Archive for the ‘Security’ Category

Security Update to Second Life viewers: 2008-10-06

Monday, October 6th, 2008

Today, we released an important update that improves the security of the Second Life viewer for all Residents. This update eliminates a recently discovered issue, and we’re requiring that all Residents download and install it to ensure that everyone remains secure while using Second Life. You will be prompted to download and install the update when you log in, or you can get it from the Downloads page.

More details about the improvements included in this update are available below.


Linden Lab has released a Security Update to the Second Life viewer software today to address a potential security issue. This Security Update includes an additional security patch related to the Security Update issued on 26-Sept-2008.

Available for:

Second Life Viewer 1.20.15 / 1.20.16
Second Life Release Candidate Viewer 1.21.4

Description:

We recently updated the Second Life server and viewers to enhance the communications code. All transfer operations are now restricted to files that the user has expressly chosen, and specific directories that the viewer uses for transferring data. For the safety of all Second Life users, we are releasing this updated viewer to all Residents.

Potential vulnerabilities had been identified in those message communications directed at a Second Life viewer over the previous protocol. By taking advantage of this vulnerability, while extremely difficult technically, a malicious user could potentially use the viewer to access files on the victim’s computer. We currently have no evidence of this vulnerability ever being exploited.
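The transfer rule described above (only files the user expressly chose, plus specific directories the viewer itself uses) written out as an added example. This is not the Second Life viewer's own code; the directory paths and the chosen-file set are constructed placeholders.

```python
from pathlib import Path

# Constructed example setup. The directory names and the chosen-file set are
# placeholders for this snippet, not the Second Life viewer's real paths.
VIEWER_DIRS = [Path("/opt/sl_example/cache"), Path("/opt/sl_example/uploads")]
USER_CHOSEN = {Path("/opt/sl_example/home/photo.png")}


def _canonical(p: Path) -> Path:
    """Absolute path with '.', '..' and any existing symlinks resolved.

    strict=False keeps this working for paths that do not exist yet, which
    is the normal case for a file that is about to be downloaded.
    """
    return p.expanduser().resolve(strict=False)


def transfer_allowed(requested: str,
                     user_chosen=USER_CHOSEN,
                     viewer_dirs=VIEWER_DIRS) -> bool:
    """True only if `requested` is a user-chosen file or lies inside one of
    the viewer's own transfer directories; anything else is refused."""
    target = _canonical(Path(requested))

    # Exact match against files the user expressly picked in a dialog.
    if target in {_canonical(f) for f in user_chosen}:
        return True

    # Otherwise it must sit beneath an allowed directory. Canonicalising
    # both sides and comparing path components (not string prefixes) defeats
    # '..' segments, symlinked parents and look-alike names such as cache_x.
    for root in viewer_dirs:
        try:
            target.relative_to(_canonical(root))
            return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    for p in ("/opt/sl_example/cache/texture.j2c",
              "/opt/sl_example/home/photo.png",
              "/opt/sl_example/home/passwords.txt",
              "/opt/sl_example/cache/../home/passwords.txt"):
        print(f"{p}: {'allowed' if transfer_allowed(p) else 'rejected'}")
```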

This Security Update 2008-10-06 is required to continue to log in to Second Life. By downloading the update, you will upgrade the software on your computer to version 1.20.17.

Residents who use the Release Candidate viewer are required to update to RC5, which also includes the latest bug fixes.

Earlier versions of Second Life (1.19.1, 1.19, and before) include the serious vulnerabilities and are no longer supported. You will be prompted to upgrade to the latest version on your next login.

For any Residents who prefer, or have been using, earlier versions that do not include WindLight rendering, we have created a page on the Second Life Wiki that explains how to turn all related graphics settings to “Low,” effectively turning off WindLight in the current official viewer.

The source code for these new 1.20 and 1.21 RC5 viewers will be made available via the usual open source channels.

For discussion about the issue, please visit this thread in the SL Forums.

Security Update to Second Life viewers: 26 Sept 2008

Friday, September 26th, 2008

Linden Lab has released an optional update to the Second Life viewers today to address a potential security issue. Recently an audit identified a possible vulnerability. If a malicious user were able to obtain the IP address and port of a Resident’s viewer, then the malicious user could forge data packets to the Resident’s computer. This could be done in a way that causes the viewer to return enough information about its session to allow the attacker to initiate various server-side operations as if they were the Resident, including L$ transactions.

In the case of L$ transactions, this action would be visible to you: if this were to occur, the viewer would report the transaction after it occurred in the normal blue dialog box. Also, you are always able to inspect the transaction log to see recent transactions. This would allow you to notice and report these actions for violating the Second Life Terms of Service.

This type of malicious action would constitute a violation of the Terms of Service, and would be against the law in some locations. At this time we have no evidence that this vulnerability was ever exploited.

To eliminate this vulnerability, we have now updated the Second Life servers to transmit the messages over an encrypted channel (HTTPS). Now that the server upgrade is complete, we are releasing updated viewers that only accept these messages when transmitted over an encrypted channel. Once you have downloaded the update, if a malicious third party were to attempt to send messages over the old channel (UDP), they would be ignored.
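The channel rule from the paragraph above, as an added example that is not the viewer's own code: session-sensitive messages are honoured only when they arrive over the authenticated, encrypted HTTPS channel, and the same request arriving over UDP is ignored and logged. The message names, the session value and the `require_secure_channel` switch are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed message names for this example; they are placeholders, not the
# real Second Life protocol message names.
SESSION_SENSITIVE = {"SessionDetailsRequest", "PaymentRequest"}


@dataclass
class InboundMessage:
    name: str
    transport: str       # "https" (server-authenticated, encrypted) or "udp"
    payload: Dict[str, str]


@dataclass
class Viewer:
    session_id: str                       # constructed placeholder value
    require_secure_channel: bool = True   # False reproduces the pre-update behaviour
    audit_log: List[str] = field(default_factory=list)

    def handle(self, msg: InboundMessage) -> Optional[Dict[str, str]]:
        """Dispatch one inbound message; return the reply, or None if dropped."""
        if msg.name in SESSION_SENSITIVE and msg.transport != "https":
            if self.require_secure_channel:
                # Post-update rule: a UDP datagram carries nothing that proves it
                # came from the server, so the request is ignored, not answered.
                self.audit_log.append(f"dropped {msg.name} over {msg.transport}")
                return None
            # Pre-update behaviour: the message was trusted on the strength of
            # its apparent source address alone, which is what the update removed.
        return self._process(msg)

    def _process(self, msg: InboundMessage) -> Dict[str, str]:
        if msg.name == "SessionDetailsRequest":
            return {"session_id": self.session_id}
        if msg.name == "PaymentRequest":
            return {"status": "forwarded", "amount": msg.payload.get("amount", "0")}
        return {"ack": msg.name}          # ordinary, non-sensitive traffic


if __name__ == "__main__":
    viewer = Viewer(session_id="sess-example-0001")
    for transport in ("https", "udp"):
        reply = viewer.handle(InboundMessage("SessionDetailsRequest", transport, {}))
        print(f"{transport}: {reply}")
    print(viewer.audit_log)
```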

Again, we have no indication to date that this security issue has ever been exploited or is being exploited currently. However, we strongly encourage Second Life Residents to update to the latest viewer with the security patches in place. The viewers are:

We have not provided a security update to older viewers (such as the 1.19 series) which are older than the officially supported Second Life viewer. To take advantage of this security update, we do encourage Residents using version 1.19 to update if possible to version 1.20.16. However, this upgrade is not mandatory in order to continue to use Second Life. An old viewer will alert you that a new version is available.

The updated source code for these new 1.20 and 1.21 RC viewers is being made available via the usual open source channels.

For discussion about the issue, please visit the Second Life Forum: http://forums.secondlife.com/forumdisplay.php?f=350