: software and companies susceptible to exploits are usually the ones with the widest reach. Don’t think that tomorrow’s new RTSP streamer won’t be attacked if it becomes a de facto standard. Switching technologies is not the solution and is probably too costly in the way of rewriting a lot of SL code as it is.

  96. Ishtara Rothschild says:

    Good way to notify us. I agree with some replies here though, I also never liked Apple’s cr*p that constantly wants to phone home and seems to be made to greatly reduce the performance of Intel machines (especially iTunes).

  97. Hoodie Lykin says:

    Yet another reason to run Second Life on Linux.

  98. Ayamo Nozaki says:

    Pah, maybe when the sound, let alone the video, actually works in Linux.

  99. U M says:

    I am happy I don`t have Quick time installed.

  100. Gil Druart says:

    Long term … how about a move away from using Quicktime at all? It’s a nasty, nasty piece of software. Wouldn’t be on my machine at all except for SL’s requirements.

  101. @Aries
    Did you know that Stroker had his warez plagiarized? That some unscrupulous person copied his sexgen devices? I understand his plight, as I have had neighbors steal my artisans content….

    Thank you LL for notifying us about this 😉

  102. Wiz Nordberg says:

    I think it’s a waste of thread bandwidth to focus on Quicktime and try to lobby LL to replace it with something else. I believe LL has good knowledge of why or why not to use particular technologies and when, especially for streaming. Yes, it would be nice to have other formats, but I think the real issue here has to do with security response, which LL has been excellent in handling in this case, so let’s applaud the fact that they told us about it the way they did.

    Also, be careful of the “grass is always greener” mentality. For example, on October 19th, a “zero-day” vulnerability in Real Player caused a very similar and equally serious exploit where malicious code could be executed on the user’s computer. If the Second Life client used Real Player instead of QT, it’s possible we would have been having this same “bashing” discussion two weeks ago, except we would have been slamming Real Networks instead of Apple.

    Neither Linden Labs nor Apple are the criminals here. Hackers and exploit-writers are. If you know one, kick ’em in the shins for me.

  103. U M says:

    “If the Second Life client used Real Player instead of QT, it’s possible we would have been having this same “bashing” discussion two weeks ago, except we would have been slamming Real Networks instead of Apple.”

    Real Player is even worse. Talk about bulky and outdated streaming. No thank you! What's worse is that the hackers just love Real Player just as much. Again, No Thank You.

  104. Pingback: QuickTime Exploit Found — URGENT « Around the Grid with Harper

  105. Harper says:

    Also, be careful of the “grass is always greener” mentality. For example, on October 19th, a “zero-day” vulnerability in Real Player caused a very similar and equally serious exploit where malicious code could be executed on the user’s computer. If the Second Life client used Real Player instead of QT, it’s possible we would have been having this same “bashing” discussion two weeks ago, except we would have been slamming Real Networks instead of Apple.

    Neither Linden Labs nor Apple are the criminals here. Hackers and exploit-writers are. [italics mine — Harper] If you know one, kick ‘em in the shins for me.

    Agreed on this. No blame should be assigned, period. I’ve done some software writing, and software by default is buggy, being (a) very complex except for short pieces, and (b) written by human beings. There hasn’t been a complex program written that has not had at least one bug in it, and the Master Programmer would insist that even a one-line program would have a bug somewhere.

    Blame instead the ones who are thrilled to take malicious advantage of these flaws.

  106. U M says:

    What's new with QuickTime? It's always been hacked one time or another. That's one of the main reasons why I don't have it installed on my computer, and/or Real Player.

  107. I’d like to weigh in on this issue as well…I am the creator of the TIM (Temporal Industries Media) DVD and TV products. TIM does not use RTSP as a streaming protocol, nor do our URLs lead to RTSP feeds. All of our streams are tested and vetted by our own SL testers, prior to inclusion in our players and TVs.

    From all I can find out about this exploit, which has been around for about six months… it ONLY takes advantage of the RTSP streaming protocol of QuickTime.

    “A vulnerability exists in the way Apple QuickTime handles specially crafted Real Time Streaming Protocol (RTSP) URL strings. Public exploit code is available that demonstrates how opening a .QTL file triggers the buffer overflow. However, we have confirmed that other attack vectors for the vulnerability also exist.”

    Possible attack vectors include

    a web page that uses the QuickTime plug-in or ActiveX control
    a web page that uses the rtsp:// protocol
    a file that is associated with the QuickTime Player

    This means that a URL that does NOT start with RTSP (http for example) can be used to encapsulate a RTSP feed. There is a way in the quicktime player v 7.2 and later, to disable RTSP feeds by opening the player, choosing edit/preferences/quicktime preferences/file types/streaming/and unchecking the rtsp protocol…from all I can see, from reading various sources, this will prevent quicktime from accessing even an embedded RTSP feed.

    We also suggest that if you use the Firefox browser to view QuickTime files, outside of the SL platform, that you disable the QuickTime plugin for that browser. Currently the plugins for IE 6 and IE 7, as well as Safari, seem to be ok… but we recommend disabling those plugins or ActiveX controls as well, since I am sure that they will be next on the hackers’ “to do” list.

    TIM products will continue to be tested and we will continue to be a trusted source for quicktime content on the SL platform.

  108. Melanie Milland says:

    Video has never worked for me in either Windows or Linux.
    It may be that self-compiled viewers cannot display video for some reason, but I will not lose any sleep over it. SL is beautiful without video; I fail to see the need to have video in SL at all, except for corporate/educational use.

    What is the point of a SL TV within a SL home, what is the point of an SL home? ^^

    But Kudos for finding this novel way of alerting residents to the threat!

    By the way, where is Voice for Linux?

  109. Maldoror Damone says:

    Hahaha! Did you just call a TOS harmless? HAHAHA!

  110. Navigator Hax says:

    Seems to me that only PC users are whining about Quicktime. Maybe it’s not QT but your PC that is garbage? … If you have not bought a new computer in the past ummm 5 to 10 years, then perhaps that too is your problem.

    SL is far from perfect and Apple has its fair share of problems too, but nothing in comparison to the endless list of PC bugs, viruses and ill fated Windoze induced parasites that gave way to Hackers and Hacking in the first place. – Maybe if Billy Gates had not been so damn greedy we would all be living in a kinder, more USER friendly world, where hackers and their fruitless efforts were NULLIFIED and VOIDED prior to them reaching the users’ welcome mat. – There is nothing wrong with Apple’s Quicktime… it makes every other video encoding system look like mush, that is if you are using A REAL COMPUTER and not something your grandmother was using 2 decades ago… then again… with the exception of Flash, the rest of these encoders are pure mush! – Keep Quicktime, DUMP the whiney PC users! LOL….

    PS… if you can’t take a joke, byte me! :p

    Nav muahahahaha!

  111. MrLunk Voom says:

    Damn! That sux, but eej, now there is finally a REAL REASON to get a different platform for video integrated into SL!!!
    How hard can it be to implement Flash video?
    Or is there maybe some secret deal with Apple QuickTime that we all don't know about?

    Fork the whole QT system, get on .hlv or divx streams…
    work with stuff that anyone has the capability to stream webcam and video with…

  112. Melanie Milland says:

    $_ = 'Navigator Hax';
    chomp;

    There’s your byte!

    * Firmly pushes the video switch to the off position *

  113. U M says:

    No, Windows people aren't. Frankly speaking, being an old Apple user from 20 years ago, I used QuickTime very often. But these days what's the point of using it, since it's being hacked, as is Real Player.

  114. Melanie Milland says:

    @115: That may well be the reason – maybe they don’t want everyone to easily be able to do it. Maybe they don’t want hundreds of prims showing live images of residents’ genitals…
    I know I don’t!

  115. Pingback: Hackers use QuickTime flaw to pick SecondLife pockets « I’m Just an Avatar

  116. Nevera Stooge says:

    Is it possible to temporarily use another video program in SL, until the QT bug is fixed?

    Then just post the program link for everyone to download…

    ??

  117. Wiz and Harper have it right.

    Just because Linden Lab was friendly enough to warn all users of the possibility of a problem, it doesn’t make LL “careless” or Apple “a fiend”.

    YouTube, blip.tv, and several similar sites (including iTunes!) all use, to an extent, RTSP streaming (in the case of YouTube videos, mostly for mobile phones, but you can see those videos on your computer as well — and inside SL!). Did you receive a nice letter from either of them warning you to take care when watching videos? Of course not.

    Security in your computer is something that is your responsibility. The vastest part of Humankind has no clue what the initials “CERT” stand for. They have no idea how many exploits per day are found and published world-wide. If you got an email for each and every one of those exploits, you’d dump your computer, close the door and lock it, and hide under your bed — burning your credit and debit cards. There are exploits for everything — even for the chips running software inside your car. Some are serious, most are very exotic and not dangerous. Some will probably never get fixed. Most, at some point, get patched. How do you really know, if you’re not being informed on a daily basis?

    Be glad that LL is actually doing something to alert you that it’s a jungle out there.

    Trashing QuickTime as “an inferior product” is simply pure ignorance. Remember that Apple co-developed the “open source” MPEG-4 format — which was for ages the herald of open source video formats.

    Search for windows media player exploit under Google: you’ll get 1.8 million links. real player exploit will give you about the same number; quicktime exploit will give you 1.3 million links. Any one is as “bad” as the others.

    The choice of QuickTime as the underlying video/audio streaming engine is not due to being a “better” product: it’s because of its licensing model. Apple allows redistribution of SL using the underlying QT libraries without charging LL anything — and even allowing LL to redistribute the viewer code as open source and for free. Microsoft would allow neither. Real Networks would be even worse (and Philip worked for them — he knows!). This means that we all had to pay something for the SL viewer and couldn’t have the code, too. How many people would be willing to do that? The choice was soundly made years ago, to allow us to enjoy a free SL client. Many of you remember the days when there were just a few thousand users in SL willing to pay for it; in fact, the number of Premium accounts is still under a hundred thousand. People simply expect software to be free, and that was LL’s choice too. QuickTime was the only serious alternative that allowed close integration with SL without a licensing model.

    Worse than that: the QuickTime libraries work across both the Windows and Mac platforms. Microsoft’s would only work on Windows — cutting out perhaps a third of the regular user base of SL. It would be a very unwise choice, even if LL would manage to negotiate better licensing terms with Microsoft (highly unlikely).

    Of course there are free and open source alternatives (some people use them to back-patch the Linux SL viewer to view some streams). Maintaining them is a nightmare — poor documentation, projects getting abandoned quicker than they start, and so on. Please don’t misunderstand me: I use mplayer and VLC a lot, which are two media players which are still around, and have been so for several years. Sure, they’re clumsy and outdated. But at least there is ongoing support for them, and probably will be for many years. This is what LL is aiming at: long-term support of the audio/video streaming infrastructure.

    They could have supported their own player, of course. But why should they invest labour and money supporting code that is freely available from a major software development corporation? (in this case, Apple; for the in-world HTML browser, the Mozilla Foundation) They just needed to add the “hooks” to Apple’s library code and let Apple provide patches and updates to their code, leaving LL’s developers to focus on what they do best: creating an awesome renderer.

    So be glad that LL is warning us all of potential exploits, instead of blaming them on the cracker culture that exploits everything. Just because you’re not aware how many exploits there are for any piece of software, and suddenly woke up to an announcement that there is one exploit for QuickTime, don’t blame LL (or Apple) for the cracker culture.

    Instead, take a look at a list of exploits and vulnerabilities. Here are the latest published by CERT. Notice how open source software also appears on the list. But are they serious? You can evaluate the degree of seriousness here. I hope you notice what’s on top of that list. More than that, you can check if these have been fixed or not (most of the more serious ones have never been fixed!).

  118. Pingback: Second Life: ecco la piccola criminalità virtuale

  119. Party Miles says:

    Wouldn't it be simpler to eliminate the Hackers from SL?

  120. Party Miles says:

    In Italian….. since the English is terrible… But isn't it simpler to eliminate the Hackers from SL::::::!

  121. Opensource Obscure says:

    Party Miles:
    Not only is it not simpler, but what you say doesn't even make sense. Try to explain how you would identify “the hackers” in Second Life, for example.

  122. U M says:

    Sigh, another novel-long post. I wish the blog would allow x number of words for a single posting. Nothing worse than having to read the endless rambling of someone on a daily basis!

    Ok, now back to this topic. QuickTime has been known to be loved by hackers. SL had nothing to do with this exploit, but at least they informed us ASAP. But to what degree has this affected people's computers? And has Apple or Microsoft commented on this problem? Or will they?

  123. Pingback: Apple Quicktime exploit impacts SL video streaming » VTOR - Virtual TO Reality

  124. Peebee McMillan says:

    It has been said more than once, but AWESOME PROCEDURE WITH THE EMERGENCY TOS ANNOUNCEMENT!

    Once more LL has proved, that they can be effective in information transparency. Surely not every single resident is happy with every single aspect of SL. But the fact that LL shows us that they care, that they proceed and inform, gives a good feeling.

    But as a golden rule for all and everyone, in all situations of life (either): KEEP IT UP GETTING BETTER!

    :o))) Cheers to all addicties, Peebee

  125. Retsujou Arashi says:

    As mentioned before simply read
    http://www.kb.cert.org/vuls/id/659761
    and
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6166

    This is an exploit in the handling of RTSP Content-Type header descriptions.
    There are easy work-arounds for this problem and you do not need to disable streaming completely.

    The information provided by Linden Labs seems a bit incomplete.

    Thanks
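    The comment above locates the flaw in QuickTime's handling of RTSP Content-Type header descriptions. As an added defender-side example (not code from the thread, the CERT note, or Linden Lab), the checker below parses the header block of an RTSP response and flags a Content-Type value that is implausibly long or contains non-printable bytes, the kind of check a stream-vetting proxy or IDS rule could apply before a client ever sees the response. The 128-byte threshold and the two sample responses are constructed assumptions for illustration, not values taken from the advisory.

```python
"""
Added example (not part of the original thread): a defender-side check that
parses the header block of an RTSP response and flags a Content-Type header
that is implausibly long or contains non-printable bytes. The thread only
states that the flaw is in QuickTime's handling of RTSP Content-Type header
descriptions; the 128-byte threshold and the sample responses below are
assumptions constructed for illustration, not values from the advisory.
"""
from typing import Dict, List, Tuple

MAX_CONTENT_TYPE_LEN = 128  # assumed limit; real media types are far shorter


def parse_rtsp_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an RTSP response into (status line, header dict).

    Header names are lower-cased so lookups are case-insensitive.
    Folded (multi-line) headers are not supported; malformed lines are
    skipped rather than crashing the checker.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers


def content_type_findings(raw: bytes) -> List[str]:
    """Return the reasons a response looks suspicious (empty list = clean)."""
    _status, headers = parse_rtsp_headers(raw)
    findings: List[str] = []
    ctype = headers.get("content-type")
    if ctype is None:
        return findings  # no Content-Type at all: nothing for this rule to judge
    if len(ctype) > MAX_CONTENT_TYPE_LEN:
        findings.append(
            f"Content-Type length {len(ctype)} exceeds {MAX_CONTENT_TYPE_LEN}"
        )
    if any(not (32 <= ord(ch) < 127) for ch in ctype):
        findings.append("Content-Type contains non-printable bytes")
    return findings


# Constructed sample responses (not captured traffic).
BENIGN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SUSPICIOUS = (
    b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: " + b"A" * 1024
    + b"\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, content_type_findings(sample) or "clean")
```

    A check like this belongs in front of the client (a vetting proxy for the streams a venue publishes, or an IDS signature on the RTSP port), since the point is to stop the oversized header before a vulnerable QuickTime ever parses it.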

  126. Joe Linden says:

    Gwyneth Llewelyn said many of the things I intended to post this morning, so I won’t repeat those, but I do want to clarify a couple of issues.

    This potential exploit exists within all versions of QuickTime from version 4.0 to 7.3 and is considered “extremely critical” by leading internet security professionals. The exploit method is a stack buffer overflow which could allow arbitrary code to be executed on your machine. The details of the exploit are documented several places on the web but the CERT advisory is here: http://www.kb.cert.org/vuls/id/659761

    Second Life is not the only application affected (iTunes, Firefox, IE, Opera, and Safari running on Leopard, Tiger, or WinXP are equally vulnerable) but *we* have the unique ability to notify all of our users at login that this exploit exists, and have done so. Most users of iTunes or Firefox to this moment do not know that this exploit exists and are at risk unless they take steps to become aware of the streams they may process in those applications. As Phoenix mentioned, we do have the ability to disable all streaming video in-world, just shut it all down, and we may find a reason to do just that if we believe the exploit is in active use within Second Life but we do not feel we have cause to take that step now.

    If you host a live performance and are responsible for providing an RTSP stream to Second Life Residents, this exploit cannot affect you or your audience. A perpetrator must take explicit steps to create a malformed stream designed to execute rogue code on your machine then lure you to their land and ask you to turn on streaming. So, for now, until Apple addresses this serious flaw in QT we encourage all Residents to leave QT streaming off in the “Audio & Video” preferences tab unless you are attending an event, performance or business gathering at a location you personally have reason to trust. The vast majority of such events in Second Life this weekend will be trustworthy, but caution is warranted and you are fully empowered to protect yourself from the few that may attempt to use this exploit as a griefing tool.

    It bears restating that we do have a means in place to track and trace any QuickTime URL used within Second Life which may attempt to use this exploit before Apple patches it. We will take steps to hold any perpetrator accountable, so don’t even think about experimenting with this on your own land as a science project…

    Next steps: When Apple issues a corrected version of QuickTime closing this vulnerability, we will push a new mandatory viewer update that will verify you have an updated copy of QuickTime on your system before enabling the QT subsystem for use in Second Life. Those who choose not to enable video streaming will not need to update QT to continue to use Second Life.

    Enjoy the weekend!
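    Joe Linden's post names the affected range (QuickTime 4.0 through 7.3) and describes the planned viewer behaviour: check the installed QuickTime version before enabling the QT subsystem, and skip the check entirely for users who leave streaming off. The following is an added example of such a version gate; it is not Linden Lab's viewer code. FIRST_FIXED_VERSION is a labelled placeholder, since nobody in the thread knows which release will carry Apple's fix, and the version strings fed to it are constructed inputs.

```python
"""
Added example, not Linden Lab's viewer code: a version gate of the kind Joe
Linden describes, which refuses to enable the QuickTime subsystem unless the
installed version is at or past the first fixed release and reports whether
the version falls in the range the post names as affected (4.0 to 7.3).
FIRST_FIXED_VERSION is a placeholder assumption, not a value from Apple.
"""
from typing import Tuple

Version = Tuple[int, ...]

AFFECTED_MIN: Version = (4, 0)   # from the post: affected from 4.0 ...
AFFECTED_MAX: Version = (7, 3)   # ... through 7.3
FIRST_FIXED_VERSION: Version = (7, 3, 1)  # PLACEHOLDER: assumed, not from Apple


def parse_version(text: str) -> Version:
    """Turn '7.3', '7.2.1' or '7.3 (1234)' into a comparable tuple of ints.

    Anything after the first space (build info) is ignored. A string that is
    not dotted integers raises ValueError so callers fail closed.
    """
    core = text.strip().split(" ", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: Version) -> bool:
    """True if the version lies in the affected range named in the post.

    Tuple comparison gives the expected order: (7, 3, 1) > (7, 3), so a
    point release after 7.3 is outside the range.
    """
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def quicktime_allowed(installed: str, streaming_requested: bool) -> Tuple[bool, str]:
    """Decide whether the viewer should initialise the QT subsystem.

    Returns (allowed, reason). Users who leave streaming off never need the
    check, matching the post's remark that they need not update QuickTime.
    Unparseable version strings fail closed.
    """
    if not streaming_requested:
        return False, "streaming disabled by user; QuickTime not loaded"
    try:
        version = parse_version(installed)
    except ValueError:
        return False, f"refusing to load QuickTime: unparseable version {installed!r}"
    if version < FIRST_FIXED_VERSION:
        why = "in the affected range" if is_affected(version) else "older than the first fixed release"
        return False, f"QuickTime {installed} is {why}; update before enabling streaming"
    return True, f"QuickTime {installed} accepted"


if __name__ == "__main__":
    # Constructed inputs, not values read from a real installation.
    for candidate in ("7.3", "7.2.1 (1234)", "7.3.1", "3.9", "seven"):
        print(candidate, quicktime_allowed(candidate, True))
    print("streaming off", quicktime_allowed("7.3", False))
```

    The gate fails closed on garbage input and refuses any version below the placeholder fixed release, so swapping in the real fixed version once Apple ships it is the only change needed.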

  127. Masami Kuramoto says:

    @ Gwyneth, #121
    “Of course there are free and open source alternatives (some people use them to back-patch the Linux SL viewer to view some streams). Maintaining them is a nightmare”

    You forgot to add: “… on Windows.”

    The GStreamer framework on Linux is a shared component which is well-documented, well-maintained and extensible. LL is using it in the SL viewer for Linux by default. But it wasn’t designed for Windows. Tough luck …

  128. riven homewood says:

    Thank you for letting us know about this and giving us the option to still use QuickTime when necessary.

    I’d like to suggest that you check the CSI sim and contact Electric Sheep about this. I recently visited the CSI sim, which makes heavy use of streaming video. I found a strange thing happened when I tried to Search there. I visited that sim with both the In Rez viewer and the SecondLife viewer, and I can’t remember whether the problem occurred with just one viewer or with both.

    When I tried using the Search tool to search for landmarks outside of the CSI sim (for example, my favorite dress shop in Caledon) a list would come up that included the correct landmark and then immediately that list would be replaced by a list of “Adult” places.

    I don’t know if this is an example of the kind of thing that an outside person could do to exploit the QuickTime bug, but I immediately thought of it when I read your announcement.

  129. Pingback: Alerta de segurança para usuários do Second Life

  130. AWM Mars says:

    I’ve been posting about QT exploits but few seemed to believe me.
    These exploits have been around for some years and growing in seriousness. However, you will only get exploits if:
    The source media has been infected (knowingly or unknowingly).
    If the media is delivered via http, which can incorporate code that combines the stream with malicious code from another source.
    You have an open port, which is controlled by a trojan etc on your system, that uses it to share and bring in/give out malicious code.

    FYI: ALL WBA media created on our systems, and hosted on our secure streaming servers, shown in SL on a Silver Stream Network system, are free from malicious code and or exploits.

  131. AWM Mars says:

    Regarding Exploits:

    With the WEB Tab in profiles. If you simply open someone's profile, you are at RISK of getting infected. If the person has any malicious code within their website index.html, by opening their profile, you automatically grant that code access onto your system, even if you do not click the web tab!

    To prove that, open someone's profile that has background music set on their home page; without clicking on the web tab, you will hear that music. You will NOT hear exploiting code. Disable this ‘feature’ and spam LL until they remove it.

  132. U M says:

    shakeshead……..

  133. Bison Jinn says:

    So, how does one check if one has been affected? Will standard virus scans, etc work? Or should the machine be wiped and the OS reinstalled?

  134. Lex Neva says:

    It should be noted that a proof-of-concept exploit of this vulnerability exists, which seems to allow someone to send all of your L$ to an attacker. This REQUIRES that you have streaming video enabled, RTSP not disabled in quicktime, and that you ARE ON THEIR LAND, so don’t everyone go panicking yet. Here’s a description:

    http://www.securityevaluators.com/sl/

    It seems that disabling RTSP in your quicktime preferences mitigates this, but for now, I’m also disabling quicktime in SL until a fix is released.

  135. Tasho Fairplay says:

    I really have to say, using quicktime as the sole source for video content on SL is really a hindering stance in the progression that needs to happen.

    If there is indeed a reasonable way to allow users to host other video format or even just flash videos, it would be wonderful if some steps were taken down this path in the near future.

    I remember when playing a .swf file wasn’t an issue (as long as the file auto-played) and nowadays, even those won’t properly load.

  136. Way to go LL, help griefers some more why don't you? Using video streaming to IP log griefers as they crash sims is one of the important ways to fight griefing and document who the real abusers are. Eliminating this ability only helps griefers, much as your stupid idea to enable people to hide groups. Far more than helping to get rid of griefing or give us more security features, you keep enabling griefing with your stupid decisions like this one.

  137. Eclaire Looming says:

    Heads up if u r in SL and bothering to read this… heavy lag.. TP not working

  138. Beej Barbarossa says:

    OK – So what do we do if the TOS page will not load??? I cannot choose to accept it – it’s greyed out. It’s been more than 10 minutes now – I’ve closed and reopened SL, cleared the cache, still not loading the page… no hourglass – no nothing… just shows ‘loading…’ :((((

  139. Oryx Tempel says:

    I’d recommend also alerting residents using the Message of the Day upon login. That way we’ll all see it while waiting to connect to servers, etc.

  140. Sharla Meredith says:

    Same as 142, I can’t even log in at all as the updated TOS won’t load. It’s been 2-3 hours now, and I still can’t get in. 😦

  141. Pingback: Lex Neva’s thoughts » Disable QuickTime in SL

  142. U M says:

    142 has a point. A dam ******* good point. Why wasn't this done? Well, I tell you, because the Lindens themselves were late. Hence look at one of those remarks here. It appears that some if not many had no idea whatsoever. Typical……………….

  143. Blinders Off says:

    @Joe Linden:
    Joe, scuse, but to me Linden Lab’s position in this matter is absolutely senseless. If this exploit has existed ever since v 4.0 of Quicktime, it seems Apple shares LL’s habit of allowing significant bugs to continue for months and even years on end.

    So instead of LL waiting for Apple to correct this problem (whenever that may be), why don’t you folks just switch to a more widely-used format? Go to WMA or mpeg.

    Torley’s hints aren’t in Quicktime are they? Youtube isn’t Quicktime is it? Switch to a better format, even if it means the system opens up a video window instead of broadcasting videos on a prim. I’m sure no one is going to complain all that much… and a video window might actually work better.

    I mean, geeze LL, take the smart direction for once. 😉

  144. Masami Kuramoto says:

    @ Blinders, #147
    “why don’t you folks just switch to a more widely-used format? Go to WMA or mpeg.”

    Quicktime isn’t a format. Most clips in SL are MPEG-4 already. The viewer is just using Quicktime to download and decode them.

    Oh, and Windows Media is not exactly a “widely used format”.

  145. Amanda Kirkorian says:

    My login screen is stuck on the TOS, it will not load =(

  146. Slartibartfast Magicthise says:

    Just wanted to pop in and kick U M in the nuts for making this his personal MySpace page.

    Word of advice: DON’T PANIC. S’not as grim as it sounds. Apple will have it patched before most users even know it existed, and U M will still be wondering what Chocolate Rain is all about.
