Sunday, May 4, 2008

ACE releases security risk info as a warning:

On Friday Intlibber Brautigan announced on the ACE Ancapistan website that a security risk had been discovered that could allow those with specialised knowledge to recover the ATM scripts in bytecode format and transform them back into LSL scripting when ATMs were taken across parcel or sim borders.
Mr Brautigan informed Soft Linden of this vulnerability. However, this breach was not unknown; in fact, it had been reported as much as a couple of months ago, and Linden Lab did not see fit to inform the residents. A patch was sent out about 4 weeks ago, but because it was kept so quiet there may be many who didn't know of it, and they may need to update their scripts.
Mr Brautigan also tried to inform SLeXchange of the possible threat, with little response at the time. Since then, this message has appeared on the SLX forum:
"I just wanted to post here to reassure you all that there is no reason to worry; there is no security breach. Your account information, your items, and your L$ and USD are safe.
SL Exchange has been a viable and reliable service functioning securely with and within Second Life for almost four years. Shortly after first launching the site it became obvious that LSL scripts should not be "trusted" to A) work correctly or B) be secure. It is for that reason that the bulk of our security as well as nearly all of our logic / intelligence resides on our own servers. Furthermore, these routines have been specifically engineered and fine-tuned over the years so that problems with Second Life such as technical failures, security exploits, or whatever else, will have the least effect possible to SL Exchange."

Hopefully, with the patch in place and very few people actually able to take advantage of this hole, not too much damage has been or will be done.
It's good to see some warning others of the possible threat though - maybe there is hope for human nature out there in our little world of SL.
