Security Update to Second Life viewers: 2008-10-06
|
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
|
10-06-2008 18:32
Today, we released an important update that improves the security of the Second Life viewer for all Residents. This update eliminates a recently discovered issue, and we’re requiring that all Residents download and install it to ensure that everyone remains secure while using Second Life. You will be prompted to download and install the update when you log in, or you can get it from this Downloads page:
http://secondlife.com/support/downloads.php
More details about the improvements included in this update are available below.
-----
Linden Lab has released a Security Update to the Second Life viewer software today to address a potential security issue. This Security Update includes an additional security patch related to the Security Update issued on 26-Sept-2008.
Available for:
Second Life Viewer 1.20.15 / 1.20.16
Second Life Release Candidate Viewer 1.21.4
Description:
We recently updated the Second Life server and viewers to enhance the communications code. All transfer operations are now restricted to files that the user has expressly chosen, and specific directories that the viewer uses for transferring data. For the safety of all Second Life users, we are releasing this updated viewer to all Residents.
Potential vulnerabilities had been identified in those message communications directed at a Second Life viewer over the previous protocol. By taking advantage of this vulnerability, while extremely difficult technically, a malicious user could potentially use the viewer to access files on the victim’s computer. We currently have no evidence of this vulnerability ever being exploited.
This Security Update 2008-10-06 is required to continue to log in to Second Life. By downloading the update, you will upgrade the software on your computer to version 1.20.17:
* Second Life Release Viewer 1.20.17
For Residents who use the Release Candidate viewer, you are required to update to RC5, which also includes other latest bug fixes:
* Second Life Release Candidate Viewer 1.21 RC5
Earlier versions of Second Life (1.19.1, 1.19, and before) include the serious vulnerabilities and are no longer supported. You will be prompted to upgrade to the latest version on your next login.
For any Residents who prefer / have been using earlier versions that do not include WindLight rendering, we have created a page on the Second Life Wiki that explains how to turn all related graphics settings to “Low,” effectively turning off WindLight in the current official viewer:
https://wiki.secondlife.com/wiki/Turn_off_WindLight_rendering
The source code for these new 1.20 and 1.21 RC5 viewers will be made available via the usual open source channels.
|
Latif Khalifa
Registered User
Join date: 28 Oct 2006
Posts: 12
|
10-06-2008 18:44
Will alternative viewers using different channel be locked out too?
|
Winter Ventura
Eclectic Randomness
Join date: 18 Jul 2006
Posts: 2,579
|
10-06-2008 18:44
Do these security issues affect users of non-LL clients? (Nicholaz, CoolSL, Restrained-Life, etc).
On a similar and related note.. Are libSecondlife-based clients (like JVA Bot, Sleek, MetaBot, etc) in jeopardy of the same kind of exploits?
What sorts of "safety tips" can you provide to people connecting via these older/alternate clients, who may be unwilling, or due to graphics issues or bot-status are unable, to switch over to the new client?
_____________________
 ● Inworld Store: http://slurl.eclectic-randomness.com ● Website: http://www.eclectic-randomness.com ● Twitter: @WinterVentura
|
Wildefire Walcott
Heartbreaking
Join date: 8 Nov 2005
Posts: 2,156
|
10-06-2008 18:46
From: Latif Khalifa
Will alternative viewers using different channel be locked out too?
That's the first thing I thought. I have to use Nicholaz (which is based on a year-old SL client) because the new client melts my computer.
|
Prospero Frobozz
Astronerd
Join date: 10 Feb 2006
Posts: 164
|
10-06-2008 19:10
Potentially other clients are vulnerable. It will depend on the details of those clients. We will have a new open source code drop soon with the fixes in it; anybody who has distributed a client based off of that open source code drop would be strongly advised to apply the patch. You will need to contact the people who build and maintain the clients other than the official SL viewers to get patched versions.
If you *must* use a vulnerable client-- and we strongly recommend against this-- connect only to SL or to trusted OpenSim sites; do not connect to random OpenSim servers unless they are run by people whom you specifically trust. You must also disable your streams entirely in preferences (both audio and media), to protect your IP address.
Please do see the wiki page on adjusting the settings for the 1.20 client. I know I found myself that I actually did better with Windlight on a very low-spec machine. I know that doesn't mean necessarily everybody else will, but give it a try.
_____________________
--- Prospero Frobozz (http://slprofiles.com/slprofiles.asp?id=6307) aka Rob Knop (http://www.pobox.com/~rknop)
|
Prospero Linden
Linden Lab Employee
Join date: 6 Aug 2007
Posts: 315
|
10-06-2008 19:11
Potentially other clients are vulnerable. It will depend on the details of those clients. We will have a new open source code drop soon with the fixes in it; anybody who has distributed a client based off of that open source code drop would be strongly advised to apply the patch. You will need to contact the people who build and maintain the clients other than the official SL viewers to get patched versions.
If you *must* use a vulnerable client-- and we strongly recommend against this-- connect only to SL or to trusted OpenSim sites; do not connect to random OpenSim servers unless they are run by people whom you specifically trust. You must also disable your streams entirely in preferences (both audio and media), to protect your IP address.
Please do see the wiki page on adjusting the settings for the 1.20 client. I know I found myself that I actually did better with Windlight on a very low-spec machine. I know that doesn't mean necessarily everybody else will, but give it a try.
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
10-06-2008 19:11
From: Ramzi Linden
We recently updated the Second Life server and viewers to enhance the communications code. All transfer operations are now restricted to files that the user has expressly chosen, and specific directories that the viewer uses for transferring data. For the safety of all Second Life users, we are releasing this updated viewer to all Residents.
The highlighted bit has me a little confused here, Ramzi. You're talking about things like the cache or install location? What about locations where things like textures are uploaded-to/downloaded-from? There's some bit of context that I think I'm missing here.. Glad to see this fixed. I know y'all have been saying that this stuff is really unlikely to happen but thanks (and to Prospero, too) for working the weekend anyway.
|
Paulo Dielli
Symfurny Furniture
Join date: 19 Jan 2007
Posts: 780
|
10-06-2008 19:12
Update is working fine. Thanks.
|
Baba Yamamoto
baba@slinked.net
Join date: 26 May 2003
Posts: 1,024
|
10-06-2008 19:13
From: Winter Ventura
Do these security issues affect users of non-LL clients? (Nicholaz, CoolSL, Restrained-Life, etc).
On a similar and related note.. Are libSecondlife-based clients (like JVA Bot, Sleek, MetaBot, etc) in jeopardy of the same kind of exploits?
What sorts of "safety tips" can you provide to people connecting via these older/alternate clients, who may be unwilling, or due to graphics issues or bot-status are unable, to switch over to the new client?
They could affect non-LL clients. Likely all of the viewers that use an older codebase such as Nicholaz, unless they have been updated recently to address this issue. The Meerkat viewer updated this weekend and is no longer vulnerable. Older libsecondlife-based clients may also be vulnerable to this issue under some conditions, but it isn't certain that they are. A release of libopenmetaverse (new name of libsecondlife) is due out some time this week that addresses this issue, but it is not a drop-in replacement for most bot apps. The only thing you can do if you are unable to update for some reason is to run a proxy in front of your client or bots and block the UDP packets that allow an attacker to get your session information.
_____________________
Open Metaverse Foundation - http://www.openmetaverse.org
Meerkat viewer - http://meerkatviewer.org
|
Digital Digital
Registered User
Join date: 4 Nov 2006
Posts: 71
|
10-06-2008 19:20
Thank you, Linden Lab, for your fast speed in getting this big issue fixed!
Appreciate all the hard work!
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
10-06-2008 19:21
Are we still using UDP following this update?
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them.
I can be found on the web by searching for "SuezanneC Baskerville", or go to
http://www.google.com/profiles/suezanne
-
http://lindenlab.tribe.net/ created on 11/19/03.
Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan
-
|
Viktoria Dovgal
…
Join date: 29 Jul 2007
Posts: 3,593
|
10-06-2008 19:30
From: Sindy Tsure
You're talking about things like the cache or install location? What about locations where things like textures are uploaded-to/downloaded-from? There's some bit of context that I think I'm missing here..
More from the release notes that might help explain:
From: someone
* Discard file transfer message sent over UDP
* Don't send file transfer messages to simulators over UDP
* Block file transfer of paths containing ".."
If .. was in there, apparently the viewer could be tricked into sending all sorts of arbitrary files :/
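The two rules quoted from the release notes (transfers limited to files the user expressly chose or to the viewer's own transfer directories, and refusal of any path containing "..") can be modelled as a single allow-list check. The block below is an added example and is not code from the Second Life viewer or from Linden Lab; the directory names under `/home/resident/.secondlife` and the sample requests are constructed for illustration. It goes one step beyond the literal ".." rule: after normalising the path it also requires the result to sit inside an allowed directory, which catches the prefix trick where `cache_evil/` shares a prefix with `cache/` but is not inside it.

```python
"""Allow-list check for viewer file transfers.

Added example, not code from the Second Life viewer. It models the two rules
quoted above from the release notes: a transfer may only touch a file the
user expressly chose, or a file inside a directory the viewer reserves for
transfers, and any path with a ".." component is refused outright.
"""
import posixpath
from typing import Iterable, List, Tuple

# Hypothetical transfer directories; the real viewer's paths are not on the page.
ALLOWED_DIRS = (
    "/home/resident/.secondlife/cache",
    "/home/resident/.secondlife/logs",
)


def has_dotdot(path: str) -> bool:
    """Release-note rule: refuse any path that has a '..' path component.

    Checking components rather than the raw substring keeps a legitimate
    file name such as 'notes..txt' from being rejected.
    """
    return ".." in path.split("/")


def under_dir(path: str, root: str) -> bool:
    """True if the normalised path lies inside root.

    The trailing '/' matters: '/x/cache_evil/a' shares the prefix '/x/cache'
    but is not inside it.
    """
    norm_path = posixpath.normpath(path)
    norm_root = posixpath.normpath(root)
    return norm_path == norm_root or norm_path.startswith(norm_root + "/")


def check_transfer(path: str, chosen_files: Iterable[str],
                   allowed_dirs: Iterable[str] = ALLOWED_DIRS) -> Tuple[bool, str]:
    """Decide whether a requested transfer path may be opened.

    Returns (allowed, reason) so the reason can be logged for later review.
    """
    if not path.startswith("/"):
        return False, "relative path"
    if has_dotdot(path):
        return False, "path contains '..'"
    norm = posixpath.normpath(path)
    if norm in {posixpath.normpath(f) for f in chosen_files}:
        return True, "file expressly chosen by the user"
    for root in allowed_dirs:
        if under_dir(norm, root):
            return True, "inside viewer transfer directory " + root
    return False, "outside every allowed location"


def transfer_allowed(path: str, chosen_files: Iterable[str]) -> bool:
    """Boolean convenience wrapper around check_transfer."""
    return check_transfer(path, chosen_files)[0]


def audit(requests: Iterable[str], chosen_files: Iterable[str]) -> List[Tuple[str, bool, str]]:
    """Run every request through the check; handy for reviewing a batch."""
    chosen = list(chosen_files)
    return [(p,) + check_transfer(p, chosen) for p in requests]


# Constructed sample: one file the user picked, plus requests a remote peer
# might send, including a traversal attempt and a prefix trick.
CHOSEN = ["/home/resident/Pictures/avatar.png"]
REQUESTS = [
    "/home/resident/.secondlife/cache/texture.j2c",
    "/home/resident/Pictures/avatar.png",
    "/home/resident/.secondlife/cache/../../.ssh/id_rsa",
    "/home/resident/.secondlife/cache_evil/texture.j2c",
    "/home/resident/.ssh/id_rsa",
    "cache/texture.j2c",
]

if __name__ == "__main__":
    for path, ok, why in audit(REQUESTS, CHOSEN):
        print(("ALLOW " if ok else "REFUSE") + " " + path + "  (" + why + ")")
```

Only the first two sample requests pass. A real viewer would resolve symlinks (for example with `os.path.realpath`) before the containment check, since pure string normalisation cannot see a link inside the cache directory that points elsewhere; the reason strings are returned rather than printed so a refused request can be written to the viewer log for later investigation.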
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
10-06-2008 20:06
LL says they have no evidence of this security breach having been used.
Is there any reason to think they would have any evidence of it having been used?
If someone accessed your hard drive and found where you store your passwords and social security numbers and such in plain text, and waited a few months before using them, would there be any way to tell where they got your information from?
|
Rachel Corleone
Registered User
Join date: 9 Oct 2006
Posts: 21
|
Mac client still crashes in Search
10-06-2008 20:10
I've been using 1.19 for months because it's the only way I can use Search on my Mac. The 1.20 viewer hangs and exits whenever the Search button is pressed. This has still not been fixed. And since I can now no longer use 1.19, no more Search for me.
This makes coming to SL much less appealing.
R.C.
|
Jahar Aabye
Registered User
Join date: 14 Mar 2007
Posts: 58
|
10-06-2008 20:10
Presumably the information would be transferred over SL's servers. It is likely (although not necessarily the case) that Linden Labs has not yet observed any strange packets being passed over their networks, but who knows.
|
Cinco Pizzicato
Registered User
Join date: 20 Oct 2007
Posts: 30
|
10-06-2008 20:13
Allow me to educate Linden Labs about security on a Macintosh:
Do *not* mount a disk image and then perform a copy without asking me. In fact, just distribute the disk image. We Mac folk are smart. And in fact part two: Just tell me to do the download and I will manage the file system of my computer on my own, thank you very much.
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
10-06-2008 20:15
Has this vulnerability been present since day 0?
If this info was going through LL and being received by a modified SL viewer would it have been stored in a notecard or arrive as a skin or what?
|
Eddy Stryker
libsecondlife Developer
Join date: 6 Jun 2004
Posts: 353
|
10-06-2008 20:58
From: Winter Ventura
Do these security issues affect users of non LL clients? (Nicholaz, CoolSL, Restrained-Life, etc). On a similar and related note.. Are libSecondlife-based clients (like JVA Bot, Sleek, MetaBot, etc) in jeopardy of the same kind of exploits? What sorts of "safety tips" can you provide to people connecting via these older/alternate clients, who may be unwilling, or due to graphics issues or bot-status are unable, to switch over to the new client?
The issues are fixed in libopenmetaverse (formerly libsecondlife) SVN, and a new 0.6.0 release is being pushed out this week.
_____________________
http://www.libsecondlife.org
From: someone
Evidently in the future our political skirmishes will be fought with push weapons and dancing pantless men. -- Artemis Fate
|
Ann Launay
Neko-licious™
Join date: 8 Aug 2006
Posts: 7,893
|
10-06-2008 21:52
From: Ramzi Linden For any Residents who prefer / have been using earlier versions that do not include WindLight rendering, we have created a page on the Second Life Wiki that explains how to turn all related graphics settings to “Low,” effectively turning off WindLight in the current official viewer:
This so doesn't work. Do this and you're stuck with the default lighting, which is NOT comparable to what was on the non-WL viewers and, in fact, is not actually usable if you want any quality of experience. "OK, you can have ugly blotchy shadows, walk around in the dark, or glow orange...woohoo!" 
_____________________
~Now Trout Re-Re-Re-Certified!~ From: someone I am bumping you to an 8.5 on the Official Trout Measuring Instrument of Sluttiness. You are an enigma - on the one hand a sweet, gentle, intelligent woman who we would like to wrap up in our arms and protect, and on the other, a temptress to whom we would like to do all sorts of unmentionable things.
Congratulations and shame on you! You are a bit of a slut.
|
tx Oh
Registered User
Join date: 10 May 2007
Posts: 13
|
10-06-2008 22:16
Where can I find the release notes?
|
Syriel Morane
Registered User
Join date: 23 May 2008
Posts: 4
|
Can't Log In Due To Viewer
10-06-2008 22:22
Thanks Linden Labs for putting me out of business and wasting hundreds of dollars. Last time you did one of these FORCED updates I couldn't log in for a week...and it cost me...this time I have lots of land and if I cannot log in soon I will not be able to pay my tier and be evicted...
Thanks Linden Labs for being so understanding. BTW, security is just fine without shutting out thousands of residents...
|
Boy Lane
Evil Dolly
Join date: 8 May 2007
Posts: 690
|
Cool Viewer
10-06-2008 23:09
I put a security advisory on my blog for the users of Cool Viewer. CV does not (!) require you to do the mandatory update. It will be patched as soon as the sources become available. For the time being please connect only to SL or trusted OpenSim sites as Prospero suggested and disable all media streams.
|
Abigail Merlin
Child av on the lose
Join date: 25 Mar 2007
Posts: 777
|
10-07-2008 00:04
From: Syriel Morane
Thanks Linden Labs for putting me out of business and wasting hundreds of dollars. Last time you did one of these FORCED updates I couldn't log in for a week...and it cost me...this time I have lots of land and if I cannot log in soon I will not be able to pay my tier and be evicted...
Thanks Linden Labs for being so understanding. BTW, security is just fine without shutting out thousands of residents...
Try adding --channel "blah" to the shortcut or use an alternative viewer, or figure out why you can't run the new viewer and update your PC if that turns out to be the problem. Personally I would go for the alternate viewer option because those have other fixes too, making SL more stable and fun.
|
Sylvia Sonoda
Registered User
Join date: 24 May 2008
Posts: 20
|
10-07-2008 01:16
From: Prospero Linden
......... Please do see the wiki page on adjusting the settings for the 1.20 client. I know I found myself that I actually did better with Windlight on a very low-spec machine. I know that doesn't mean necessarily everybody else will, but give it a try.
Yeah, but what about the people who HATE the new interface (change of friends button and too big IM windows) so much that we do not want to use a newer version and then simply switch off WindLight? LL listened to the people about the UI but still did the changes they liked themselves. And the Nicholaz viewer runs way way better on lower-end machines (due to still-around memory leaks, I guess.) I work in SL full-time and need a reliable workhorse viewer, not a good-looking, slow, crashing, sometimes-working one. That is why I, and thousands of others, are on "Nicholaz Bleeding Edge" based on the 1.18 LL viewer. This is another hit on the head and LL is wondering why OpenSim products are getting so popular.
_____________________
www.otherland-estate.com
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-07-2008 01:17
From: SuezanneC Baskerville
Has this vulnerability been present since day 0?
Probably has; maybe someone has only recently worked out how to exploit it, or they are exploiting it on people's unprotected accounts as we complain?
_____________________
Level 38 Builder [Roo Clan]
Free Waterside & Roadside Vehicle Rez Platform, Desire (88, 17, 107)
Avatars & Roadside Seaview shops and vendorspace for rent, $2.00/prim/week, Desire (175,48,107)
|