Note: This was resolved on the Public Issue Tracker, but never closed on the blog until now. Our apologies for any concern this untidy loose end may have caused. — teeple, 28 Mar 2008.
Due to a URL handler vulnerability, we advise against browsing unknown websites with Internet Explorer. Do not click on 'secondlife://' URLs on web pages in Internet Explorer or Internet Explorer-based browsers. If Second Life starts without your intervention, change your password on the secondlife.com site immediately.

To protect yourself before an official fix is available, un-check 'Remember password' on the login screen of the Second Life client, and never log in unless you started Second Life yourself.

Background: Second Life registers itself as the handler for 'secondlife://' protocol URLs. Internet Explorer, and browsers based on Internet Explorer, pass the entire contents of a src or href attribute to the Second Life application when launching it. Because of this, a malicious website can specify an iframe or anchor tag whose 'secondlife://' URL redirects the client's login through a server not under Linden Lab control.

We have a client-side fix undergoing Quality Assurance. We expect to deploy the new 18.104.22.168 client this week and make it a required upgrade. Before the official client is available, the patch will be submitted to the sldev mailing list so that the open source developers can help make sure this unusually short turnaround from development to release is of high quality.

Firefox does not exhibit this behavior and is not a vulnerable configuration on Windows.

Known affected configuration: Second Life 22.214.171.124 and earlier on Windows.
Mac: not vulnerable
Linux: not vulnerable

Another workaround:
Until we release a fixed client, you can remove the association for the secondlife:// protocol by deleting its registry entry. This requires manual editing of your Windows registry, is not for the faint of heart, and comes with no express or implied warranty. However, it worked for me. Do the following at your own risk:

1. Run the 'regedit' program: click the Start menu, click 'Run…', enter regedit in the 'Open:' box, and click 'OK'.
2. In the registry editor, find HKEY_CLASSES_ROOT\secondlife\shell\open\command.
3. Right-click the '(Default)' value in the right-hand pane and select Delete. Click 'Yes' at the confirmation dialog and close regedit.

The next time you install Second Life, the registry entry will be restored, so this is only a temporary workaround.
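The same workaround can be scripted rather than clicked through in regedit. The following PowerShell is an added example and not part of the original advisory or of Linden Lab's client code. It assumes PowerShell 5.1 or later, an elevated (Administrator) prompt, and that the handler sits at the standard protocol-handler path HKEY_CLASSES_ROOT\secondlife\shell\open\command; it shows the command string the browser would launch, exports the key to a .reg backup so the association can be restored later with 'reg import', and then deletes the (Default) value.

```powershell
# Added example (not from the original advisory): inspect and disable the
# secondlife:// protocol handler on Windows, keeping a backup of the key.
# Assumptions: PowerShell 5.1+, elevated prompt, handler registered at the
# standard location HKEY_CLASSES_ROOT\secondlife\shell\open\command.

$KeyPath = 'HKCR:\secondlife\shell\open\command'   # PowerShell provider path
$RegKey  = 'HKCR\secondlife\shell\open\command'    # path as reg.exe expects it
$Backup  = Join-Path $env:USERPROFILE 'secondlife-handler-backup.reg'

# HKCR is not mounted as a PSDrive by default; create it if needed.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

if (-not (Test-Path $KeyPath)) {
    Write-Host 'No secondlife:// handler command is registered; nothing to do.'
    return
}

# Show what a browser would execute. IE hands the full href/src text to this
# command line, which is why an untrusted page can influence how the client starts.
$Command = (Get-ItemProperty -Path $KeyPath).'(default)'
Write-Host "Current handler command: $Command"

# Export the key first so the association can be put back with: reg import <file>
reg.exe export $RegKey $Backup /y | Out-Null
Write-Host "Backup written to $Backup"

# Remove the (Default) value. The protocol key remains, but with no command to run,
# so clicking a secondlife:// link no longer launches the client.
Remove-ItemProperty -Path $KeyPath -Name '(default)'
Write-Host 'secondlife:// handler command removed. Reinstalling Second Life restores it.'
```

Run it once from an elevated PowerShell prompt. To undo the change before the fixed client arrives, run `reg import` on the backup file it wrote; as the advisory notes, reinstalling Second Life also recreates the entry.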