Production Second Life viewer 1.20.16 available now [updated]

A new Second Life viewer is available. Not a release candidate, but an update to the 1.20 series -- what's generally referred to as an 'official' or production viewer. The version number for this release is 1.20.16 (97603), and only contains one listed change over 1.20.15.

The lone change appears to be security-related. The text of the change (not yet available in Wiki release notes) is "Discard messages sent over UDP that should not be trusted."

It isn't clear exactly which messages those are, precisely, and whether they might be sent from servers or spoofed from other hosts (or if they should simply be being carried on another transport protocol) -- however if it was important enough to release a fresh production viewer with just this one change, it is likely to be an important upgrade for users.

The new viewer is available for download now for Linux, Windows, or Mac (universal binary). We assume that if you've had problems running the 1.20.15 viewer, 1.20.16 will not work any better for you.

Linden Lab has not yet announced this release on any of its blogs.

	Are you a part of the most widely-known collaborative virtual environment or keeping a close eye on it? Massively's Second Life coverage keeps you in the loop.

Update: Linden Lab has since announced that this represents a major security update. A new release candidate (1.21.RC3) is available as well.

Linden Lab has released an optional update to the Second Life viewers today to address a potential security issue. Recently an audit identified a possible vulnerability. If a malicious user were able to obtain the IP address and port of a Resident's viewer, then the malicious user could forge data packets to the Resident's computer. This could be done in a way to cause the viewer to return enough information about its session to allow the attacker to initiate various server-side operations as if they were the Resident, including L$ transactions.

To eliminate this vulnerability, we have now updated the Second Life servers to transmit the messages over an encrypted channel (HTTPS). Now that the server upgrade is complete, we are releasing updated viewers that only accept these messages when transmitted over an encrypted channel. Once you have downloaded the update, if a malicious third party were to attempt to send messages over the old channel (UDP), they would be ignored.

All previous versions remain vulnerable to the exploit. Users unable to upgrade to 1.20.16 or 1.21(RC3) should seek out a patched third-party viewer providing the same protocol changes, as soon as one becomes available.

While the exploit requires an attacker to know or guess the IP address of a Second Life user, this data is relatively easy to obtain in practice.