Tateru Nino
T. Nino|10.07.08

Second Life security updates. New viewers

Well, at last we know what all the fuss was about with the sudden software updates to the Second Life servers over the last week, which caused so much disruption during the last few days. It appears we were on the money about security fixes: exploitable vulnerabilities have received urgent attention.

As a result a new Second Life viewer is available for download now -- that's 1.20.17(98669) -- and you can expect a new Release Candidate viewer (RC5) very very soon. Both are likely to be mandatory updates.

So, what's all the fuss about?

Well, the listed changes all relate to file uploads. File transfers are no longer accepted using UDP, for one. The new viewers won't use UDP for uploading files/assets to the simulators, for another. Lastly, the simulators won't allow file transfers for any path containing the special string ".." -- smart money says someone actually managed to exploit this one, and perhaps had a go at getting a Second Life simulator to send a file that it wasn't supposed to -- or perhaps to overwrite one.

We'd think that suppressing path separators from file-transfer requests would ostensibly be the way to go, but we assume someone knows what they're doing.
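The trade-off between the two filters discussed above, as an added example (not Linden Lab's code and not part of the original post): it compares rejecting "..", rejecting path separators, and resolving the requested name against a fixed root. The asset root, function names and sample requests are all hypothetical and constructed for illustration.

```python
import posixpath

# Hypothetical asset root; the post does not name the simulator's directories.
ASSET_ROOT = "/srv/sim/assets"

def rejects_dotdot(name: str) -> bool:
    """The check the post describes: refuse any path containing '..'."""
    return ".." in name

def rejects_separators(name: str) -> bool:
    """The check the post suggests instead: refuse any path separator."""
    return "/" in name or "\\" in name

def confined_path(name: str, root: str = ASSET_ROOT):
    """Resolve name under root; return the resolved path, or None if it escapes.

    Purely lexical: a real server would also have to account for symlinks.
    """
    if "\x00" in name:
        return None
    # Treat backslashes as separators so Windows-style input is normalised too.
    candidate = posixpath.normpath(posixpath.join(root, name.replace("\\", "/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

# Constructed sample requests, not taken from any real traffic.
SAMPLES = [
    "texture_0001.j2c",        # ordinary asset name
    "cache/texture_0001.j2c",  # subdirectory, still inside the root
    "../../etc/passwd",        # relative traversal
    "/etc/passwd",             # absolute path, contains no '..'
    "notes..txt",              # harmless name that happens to contain '..'
]

def compare(samples=SAMPLES):
    """Return {name: (dotdot_rejects, separator_rejects, stays_in_root)}."""
    return {s: (rejects_dotdot(s), rejects_separators(s),
                confined_path(s) is not None) for s in samples}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name!r:28} dotdot={row[0]!s:5} sep={row[1]!s:5} in_root={row[2]}")
```

The ".." filter alone lets the absolute path through and refuses a harmless file name, while the separator filter blocks both bad requests at the cost of refusing legitimate subdirectories.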

File download links for 1.20.17 are not live on the Second Life website yet, but you can get the viewers for Linux, Windows and Mac right now, and we're expecting viewers for 1.21(RC5) to follow soon enough.

UPDATE 6:30PM SLT: Linden Lab have now updated the website, made the release-candidate viewers available and made all of the viewers a mandatory update 30 minutes after we published here. All previous official and RC version viewers are blocked as of 6:30PM SLT (US Pacific). If you are using an older official viewer (like 1.19) you are out of luck. The information is conspicuously absent from the main blog where most users would look for it.

UPDATE 10:30PM SLT: Linden Lab is withholding the source code for the viewer side of these security fixes until sometime tomorrow. 'Early access to the source code for this fix are available on an as needed basis to developers of some widely available viewers,' says Rob Lanphier, who is the person to contact if you believe you fit the bill. We expect content uploads on the old system to cease working before that source code becomes publicly available.

Update -- backport viewers available: Working third-party viewers with the security patch can be obtained from The Cool SL Viewer site -- Windows users check the right-hand side. Mac users may have to wait a little longer.

