Monday, August 19, 2013

Media exploit affecting SL viewers

Firestorm viewer with preference window open
Cristiano Midnight from Second Life Universe has posted a warning to disable media in viewers, because there is some vulnerability that can be exploited to gain access to accounts.  It is obviously hard for anyone to post detailed information about an exploit without simultaneously alerting the small percentage of people who would like to benefit from such an exploit.  I trust the source of the information, though, and know that Cristiano would not have posted a warning without good reason.

You can disable media before logging into SL by changing your preferences in the viewer at the login screen.  

His second piece of advice is to uncheck the box which asks you to store your password.  Someone on the comments stream on SLU points out that you have to be alert to the fact that the viewer may automatically recheck the box if you don't keep an eye on it.  If you have been using the remember password facility, you should clear your cache too.  This can be selected in the preferences at the login screen, and then you should close your viewer and reopen it to trigger the cache to clear.

I don't know what the exploit may be, or how the viewers are vulnerable by using media on a prim or streaming media.  There has been a general warning not to use media on parcels where you don't trust the source, but I think that warning has been around for so long that people have started to disregard it.  If the vulnerability is even more severe than it was thought to be, it is very important to get the word out.  I don't know if anyone has been affected by the problem... but the best outcome would be that the vulnerability is fixed before that happens.

For those using firestorm, step-by-step:

*Start your viewer, uncheck remember password box
*Click viewer at the top left of your screen, choose preferences
*Preferences window opens.
*Choose Sound and Media in the left hand column - uncheck all the boxes for playing media and sound
*Choose network and cache in the left hand column - click to clear cache and confirm it when the pop up asks you to confirm.
*REMEMBER to OK the changes bottom right of the preferences window.
*Close the viewer by clicking the X and confirm.
*Restart the viewer, check that the remember password box in unchecked.  You will need to log in (making sure the remember password box is unchecked) to make the change to remember password stick.

No comments:

Post a Comment

Comments on this blog are now post-moderated. Please comment in English, because I will delete comments I cannot read or understand.