[sldev] Security Update to SL Viewers and source code

Ramzi ramzi at lindenlab.com
Fri Sep 26 13:11:03 PDT 2008


Hi SLDEVelopers,

I wanted to mention directly to the SLDEV list that Linden Lab released 
a security update to the official and Release Candidate viewers to 
address a potential security issue. Updated source code is available at:
http://wiki.secondlife.com/wiki/Source_downloads

The full text of the announcement to Second Life Residents is on the 
Status Page of secondlifegrid.net,
and repeated here below for your convenience.

Kind regards,
Ramzi Linden



http://status.secondlifegrid.net/2008/09/26/post256/

*Security Update to Second Life viewers: 26 Sept 2008*

Linden Lab has released an optional update to the Second Life viewers 
today to address a potential security issue. Recently an audit 
identified a possible vulnerability. If a malicious user were able to 
obtain the IP address and port of a Resident’s viewer, then the 
malicious user could forge data packets to the Resident’s computer. This 
could be done in a way to cause the viewer to return enough information 
about its session to allow the attacker to initiate various server-side 
operations as if they were the Resident, including L$ transactions.

In the case of L$ transactions, this action would be visible to you: if 
this were to occur, the viewer would report the transaction after it 
occurred in the normal blue dialog box. Also, you are always able to 
inspect the transaction log to see recent transactions. This would allow 
you to notice and report these actions for violating the Second Life 
Terms of Service.

This type of malicious action would constitute a violation of the Terms 
of Service, and would be against the law in some locations. At this time 
we have no evidence that this vulnerability was ever exploited.

To eliminate this vulnerability, we have now updated the Second Life 
servers to transmit the messages over an encrypted channel (HTTPS). Now 
that the server upgrade is complete, we are releasing updated viewers 
that only accept these messages when transmitted over an encrypted 
channel. Once you have downloaded the update, if a malicious third party 
were to attempt to send messages over the old channel (UDP), they would 
be ignored.

Again, we have no indication to date that this security issue has ever 
been exploited or is being exploited currently. However, we strongly 
encourage Second Life Residents to update to the latest viewer with the 
security patches in place. The viewers are:

* Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on 
July 24th)
* Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and 
includes additional bug fixes as part of the usual release candidate cycle)

Older viewers (such as the 1.19 series) are not being required to 
upgrade to version 1.20.16, but we encourage Residents to update if 
possible to take advantage of the latest bug and security fixes.

The updated source code for these new 1.20 and 1.21 RC viewers is being 
made available via the usual open source channels.

For discussion about the issue, please visit the Second Life Forum: 
http://forums.secondlife.com/forumdisplay.php?f=350
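An added illustration (not Linden Lab's viewer code) of the mitigation the announcement describes: messages whose replies expose session state are accepted only over the server-authenticated HTTPS channel, while the same message names arriving over spoofable UDP are dropped and logged. Message names, the `Router` class and the sample traffic are constructed placeholders, not Second Life's real message types.

```python
"""Transport-bound message dispatch, modelled on the described fix.

Assumptions (not from the announcement): the message names, the
`Router` abstraction and the sample traffic are all constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    UDP = "udp"      # unauthenticated: anyone who learns IP:port can forge it
    HTTPS = "https"  # server identity bound by TLS; forged packets are rejected


@dataclass
class Router:
    # Placeholder names for messages whose reply reveals session details.
    sensitive: frozenset = frozenset({"SessionInfoRequest", "BalanceRequest"})
    # False models the pre-patch viewer (sensitive messages on any channel).
    require_https_for_sensitive: bool = True
    dropped: list = field(default_factory=list)  # audit trail for review

    def dispatch(self, channel: Channel, name: str, source: str) -> str:
        """Return 'handled' or 'dropped'; drops are recorded for detection."""
        if (name in self.sensitive and self.require_https_for_sensitive
                and channel is not Channel.HTTPS):
            self.dropped.append(f"dropped {name} from {source} via {channel.value}")
            return "dropped"
        return "handled"


# Constructed traffic: a benign UDP message, a forged UDP request for
# session data (source address is attacker-chosen), and the legitimate
# HTTPS form of the same request. Addresses are documentation ranges.
TRAFFIC = [
    (Channel.UDP, "MovementUpdate", "198.51.100.7:13000"),
    (Channel.UDP, "SessionInfoRequest", "198.51.100.7:13000"),
    (Channel.HTTPS, "SessionInfoRequest", "sim.example.net"),
]


def simulate(patched: bool) -> list:
    """Run the sample traffic through a pre- or post-patch router."""
    router = Router(require_https_for_sensitive=patched)
    return [router.dispatch(ch, name, src) for ch, name, src in TRAFFIC]


if __name__ == "__main__":
    print("pre-patch :", simulate(patched=False))
    print("post-patch:", simulate(patched=True))
```

Only the UDP copy of the session request changes outcome; ordinary UDP traffic and the HTTPS copy are unaffected, which is why the update could be shipped without breaking existing sessions.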


