Tuesday, October 7, 2008

Eye on the Blog (even though it isn't)

I can't understand why this isn't posted on the blog - other than the already conjectured only keeping good news on there! But this is an issue everyone should be aware of and as such SHOULD be on the blog:

Today, we released an important update that improves the security of the Second Life viewer for all Residents. This update eliminates a recently discovered issue, and we’re requiring that all Residents download and install it to ensure that everyone remains secure while using Second Life. You will be prompted to download and install the update when you log-in, or you can get it from this Downloads page: http://secondlife.com/support/downloads.php

Linden Lab has released a Security Update to the Second Life viewer software today to address a potential security issue. This Security Update includes an additional security patch related to the Security Update issued on 26-Sept-2008.
Available for: Second Life Viewer 1.20.15 / 1.20.16
Second Life Release Candidate Viewer 1.21.4
Description: We recently updated the Second Life server and viewers to enhance the communications code. All transfer operations are now restricted to files that the user has expressly chosen, and specific directories that the viewer uses for transferring data.
For the safety of all Second Life users, we are releasing this updated viewer to all Residents.
Potential vulnerabilities had been identified in those message communications directed at a Second Life viewer over the previous protocol. By taking advantage of this vulnerability, while extremely difficult technically, a malicious user could potentially use the viewer to access files on the victim’s computer.
We currently have no evidence of this vulnerability ever being exploited.
This Security Update 2008-10-06 is required to continue to log-in to Second Life.
By downloading the update, you will upgrade the software on your computer to version 1.20.17:
* Second Life Release Viewer 1.20.17
For Residents who use the Release Candidate viewer, you are required to update to RC5, which also includes other latest bug fixes:
* Second Life Release Candidate Viewer 1.21 RC5
Earlier versions of Second Life (1.19.1, 1.19, and before) include the serious vulnerabilities and are no longer supported.
You will be prompted to upgrade to the latest version on your next login.
For any Residents who prefer / have been using earlier versions that do not include WindLight rendering, we have created a page on the Second Life Wiki that explains how to turn all related graphics settings to “Low,” effectively turning off WindLight in the current official viewer:
https://wiki.secondlife.com/wiki/Turn_off_WindLight_rendering
The source code for these new 1.20 and 1.21 RC5 viewers will be made available via the usual open source channels.
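
The mitigation the advisory describes (transfer operations restricted to files the user expressly chose plus the viewer's own transfer directories) is easy to get wrong if the check is done on raw path strings. The following is an added example, not code from the Second Life viewer or from Linden Lab; the TransferPolicy class, the directory layout and the request names are constructed for illustration. It canonicalises every requested path before comparing it against the allowlist, so `..` traversal, a planted symlink and a look-alike directory name (`cache_old` beside `cache`) are all refused:

```python
"""Added example: an allowlist policy for viewer-initiated local file access.

A transfer request names a local path. It is permitted only if the path is
exactly one the user explicitly picked (e.g. in a file dialog), or if it lies
inside one of the viewer's designated transfer directories. Paths are
canonicalised (symlinks and '..' resolved) before the check, so a message
arriving over the protocol cannot escape the allowed set with traversal
tricks. TransferPolicy is a hypothetical name, not the viewer's own API."""
import tempfile
from pathlib import Path


class TransferPolicy:
    def __init__(self, transfer_dirs):
        # Canonical absolute form of each directory the viewer may use.
        self.transfer_dirs = [Path(d).resolve() for d in transfer_dirs]
        # Individual files the user has expressly chosen.
        self.user_selected = set()

    def user_selects(self, path):
        self.user_selected.add(Path(path).resolve())

    def is_allowed(self, requested):
        # Resolve first: 'cache/../secrets/key' becomes 'secrets/key', and a
        # symlink planted inside the cache resolves to its real target.
        p = Path(requested).resolve()
        if p in self.user_selected:
            return True
        for d in self.transfer_dirs:
            try:
                p.relative_to(d)   # raises ValueError unless p is under d
            except ValueError:
                continue           # also rejects 'cache_old' beside 'cache'
            return p != d          # the directory itself is not a file to move
        return False


def demo():
    """Constructed sandbox: a throwaway tree standing in for the user's home,
    with a viewer cache directory and a sensitive file outside it."""
    home = Path(tempfile.mkdtemp())
    cache = home / "cache"
    cache.mkdir()
    (home / "secrets").mkdir()
    secret = home / "secrets" / "key.txt"
    secret.write_text("private")
    chosen = home / "photo.jpg"
    chosen.write_text("snapshot")

    policy = TransferPolicy([cache])
    policy.user_selects(chosen)

    requests = {
        "user_chosen_file": chosen,
        "inside_cache": cache / "texture.bin",
        "traversal_out_of_cache": cache / ".." / "secrets" / "key.txt",
        "direct_secret": secret,
        "prefix_lookalike_dir": home / "cache_old" / "texture.bin",
        "cache_dir_itself": cache,
    }
    try:
        (cache / "link").symlink_to(secret)
        requests["symlink_out_of_cache"] = cache / "link"
    except OSError:
        pass   # symlinks unavailable on this system; skip that case
    return {name: policy.is_allowed(path) for name, path in requests.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

Only `user_chosen_file` and `inside_cache` are allowed; every other request is denied. The point of resolving before comparing is that the decision is made on what the operating system would actually open, not on the string the remote side sent.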

Again, a forum thread has been created for discussion and questions; it can be found HERE.
On the question of non-SL viewers, Prospero Linden had this to say:
Potentially other clients are vulnerable. It will depend on the details of those clients. We will have a new open source code drop soon with the fixes in it; anybody who has distributed a client based off of that open source code drop would be strongly advised to apply the patch. You will need to contact the people who build and maintain the clients other than the official SL viewers to get patched versions. If you *must* use a vulnerable client -- and we strongly recommend against this -- connect only to SL or to trusted OpenSim sites; do not connect to random OpenSim servers unless they are run by people whom you specifically trust. You must also disable your streams entirely in preferences (both audio and media), to protect your IP address. Please do see the wiki page on adjusting the settings for the 1.20 client. I know I found myself that I actually did better with Windlight on a very low-spec machine. I know that doesn't mean necessarily everybody else will, but give it a try.

Hopefully the spate of fixes will now slow down and LL can concentrate on making this client stable, but the questions must be asked: how long has this security issue been an issue? Is this a way to scare everyone into using the official client? This last is pure speculation and probably unjustified, as we have all seen the rush to update in the last couple of weeks, showing that something has been going on behind the scenes; so it is to be hoped that this hole has now been plugged and we can all log in securely.
Dana
