[sldev] Security Update to SL Viewers and source code
Ramzi
ramzi at lindenlab.com
Fri Sep 26 13:11:03 PDT 2008
Hi SLDEVelopers,
I wanted to mention directly to the SLDEV list that Linden Lab released
a security update to the official and Release Candidate viewers to
address a potential security issue. Updated source code is available at:
http://wiki.secondlife.com/wiki/Source_downloads
The full text of the announcement to Second Life Residents is on the
Status Page of secondlifegrid.net,
and repeated here below for your convenience.
Kind regards,
Ramzi Linden
http://status.secondlifegrid.net/2008/09/26/post256/
*Security Update to Second Life viewers: 26 Sept 2008*
Linden Lab has released an optional update to the Second Life viewers
today to address a potential security issue. Recently an audit
identified a possible vulnerability. If a malicious user were able to
obtain the IP address and port of a Resident’s viewer, then the
malicious user could forge data packets to the Resident’s computer. This
could be done in a way to cause the viewer to return enough information
about its session to allow the attacker to initiate various server-side
operations as if they were the Resident, including L$ transactions.
In the case of L$ transactions, this action would be visible to you: if
this were to occur, the viewer would report the transaction after it
occurred in the normal blue dialog box. Also, you are always able to
inspect the transaction log to see recent transactions. This would allow
you to notice and report these actions for violating the Second Life
Terms of Service.
This type of malicious action would constitute a violation of the Terms
of Service, and would be against the law in some locations. At this time
we have no evidence that this vulnerability was ever exploited.
To eliminate this vulnerability, we have now updated the Second Life
servers to transmit the messages over an encrypted channel (HTTPS). Now
that the server upgrade is complete, we are releasing updated viewers
that only accept these messages when transmitted over an encrypted
channel. Once you have downloaded the update, if a malicious third party
were to attempt to send messages over the old channel (UDP), they would
be ignored.
Again, we have no indication to date that this security issue has ever
been exploited or is being exploited currently. However, we strongly
encourage Second Life Residents to update to the latest viewer with the
security patches in place. The viewers are:
* Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on
July 24th)
* Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and
includes additional bug fixes as part of the usual release candidate cycle)
Older viewers (such as the 1.19 series) are not being required to
upgrade to version 1.20.16, but we encourage Residents to update if
possible to take advantage of the latest bug and security fixes.
The updated source code for these new 1.20 and 1.21 RC viewers is being
made available via the usual open source channels.
For discussion about the issue, please visit the Second Life Forum:
http://forums.secondlife.com/forumdisplay.php?f=350
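The fix described above binds session-sensitive messages to the authenticated channel. As an added illustration (not Linden Lab's code, and using constructed message names rather than the viewer's real message set), here is a small viewer-side dispatcher that accepts such messages only over HTTPS and drops, logs and counts copies that arrive over the legacy UDP path:

```python
"""Transport-bound message acceptance, modelled on the described fix.
Message names, fields and addresses are constructed for this example."""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("viewer.dispatch")

# Constructed policy table: messages that can make the viewer disclose
# session details, and so must come over the authenticated transport.
SENSITIVE_MESSAGES = {"SessionDetailsRequest", "AgentCapabilitiesRequest"}


@dataclass
class Message:
    name: str
    transport: str   # "udp" (legacy, unauthenticated) or "https"
    src: str         # sender address as seen by the viewer


@dataclass
class Dispatcher:
    handled: list = field(default_factory=list)
    dropped: list = field(default_factory=list)  # audit trail for reporting

    def dispatch(self, msg: Message) -> bool:
        """Return True if handled, False if rejected by the transport policy."""
        if msg.name in SENSITIVE_MESSAGES and msg.transport != "https":
            # Before the fix, knowing the viewer's IP and port was enough to
            # reach this code path; now the legacy channel cannot trigger it.
            log.warning("dropping %s over %s from %s", msg.name, msg.transport, msg.src)
            self.dropped.append((msg.name, msg.transport, msg.src))
            return False
        self.handled.append(msg.name)
        return True


def run_sample() -> tuple:
    """Constructed traffic: a forged UDP request, the same request over HTTPS,
    and an ordinary UDP update that the policy leaves untouched."""
    d = Dispatcher()
    for m in (
        Message("SessionDetailsRequest", "udp", "198.51.100.7:13000"),  # forged
        Message("SessionDetailsRequest", "https", "sim.example:443"),   # legitimate
        Message("AgentUpdate", "udp", "198.51.100.7:13000"),            # benign
    ):
        d.dispatch(m)
    return len(d.handled), len(d.dropped)   # (2, 1)
```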