Security Update to Second Life viewers: 2008-10-06
|
Chalice Yao
Registered User
Join date: 30 Jan 2007
Posts: 14
|
10-07-2008 01:44
From: Sylvia Sonoda Yeah but what about the people who HATE the new interface (change of friends button and too big IM windows)
The Cool SL Viewer has lots of Nicholaz patches applied to it, along with the old interface, and is available on all platforms, 1.19, 1.20 and 1.21. Take a look.
|
Balp Allen
Registered User
Join date: 26 Mar 2007
Posts: 10
|
Code is still missing
10-07-2008 02:23
With a security fix the code would be really nice to have out quick...
|
Master Kane
Registered User
Join date: 16 May 2008
Posts: 11
|
Let's face it here....
10-07-2008 02:29
I am sorry to do this, but I am sick and tired of hearing a few things and people bragging.
Mac users:
For all you MAC users.... I have said this in the past and will continue to say this: you all need to stop your BS on which OS is better and which is worse. I personally use UNIX; let's see if you can do that, MAC users. Other than that, no one really cares anymore. Why? Because of things like this. All Windows users hear is how poor you are because you cannot BUY an OS, much less know how to work the one that you bought, AND, not to mention that you cannot HACK it like you can Linux or Mac OS. Yeah, great... maybe some of you can, but please, by all means.. we are sick of hearing about your Apple or Mac. I don't think that I've seen many Windows users go around bragging as much as you wannabes do.
Go to work for LL and / or shut up!
[Note] Not all are this way. Mainly and mostly children.
Second Life: LL has gone way too far this time. They are acting like MS is by FORCING you to an upgrade. 80% of the MS upgrades are not needed and still they force them upon us. Just like this one. There is no security issue; if there was they would tell us like they did in the past with, what was the last one... oh yeah... Quick time.. yeah.. see there... all over the sites.. I say we call (get their attention) LL on this and have them prove to us what the "security issue" IS... or supposed to be, since they are so open with other things MORE secure than software!?!
Viewer 1.20 to current 1.20.17: The shit still isn't fixed in this viewer. Inventory still botched up. Wouldn't you think they would FIX issues in a viewer before they released it??? Oh wait... yes I made several Jira reports about the inventory issue.. and still no resolution YET. Wake up LL and get busy on fixing your wonderful program before you run EVERYONE off and then LOSE your ass in $$$ and then blame someone else.
Inventory issue:
Step 1 > Open inventory.
Step 2 > Move inventory window to upper left or right of the screen.
Step 3 > Minimize inventory (NOT CLOSE); goes to lower left of screen (drag to upper right/left of screen).
Step 4 > Maximize inventory; goes back to upper right/left corner.
Step 5 > Minimize inventory. Goes BACK down to lower left of screen.
I don't know about some of you, but I do a lot of building, and when I need the inventory somewhere on my screen, that's where I want the damn thing. NOT where LL wants to put it. This used to work in ALL versions until Torley's BABY came out (1.20), which by the way is a piece of shit in my opinion. Half the crap doesn't work and I can give a shit less about the GD sunsets and all the pretty pictures. Bottom line here Linden Labs...... WHY DON'T YOU ASK US WHAT WE WANT INSTEAD OF FORCING CRAP ON ALL OF US AT THE SAME TIME. Granted that you have given us choices on SOME things that we can control, but not ALL the things WE NEED to control. I also understand that this is ALWAYS a work in progress... like one user said.. for sake of god.. slow down and make the code tight before releasing another botched viewer out.
This update would probably not even have been FORCED on anyone if you would have re-examined the code in the first place before releasing the previous viewer.
[ rant off ] have a nice day!
|
Viktoria Dovgal
…
Join date: 29 Jul 2007
Posts: 3,593
|
10-07-2008 02:31
From: Balp Allen With a security fix the code would be really nice to have out quick...
Yep, apparently they wanted to get the viewers out ASAP and needed an extra day to pack up sources. They did offer to get something out to maintainers of widely used third party viewers yesterday on request, public availability is supposed to happen some time today.
|
Boy Lane
Evil Dolly
Join date: 8 May 2007
Posts: 690
|
Think a bit further...
10-07-2008 02:48
Perhaps they care more than you think and want as many users as possible to update before they publish the vulnerability and open the doors for eventual attacks? This is a mandatory update unlike the last one. This means for me it is something serious that can be exploited. Perhaps there are also more security issues in the pipeline after all the server updates of the last days? LL offered the patch sources to developers of well known alternative viewers. It's not a secret. They simply don't make it available to everybody out there and that is probably a good thing. CV will likely be updated when Rob wakes up and reads his email. So calm down please.
|
Balp Allen
Registered User
Join date: 26 Mar 2007
Posts: 10
|
10-07-2008 03:49
From: Viktoria Dovgal Yep, apparently they wanted to get the viewers out ASAP and needed an extra day to pack up sources. They did offer to get something out to maintainers of widely used third party viewers yesterday on request, public availability is supposed to happen some time today.
I said it before: LL needs to fix their release handling, or more of the people around get more pissed.
|
Balp Allen
Registered User
Join date: 26 Mar 2007
Posts: 10
|
10-07-2008 03:53
From: Boy Lane Perhaps they care more than you think and want as many users as possible to update before they publish the vulnerability and open the doors for eventual attacks? This is a mandatory update unlike the last one. This means for me it is something serious that can be exploited.
The release note contains all that is needed to write the exploit; keeping the code away only slows down updates of viewers connected to the grid. IMHO LL doesn't do good security thinking here. But then I'm only a paranoid security expert. I was hoping to back port the fixes to the Nicholaz viewer and make the users of that happy. Well, as the code isn't there when I have time, it will have to wait; next possible day is Sunday I think.
|
Kara Spengler
Pink Cat
Join date: 11 Jun 2007
Posts: 1,227
|
10-07-2008 04:01
From: Cinco Pizzicato Allow me to educate Linden Labs about security on a Macintosh:
A bit more education ... They recently abandoned 10.3 macs .... suppose it is time to run Nicholaz on it so I will not get the "forced to upgrade" message.
|
Cincia Singh
Registered User
Join date: 26 Jun 2007
Posts: 79
|
10-07-2008 04:27
Nice upgrade LL ... works great, stable, and now even more secure. I'm on a mid-level PC not a gaming machine and all is right with my SL. If everyone with issues would a) document them and b) work with LL to fix them, I think you'd get back online sooner than posting rants in a forum. Ok enough forum time .. it's time to go back to playing.
(edit) Oh, and nice explanation for the rolling restarts!
|
JustAnAlt Magic
Registered User
Join date: 7 Oct 2008
Posts: 9
|
Where are the sources !?!?!?!
10-07-2008 05:25
From: Balp Allen IMHO LL doesn't do good security thinking here. But then I'm only a paranoid security expert.
Right on spot! Where are those sources when they are needed? Not everyone runs mainstream precompiled viewers, for different reasons, so source code NOW please (if it's such a disastrous security issue that there is a need to force an update... why not put the sources out FIRST?) !!!
|
Balp Allen
Registered User
Join date: 26 Mar 2007
Posts: 10
|
10-07-2008 06:30
From: JustAnAlt Magic Not everyone runs mainstream precompiled viewers, for different reasons, so source code NOW please (if it's such a disastrous security issue that there is a need to force an update... why not put the sources out FIRST?) !!!
Because LL does not yet, after all this time with OS release, have a working release handling for code and binaries. Something I discussed solutions for with Zero Linden about a year ago. LL needs a process where source for download and binaries are made at the same time with the same command. It should not be possible to make a binary release without releasing the code from the inside. Why? To minimize errors. Automagic in computers is good at making stuff like this right; for humans it's boring and repetitive. That kind of task we are extremely good at failing at.
|
Africa Auer
Registered User
Join date: 5 Sep 2008
Posts: 1
|
New download
10-07-2008 07:01
When I try to do this it stops abruptly! Although I have turned off all of my security shields and firewalls? Can you help! Won't let me connect unless I download!!
|
Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
|
10-07-2008 07:23
From: Prospero Linden Please do see the wiki page on adjusting the settings for the 1.20 client.
The settings as described on the Wiki page are *NOT* equivalent to the settings of the legacy renderer, because they tell to disable bump maps and shinies while these *ARE* available in v1.19.0 and previous versions...
From: someone I know I found myself that I actually did better with Windlight on a very low-spec machine. I know that doesn't mean necessarily everybody else will, but give it a try.
*Fact* is that at equivalent rendering quality (i.e. like described on the Wiki but *WITH* bump maps and shinies), the Windlight renderer is much slower (10 to 50% depending on the 3D environment of the sim) on "old" computers (single core processors and/or 7600GT or earlier graphic cards), while it is as fast or even slightly faster (10-30%) on modern hardware (dual cores or better, 8800GT or better).
Worst, with the Windlight renderer on an "old" computer, the frame rate in 3D demanding locations with lots of avatars (a night club, for example) drops down dramatically over time (in one hour or so you can drop from 15fps to an unusable 2fps !!!). This does *NOT* happen with the legacy renderer, or only after many hours (i.e. when the memory leaks start to take their toll).
This is why v1.19.0.5 is still the very best viewer for "old" (we are speaking of only 3 years old computers, here...) machines and why I think LL would be well inspired to keep maintaining v1.19.0.5, and at the very least with the security updates...
Henri.
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
10-07-2008 08:11
From: Henri Beauchamp The settings as described on the Wiki page are *NOT* equivalent to the settings of the legacy renderer, because they tell to disable bump maps and shinies while these *ARE* available in v1.19.0 and previous versions...
*Fact* is that at equivalent rendering quality (i.e. like described on the Wiki but *WITH* bump maps and shinies), the Windlight renderer is much slower (10 to 50% depending on the 3D environment of the sim) on "old" computers (single core processors and/or 7600GT or earlier graphic cards), while it is as fast or even slightly faster (10-30%) on modern hardware (dual cores or better, 8800GT or better).
Worst, with the Windlight renderer on an "old" computer, the frame rate in 3D demanding locations with lots of avatars (a night club, for example) drops down dramatically over time (in one hour or so you can drop from 15fps to an unusable 2fps !!!). This does *NOT* happen with the legacy renderer, or only after many hours (i.e. when the memory leaks start to take their toll).
This is why v1.19.0.5 is still the very best viewer for "old" (we are speaking of only 3 years old computers, here...) machines and why I think LL would be well inspired to keep maintaining v1.19.0.5, and at the very least with the security updates...
Henri.
But that wouldn't be "Pragmatic". LL is trying to make SL more "Relevant". They don't want average everyday people any more. They want the hardcore types who update their machines every 6 months, along with the Corporates. Also, I agree with your assessment of the WL to non WL viewer comparison, even if I don't fully grasp the terminology. It isn't the same and I wish people would stop propagating that myth.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
10-07-2008 08:15
From: Boy Lane I put a security advice on my blog for the users of Cool Viewer. CV does not (!) require you to do the mandatory update. It will be patched as soon as the sources become available. For the time being please connect only to SL or trusted OpenSim sites as Prospero suggested and disable all media streams.
I've installed the 19.0 version and it seems to be about as usable as the Nicholaz Be-w is on my machine. I didn't have time to do a lot with it yet, but so far so good.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com
|
White Hyacinth
Registered User
Join date: 15 Nov 2006
Posts: 353
|
10-07-2008 08:33
I am never happy with a mandatory update. But if we have to update due to security problems, LL has no other choice. Believe me my friends: If you get bitten by a security flaw you may be very sorry indeed!
Having said all that... Maybe it is time LL starts supporting older versions by releasing branched versions of those, containing all the old code plus ONLY the security fix.
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
10-07-2008 08:41
From: White Hyacinth Having said all that... Maybe it is time LL starts supporting older versions by releasing branched versions of those, containing all the old code plus ONLY the security fix.
Then people would complain that LL is spending too much time supporting too many versions. It's not free to forward support for old versions..
|
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
|
10-07-2008 08:50
From: White Hyacinth I am never happy with a mandatory update. But if we have to update due to security problems, LL has no other choice. Believe me my friends: If you get bitten by a security flaw you may be very sorry indeed!
Having said all that... Maybe it is time LL starts supporting older versions by releasing branched versions of those, containing all the old code plus ONLY the security fix.
Since Windlight is the major stumbling block for a lot of us, I don't see any reason why the latest non WL Official Viewer can't be supported indefinitely. Is it that difficult? Or does LL not value keeping that segment of its customer base enough to make the effort?
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.
http://brenda-connolly.blogspot.com
|
Balp Allen
Registered User
Join date: 26 Mar 2007
Posts: 10
|
10-07-2008 08:51
From: Boy Lane Perhaps they care more than you think and want as many users as possible to update before they publish the vulnerability and open the doors for eventual attacks? This is a mandatory update unlike the last one. This means for me it is something serious that can be exploited.
After back porting the patch to 1.19.4 now, I can say there is nothing in it that isn't in the release note to help an attacker with writing an exploit. The not so fun situation soon comes when I have my fixed Nicholaz build, but have to wait for LL to release the code before I can release my binaries, as it was requested I not share the trivial patch and I can't send out the binary fix without the source code according to GPL....
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
10-07-2008 09:01
From: Prospero Linden You must also disable your streams entirely in preferences (both audio and media), to protect your IP address. I recommend doing this anyway, unless you are on land owned by people you trust. There are unpleasant things that people can do once they know your IP address and your avatar's identity that aren't "security holes".
From: someone Please do see the wiki page on adjusting the settings for the 1.20 client. I know I found myself that I actually did better with Windlight on a very low-spec machine. I know that doesn't mean necessarily everybody else will, but give it a try.
Frame rate is not the only measure of quality. For example, Windlight without shaders disables water rendering completely... there's no fallback (say to Runitai's excellent depth-sensitive water) and the ocean becomes a flat blue plane. Is there any possibility of improving the fallback for Windlight water to something less bland?
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
10-07-2008 09:08
From: Cinco Pizzicato Allow me to educate Linden Labs about security on a Macintosh:
Do *not* mount a disk image and then perform a copy without asking me. Unfortunately, Apple has chosen to create the security horror known as "internet enabled disk images". Wait... Linden Labs doesn't use internet-enabled disk images. Oh, you mean "don't install the update, just send me to the download page"? Well, yeh, I agree, but that doesn't have anything to do with whether it's Windows, Mac, Linux, BeOS, Amiga, or anything else. Or whether it's using a DMG, ZIP, or self-extracting executable. I don't use the "Download" link in the SL client, I always go to the website and download it myself, and when I run Apple's "Software Update" (which does the same thing, annoyingly enough) I select "Download Only", and do the install on my time.
|
Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
|
10-07-2008 09:18
For info, I updated the Cool SL Viewer (http://sldev.free.fr/) with two new releases (for Linux only for now. Windoze and Mac builds will follow soon) :
v1.20.17.0 CoolRelease 1 (thanks to Rob Linden for having provided me with the patch)
v1.19.0.5 CoolRelease 31 (yes, it was possible and easy to port the patch to v1.19.0.5).
Yet the sources and patches will not be published before LL publishes their own sources.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
10-07-2008 09:24
From: Balp Allen After back porting the patch to 1.19.4 now, I can say there is nothing in it that isn't in the release note to help an attacker with writing an exploit. The not so fun situation soon comes when I have my fixed Nicholaz build, but have to wait for LL to release the code before I can release my binaries, as it was requested I not share the trivial patch and I can't send out the binary fix without the source code according to GPL....
Hmmm, surely Linden Labs (as the copyright owner) can authorize a pre-release without source. Though it'll probably take them longer to do that than get the source out.
|
Winter Ventura
Eclectic Randomness
Join date: 18 Jul 2006
Posts: 2,579
|
10-07-2008 09:31
From: Sylvia Sonoda Yeah but what about the people who HATE the new interface
You should have voted for those Jira posts. (not that it would have done any good) Honestly, I also wish we could get the old IM window back, I really hate the new "Communicate" interface. And I want the Groups and Friends buttons back. That's really the only reason that I use Cool SL.
_____________________
 ● Inworld Store: http://slurl.eclectic-randomness.com ● Website: http://www.eclectic-randomness.com ● Twitter: @WinterVentura
|
Prospero Linden
Linden Lab Employee
Join date: 6 Aug 2007
Posts: 315
|
10-07-2008 10:02
As somebody has pointed out, it is *not* free to continue to support multiple versions of the clients. Nor is it free to continue to support MacOS 10.3. Particularly in the latter case, the number of people still using Leopard with SL is very tiny. We have finite resources, and have to weigh a lot of things when deciding where to allocate them. If our decisions are not optimum for you -- well, we're sorry about that, but unfortunately it's not possible to do what is best for everybody at the same time.
However, there's another important point here. The SL client *is* open source. You don't *have* to connect using the official SL viewer. If you prefer a viewer modified and built by somebody else, by all means use that! That is the beauty of open source. It means that even if LL is stopping official support for pre-Windlight viewers, we are not preventing pre-Windlight viewers from using Second Life... we're only preventing the versions we have distributed in the past, which we now know are not safe.
(However, we *do* strongly recommend that you make sure that any viewer you are using has the security patch in it, or is otherwise not vulnerable. And, of course, make sure you trust the person who built the viewer (or trust people who have reviewed the code to the viewer -- it being GPL, nobody can distribute a viewer based on the open source code without also distributing the code).)
|