Security Update to Second Life viewers: 26 Sept 2008
Linden Lab has released an optional update to the Second Life viewers today to address a potential security issue. Recently an audit identified a possible vulnerability. If a malicious user were able to obtain the IP address and port of a Resident’s viewer, then the malicious user could forge data packets to the Resident’s computer. This could be done in a way to cause the viewer to return enough information about its session to allow the attacker to initiate various server-side operations as if they were the Resident, including L$ transactions.
In the case of L$ transactions, this action would be visible to you: if this were to occur, the viewer would report the transaction after it occurred in the normal blue dialog box. Also, you are always able to inspect the transaction log to see recent transactions. This would allow you to notice and report these actions for violating the Second Life Terms of Service.
This type of malicious action would constitute a violation of the Terms of Service, and would be against the law in some locations. At this time we have no evidence that this vulnerability was ever exploited.
To eliminate this vulnerability, we have now updated the Second Life servers to transmit the messages over an encrypted channel (HTTPS). Now that the server upgrade is complete, we are releasing updated viewers that only accept these messages when transmitted over an encrypted channel. Once you have downloaded the update, if a malicious third party were to attempt to send messages over the old channel (UDP), they would be ignored.
Again, we have no indication to date that this security issue has ever been exploited or is being exploited currently. However, we strongly encourage Second Life Residents to update to the latest viewer with the security patches in place. The viewers are:
- Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on July 24th)
- Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and includes additional bug fixes as part of the usual release candidate cycle)
We have not provided a security update to older viewers (such as the 1.19 series) which are older than the official supported Second Life viewer. To take advantage of this security update, we do encourage Residents using version 1.19 to update if possible to version 1.20.16. However, this upgrade is not mandatory in order to continue to use Second Life. An old viewer will alert you that a new version is available.
The updated source code for these new 1.20 and 1.21 RC viewers is being made available via the usual open source channels.
For discussion about the issue, please visit the Second Life Forum: http://forums.secondlife.com/forumdisplay.php?f=350