Security Update to Second Life viewers: 26 Sept 2008
|
|
Rhaorth Antonelli
Registered User
Join date: 15 Apr 2006
Posts: 7,425
|
09-26-2008 12:44
WOW I am surprised I have not already seen a thread about this.....
just.... WOW!!
*SNIP* Linden Lab has released an optional update to the Second Life viewers today to address a potential security issue. Recently an audit identified a possible vulnerability. If a malicious user were able to obtain the IP address and port of a Resident’s viewer, then the malicious user could forge data packets to the Resident’s computer. This could be done in a way to cause the viewer to return enough information about its session to allow the attacker to initiate various server-side operations as if they were the Resident, including L$ transactions.
In the case of L$ transactions, this action would be visible to you: if this were to occur, the viewer would report the transaction after it occurred in the normal blue dialog box. Also, you are always able to inspect the transaction log to see recent transactions. This would allow you to notice and report these actions for violating the Second Life Terms of Service.
This type of malicious action would constitute a violation of the Terms of Service, and would be against the law in some locations. At this time we have no evidence that this vulnerability was ever exploited. *SNIP*
see the rest on the grid status blog
_____________________
From: someone Morpheus Linden: But then I change avs pretty often too, so often, I look nothing like my avatar.  They are taking away the forums... it could be worse, they could be taking away the forums AND Second Life...
|
|
Rhaorth Antonelli
Registered User
Join date: 15 Apr 2006
Posts: 7,425
|
09-26-2008 12:48
official linden discussion thread in the forums here /350/1.html
|
|
Destiny Niles
Registered User
Join date: 23 Aug 2006
Posts: 949
|
09-26-2008 12:52
/me will never listen to another music stream again.
|
|
Briana Dawson
Attach to Mouth
Join date: 23 Sep 2003
Posts: 5,855
|
09-26-2008 12:56
Oh yea, and your I.P. address is not worth protecting and cannot be used against you, right? We hear that over and over again here.
|
|
Rhaorth Antonelli
Registered User
Join date: 15 Apr 2006
Posts: 7,425
|
09-26-2008 12:58
yep
thankfully this is not a way for them to get the IP
but they can get it plenty of other ways; just post on a 3rd party forum and they have it. people can use tools to get it if they really want it badly enough
I don't have tons of lindens in my account, however I will be getting the new client to protect what I do have.
remember... it CAN happen to you
|
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
09-26-2008 13:08
The part where Ramzi says this bogus transaction will be ignored if you have a new viewer sorta puzzles me.
Shouldn't this be "will raise lots of red flags back at LL!!" instead of "will be ignored." ??
|
|
Phil Deakins
Prim Savers = low prims
Join date: 17 Jan 2007
Posts: 9,537
|
09-26-2008 13:12
Getting a person's IP address wouldn't have been a security breach - they are not secret. To make use of the exploit, a person would also have needed the port number. What the blog didn't say is whether or not SL viewers all use the same port number.
|
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
09-26-2008 13:18
Is this exploit apparent in the current official viewer, or does it go back, to older viewers some of us may be using?
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com
|
|
Phil Deakins
Prim Savers = low prims
Join date: 17 Jan 2007
Posts: 9,537
|
09-26-2008 13:20
From: Brenda Connolly
> Is this exploit apparent in the current official viewer, or does it go back, to older viewers some of us may be using?

The blog wasn't specific about that, but the inference is that it applies to all older viewers - they recommended getting the new one for older viewers too.
|
|
Damien1 Thorne
Registered User
Join date: 26 Aug 2007
Posts: 4,877
|
09-26-2008 13:21
From: Brenda Connolly
> Is this exploit apparent in the current official viewer, or does it go back, to older viewers some of us may be using?

Blog says older viewers aren't affected.

From: Status Page
> Older viewers (such as the 1.19 series) are not being required to upgrade to version 1.20.16, but we encourage Residents to update if possible to take advantage of the latest bug and security fixes.
_____________________
As we fade into the darkness...
|
|
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
|
09-26-2008 13:22
From: Brenda Connolly
> Is this exploit apparent in the current official viewer, or does it go back, to older viewers some of us may be using?

I'm thinking it goes back to every viewer as it seems to be a protocol issue and from what I've read LL is very reluctant to change the communications protocol, and has only done it a few times in SL's history, due to the impact it has on older viewers (the previous times all required updates I believe) and as well as how much work it is to do so and to push out the change to everyone.
_____________________
Twitter: http://www.twitter.com/GWendt Plurk: http://www.plurk.com/GordonWendt GW Designs: XStreetSL
|
|
Rhaorth Antonelli
Registered User
Join date: 15 Apr 2006
Posts: 7,425
|
09-26-2008 13:25
From: Damien1 Thorne
> Blog says older viewers aren't affected.

where does it say that? the only mention I see of the old viewers is this...

"Older viewers (such as the 1.19 series) are not being required to upgrade to version 1.20.16, but we encourage Residents to update if possible to take advantage of the latest bug and security fixes."

which to me means if you are using the older viewers, you will not be prompted to update (ie required) but you should anyway (if they are encouraging residents to update, then my guess would be that it means all viewers are affected)
|
|
Phil Deakins
Prim Savers = low prims
Join date: 17 Jan 2007
Posts: 9,537
|
09-26-2008 13:26
From: Damien1 Thorne
> Blog says older viewers aren't affected.

I don't see that in the blog. What I do see is this:-

From: someone
> Older viewers (such as the 1.19 series) are not being required to upgrade to version 1.20.16, but we encourage Residents to update if possible to take advantage of the latest bug and security fixes.

No viewers are required to be upgraded, and from that it does appear that the exploit can be done with older viewers.
|
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
09-26-2008 13:39
Oh well. You pays your money, you takes your chances. I'm sticking with the BEw. I'll just have to keep the balance in my account low.
|
|
Ann Launay
Neko-licious™
Join date: 8 Aug 2006
Posts: 7,893
|
09-26-2008 14:45
Meh, their phrasing pretty much always fails the clarity test, but it sounds to me like the 1.20s are the ones actually affected by this exploit and they're encouraging upgrades on older viewers for OTHER bug and security fixes.
_____________________
~Now Trout Re-Re-Re-Certified!~ From: someone I am bumping you to an 8.5 on the Official Trout Measuring Instrument of Sluttiness. You are an enigma - on the one hand a sweet, gentle, intelligent woman who we would like to wrap up in our arms and protect, and on the other, a temptress to whom we would like to do all sorts of unmentionable things.
Congratulations and shame on you! You are a bit of a slut.
|
|
Phil Deakins
Prim Savers = low prims
Join date: 17 Jan 2007
Posts: 9,537
|
09-26-2008 15:04
From: Ann Launay
> Meh, their phrasing pretty much always fails the clarity test, but it sounds to me like the 1.20s are the ones actually affected by this exploit and they're encouraging upgrades on older viewers for OTHER bug and security fixes.

I don't see that either. The upgrade to older viewers specifically says "... and security fixes".
|
|
Ann Launay
Neko-licious™
Join date: 8 Aug 2006
Posts: 7,893
|
09-26-2008 15:54
From: Phil Deakins
> I don't see that either. The upgrade to older viewers specifically says "... and security fixes".

This isn't the only security fix they've ever done, just the most recent one.
|
|
Phil Deakins
Prim Savers = low prims
Join date: 17 Jan 2007
Posts: 9,537
|
09-26-2008 15:56
From: Ann Launay
> This isn't the only security fix they've ever done, just the most recent one.

I'd still assume that the new one applies.
|
|
Ann Launay
Neko-licious™
Join date: 8 Aug 2006
Posts: 7,893
|
09-26-2008 16:08
From: Phil Deakins
> I'd still assume that the new one applies.

The way they separated out 'older viewers' is what makes me think differently, but you may be right. Like I said, clarity is not their strong point. *shrug*
|
|
Rhaorth Antonelli
Registered User
Join date: 15 Apr 2006
Posts: 7,425
|
09-26-2008 16:19
I tend to think it affects all viewers
and those using older (and newer) viewers who choose to not update the viewer then get burned by this, will be the ones who complain the loudest and blame SL
|
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
09-26-2008 16:22
Some probably. Not all. At least not me. I'll just keep little money in my account.
|
|
Dytska Vieria
+/- .00004™
Join date: 13 Dec 2006
Posts: 768
|
09-26-2008 16:34
This is a security fix for a vulnerability. I don't think an exploit exists in the wild for it at this time.
Personally, I think it would be very difficult to exploit this vulnerability because first, you would need an IP of a logged in Client. The ways of finding that have been discussed before so I will not get in to that. Then, once you have the IP, you must have a "carefully crafted packet" (i.e. part of the exploit) and hit that IP on every port until you find the source port the SL Client is waiting for a response on. This can be up to 65K different ports. Yes there are tools out there that can do the work, such as Metasploit, but without that "carefully crafted packet" part of it, not much can be done by the average script kiddie. Somebody that knew what they were doing could probably have a better chance at it. Good firewall software would alert that something is not right if a tool was hitting your host.
There will eventually be an exploit for this vulnerability and once it's released in the wild, it will be open season! When the July DNS cache poisoning vulnerability method to exploit a DNS was 'accidentally' released by the discoverer of the DNS vulnerability in his blog, this is exactly what happened.
So, take a chance and not upgrade if you want, but remember you have been warned!
_____________________
+/- 0.00004
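An added example, not part of the post above and not Linden Lab's code: the firewall alert the post mentions amounts to noticing one source touching many distinct UDP ports in a short time. The log format, addresses, window and threshold below are constructed assumptions.

```python
from collections import defaultdict, deque

def sample_log():
    """Constructed firewall log: '<epoch> UDP <src_ip>:<port> -> <dst_ip>:<port>'."""
    # Normal traffic: one remote host talking to the single port the client uses.
    lines = [f"{1000 + i * 0.5:.2f} UDP 198.51.100.7:13000 -> 192.0.2.10:50211"
             for i in range(40)]
    # Sweep: one remote host walking 200 consecutive destination ports in 2 s.
    lines += [f"{1005 + i * 0.01:.2f} UDP 203.0.113.9:40000 -> 192.0.2.10:{1024 + i}"
              for i in range(200)]
    return sorted(lines, key=lambda l: float(l.split()[0]))

def parse(line):
    """Return (timestamp, protocol, source IP, destination port)."""
    ts, proto, src, _, dst = line.split()
    return float(ts), proto, src.rsplit(":", 1)[0], int(dst.rsplit(":", 1)[1])

def find_sweeps(lines, window=5.0, max_ports=20):
    """Map each source IP that hit more than max_ports distinct UDP
    destination ports within `window` seconds to the largest count seen."""
    recent = defaultdict(deque)   # src -> (ts, port) pairs inside the window
    flagged = {}
    for line in lines:
        ts, proto, src, port = parse(line)
        if proto != "UDP":
            continue
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > max_ports:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in find_sweeps(sample_log()).items():
        print(f"ALERT {src} touched {count} UDP ports within 5 s")
```

Because UDP source addresses can be spoofed, a per-source count like this is a signal for alerting rather than proof of who sent the traffic.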
|
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
09-26-2008 16:36
From: Dytska Vieria
> This is a security fix for a vulnerability. I don't think an exploit exists in the wild for it at this time.
> Personally, I think it would be very difficult to exploit this vulnerability because first, you would need an IP of a logged in Client. The ways of finding that have been discussed before so I will not get in to that. Then, once you have the IP, you must have a "carefully crafted packet" (i.e. part of the exploit) and hit that IP on every port until you find the source port the SL Client is waiting for a response on. This can be up to 65K different ports. Yes there are tools out there that can do the work, such as Metasploit, but without that "carefully crafted packet" part of it, not much can be done by the average script kiddie. Somebody that knew what they were doing could probably have a better chance at it. Good firewall software would alert that something is not right if a tool was hitting your host.
> There will eventually be an exploit for this vulnerability and once it's released in the wild, it will be open season! When the July DNS cache poisoning vulnerability method to exploit a DNS was 'accidentally' released by the discoverer of the DNS vulnerability in his blog, this is exactly what happened.
> So, take a chance and not upgrade if you want, but remember you have been warned!

Better than not running SL at all, in my case anyway.
|
|
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
|
09-26-2008 16:47
Hi all. The problem affects all viewers. I'm the dude who discovered the problem, and I still say people shouldn't worry about IP addresses. The problem in this case was just the UDP messages are totally unencrypted, so they could be forged without any effort.
I'm very pleased to see the problem blogged about!
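An added example, not part of the post above and not a description of Linden Lab's fix: one general way a receiver can reject forged UDP datagrams is to require a per-session HMAC tag and a fresh sequence number on every message. The names `seal` and `Receiver`, the wire layout and the payload strings are hypothetical, and the key is assumed to be shared over an already authenticated login channel.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def seal(key, seq, payload):
    """Sender: 64-bit sequence number + payload, followed by an HMAC over both."""
    body = struct.pack("!Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, datagram):
        """Return the payload, or None if forged, altered or replayed."""
        if len(datagram) < 8 + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        (seq,) = struct.unpack("!Q", body[:8])
        # Strictly increasing numbers also drop reordered packets; a real
        # UDP protocol would keep a sliding window of recent numbers instead.
        if seq <= self.last_seq:
            return None
        self.last_seq = seq
        return body[8:]

def demo():
    """Outcome for a genuine datagram, a forgery, and a replay, in that order."""
    key = os.urandom(32)  # assumption: session key from the login exchange
    rx = Receiver(key)
    genuine = seal(key, 1, b"constructed: object update")
    forged = seal(os.urandom(32), 2, b"constructed: send session info")
    return [rx.verify(d) is not None for d in (genuine, forged, genuine)]

if __name__ == "__main__":
    print(demo())
```

A sender who can guess the IP address and port but does not hold the session key cannot produce a valid tag, so the receiver drops the datagram before acting on it.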
|
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
09-26-2008 17:12
Here is the latest word on older viewers:

From: Ramzi Linden
> This statement means to say that we have not applied the security patch to versions older than 1.20. We are allowing these Residents the choice to upgrade to the current viewer.
> The older viewers 1.19 / 1.19.1 still rely on a message from the simulator sent via UDP, which yes, is theoretically susceptible to such an exploit. I should mention that trying to utilize the vulnerability is extremely technically difficult to accomplish and is not something that is possible with remote code-execution. In other words an attacker needs to be actively engaging with your avatar to even begin to attempt the vulnerability. This would also be traceable on the server.
> We believe the risk is very low. We have provided these 1.20 / 1.21 viewer updates to close this vulnerability and so that all Residents may benefit from the latest bug and security fixes.
|