Archive for the 'Security' Category

A security issue was discovered in the Second Life 1.19.0(4) viewer released yesterday. Although we have no information indicating that it is being exploited, residents who downloaded the optional 1.19.0(4) viewer should update to 1.19.0(5). Earlier supported versions, namely 1.18.5(3), 1.18.4(3), 1.18.3(5) and 1.18.2(1), are unaffected and may still be used.

We have updated the “version manager”, which is what our login system uses to enforce which viewer versions are allowed to log in. This will block only version 1.19.0(4) from logging in.

NOTE: We are seeing a bug where the login “splash” page is erroneously telling users of all versions that they need to upgrade. This is incorrect: users with 1.18.5(3), for example, may log in. This bug is in our web site code and will be corrected as quickly as possible. Update: we believe this issue was due to caching on both the client and the server and have corrected it.

Additionally, the Second Life 1.19.0(5) viewer also addresses an issue with upgrading from 1.18.x viewers where the voice chat preferences would not be preserved.

We are aware L$ are traded on a number of third party sites. While some of these sites may be reliable, others deal in fraudulent L$ — L$ that were created not with any resources, value, or labor, but rather bought with a phished account, stolen credit card or PayPal account. You therefore purchase these third party L$ at your own risk: if they are discovered to be fraudulent — in effect phony — we will recoup them from your account. We must do so, in order to avoid tacitly (and financially) encouraging a practice that harms Second Life sellers, phishing victims, and Linden Lab itself.


Quicktime Security Update

Friday, December 21st, 2007 by: Joe Linden

As I indicated in a prior posting, we became aware of a serious flaw in Apple’s QuickTime software that could allow maliciously crafted movies to either crash your Second Life viewer or, more seriously, to execute arbitrary code contained within the stream. We had warned residents to take caution when enabling movie playback within the viewer.

The good news is that Apple has recently released a patch for this issue. It will appear in Apple’s Software Update utility as QuickTime 7.3.1, or it is available here as a separate download for your system. If you have not already done so, it’s important to apply that patch as soon as possible to protect yourself from this exploit when using any application or browser, not just Second Life.

We have now released a version of the viewer that will verify you are running a version of QuickTime that is safe from exploits of this type.
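The version gate described above, as an added example written for this page (it is not the Second Life viewer’s own code): the check treats QuickTime 7.3.1, the patched release named in the post, as the minimum, compares versions numerically rather than as strings, and fails closed when the installed version cannot be read. The function names and the sample version strings are constructed for the example.

```python
import re

# From the post: Apple's patched release is QuickTime 7.3.1.
MINIMUM_SAFE_QUICKTIME = (7, 3, 1)


def parse_version(text):
    """Turn a version string such as '7.3.1' into the tuple (7, 3, 1).

    Returns None when nothing parseable is present, so callers can fail closed.
    """
    if not isinstance(text, str):
        return None
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def quicktime_is_safe(version_text, minimum=MINIMUM_SAFE_QUICKTIME):
    """True only when the installed version is at least the patched release.

    Tuples are padded with zeros so that '7.4' compares as (7, 4, 0) and a
    four-part build string like '7.3.1.70' compares against (7, 3, 1, 0).
    Comparing as strings would wrongly rank '7.10.0' below '7.3.1'.
    """
    found = parse_version(version_text)
    if found is None:
        return False  # unknown version: treat as unpatched
    width = max(len(found), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(minimum)


def streaming_video_allowed(version_text, user_enabled):
    """Play streaming video only when the user enabled it AND QuickTime is patched."""
    return bool(user_enabled) and quicktime_is_safe(version_text)


if __name__ == "__main__":
    # Constructed sample inputs, not real installations.
    for sample in ("7.3.1", "7.4", "7.3", "7.10.0", "7.3.1.70", "", "unknown"):
        print(repr(sample), "->", quicktime_is_safe(sample))
```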


We were alerted a short time ago that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit the Second Life viewer. The Second Life viewer uses Apple QuickTime to play videos and streaming media. This exploit affects QuickTime usage on every platform that uses it, and to date, Apple has not released a fix for the exploit.

At this time we advise that you disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue. To do this, just open the Preferences dialog, and uncheck the “Play Streaming Video When Available” checkbox on the “Audio & Video” tab.

We do have the ability to turn off all videos on the grid, but have instead chosen to respect the existing in-world content and experiences which rely on streaming video, as we know that many of you enjoy these. We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with.

We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker. This will include account termination and legal action if appropriate, as well as the appropriate assistance for affected Residents.

The bug is in QuickTime, and not in the Second Life viewer. When Apple has submitted a fix, we will integrate it into the viewer as quickly as possible, and will notify everyone once this has been done.

Note: This was resolved on the Public Issue Tracker, but never closed on the blog until now. Our apologies for any concern this untidy loose end may have caused. — teeple, 28 Mar 2008.

Due to a URL handler vulnerability, we advise not browsing unknown websites with Internet Explorer. Do not click on ‘secondlife://’ URLs on web pages with Internet Explorer or Internet Explorer based browsers. If Second Life starts without your intervention, please change your password on the secondlife.com site immediately.

To prevent this exploit prior to an official fix, un-check ‘Remember password’ in the login screen of the Second Life client and never log in unless you manually started Second Life yourself.

Second Life is configured to handle ‘secondlife://’ protocol URLs. Internet Explorer, and browsers based on Internet Explorer, copy all information from a src or href attribute to launch the Second Life application. Using this, a malicious website can specify an iframe or anchor tag which redirects login through a server not under Linden Lab control.

We have a client side fix for this undergoing Quality Assurance. We expect to deploy the new 1.18.2.1 client this week and make it a required upgrade. Before the official client is available, the patch will be submitted to the sldev mailing list in the hopes that the open source developers can assist in making sure this unusually short turnaround from development to release is of high quality.

Firefox does not exhibit this behavior, and is not a vulnerable configuration on Windows.

Known affected configuration: Second Life 1.18.2.0 and earlier on Windows.
Mac: not vulnerable
Linux: not vulnerable

Another Workaround:

You can remove the association for the secondlife:// protocol until we release a fixed client by deleting the registry entry. This requires manual editing of your Windows registry, is not for the faint of heart, and there is no implied or expressed warranty on following these instructions. However, it worked for me. Do the following at your own risk:

  1. Run the ‘regedit’ program by clicking on the Start menu, clicking on ‘Run…’, entering regedit in the ‘Open:’ combo-box, and finally clicking ‘OK’.
  2. Find HKEY_CLASSES_ROOT\secondlife\shell\open\command in the registry editor.
  3. Right click on the ‘Default’ value in the rightmost pane and select delete.
  4. At the confirmation alert box, click ‘Yes’ and close regedit.

The next time you install Second Life, the registry entry will be restored, so this is only a temporary workaround.
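The check a hardened protocol handler needs, as an added example written for this page and not the Second Life viewer’s own client-side fix: before a secondlife:// link is allowed to start the client, the handler refuses any link that carries whitespace or quotes (the post notes that Internet Explorer copies the whole attribute into the launch command) and any link that tries to point login at a server outside an allowlisted domain. The `loginuri` query parameter, the single allowlisted domain secondlife.com and the sample links are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the only domain a login override may point at. The post names
# secondlife.com; the viewer's real allowlist is not on the page.
TRUSTED_LOGIN_DOMAINS = ("secondlife.com",)

# Characters that must never reach a command line assembled from an href.
FORBIDDEN_CHARS = set('"\'\r\n\t ')


def host_is_trusted(host):
    """True for an allowlisted domain or one of its subdomains.

    The suffix match includes the dot, so 'secondlife.com.evil.example'
    is rejected rather than matching on the 'secondlife.com' prefix.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LOGIN_DOMAINS)


def check_handler_url(url):
    """Decide whether a protocol-handler URL may launch the client.

    Returns {"launch": bool, "reason": str}. Assumption: a login-server
    override travels in a 'loginuri' query parameter (hypothetical name).
    """
    if any(ch in FORBIDDEN_CHARS for ch in url):
        return {"launch": False, "reason": "whitespace or quotes in URL"}
    parts = urlsplit(url)
    if parts.scheme.lower() != "secondlife":
        return {"launch": False, "reason": "not a secondlife:// URL"}
    for override in parse_qs(parts.query).get("loginuri", []):
        target = urlsplit(override)
        if target.scheme.lower() != "https":
            return {"launch": False, "reason": "login override is not https"}
        if not host_is_trusted(target.hostname):
            return {"launch": False,
                    "reason": "login redirected to untrusted host %r" % target.hostname}
    return {"launch": True, "reason": "ok"}


# Constructed sample links for the example; none is taken from a real page.
SAMPLE_LINKS = {
    "plain": "secondlife://app/agent/about",
    "trusted": "secondlife://app/login?loginuri=https://login.secondlife.com/",
    "redirected": "secondlife://app/login?loginuri=https://login.secondlife.com.evil.example/",
    "plain_http": "secondlife://app/login?loginuri=http://login.secondlife.com/",
    "injection": 'secondlife://app/login "with spaces"',
}


def triage(links=SAMPLE_LINKS):
    """Run the check over a set of links; returns {name: launch decision}."""
    return {name: check_handler_url(link)["launch"] for name, link in links.items()}


if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(name, check_handler_url(link))
```

The decision is returned rather than acted on, so the same function can be used both in the handler (refuse to launch) and in a log-review script that flags links which would have been refused.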


On June 14, we posted about creating Strong Passwords. If you haven’t yet reconsidered your password, do it now. This will help reduce your risk of the subject of today’s post—being phished.

Phishers, as defined by wikipedia,

“attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to give details at a website, although phone contact has been used as well.”

How do you know if your account may be compromised?

  • If you can’t access your account
  • If you suddenly notice a reduced available balance on the payment source you have on file.

What should you do?

Contact us immediately!

Here are the steps:

  1. Login to your account.
    • Login to the Support Portal.
    • If you cannot log into your account, use our Guest Access Log In.
  2. Submit a Ticket
    • In the Ticket Type Field, select “Special Questions – Basic Account or Guest Login” from the drop down menu
    • Then select “My account has been shut off and I don’t know why”
    • Fill in the rest of the fields as directed.
    • Copy the Tracking Number for your new ticket
    • You will receive an email containing your ticket information.
  3. Call the Fraud number: 800-860-6990

How will Linden Lab resolve your compromised account?

First, Linden Lab will place your account on hold and investigate the relevant transactions. This may take a few days in some cases. Once we have finished the investigation, we will send you an email explaining our conclusion and the action that will be taken with respect to your account. As a reminder, all transactions involving L$ are subject to Linden’s Terms of Service (TOS).

[Update] Thanks for the comments–some needed clarifications. Here’s the connection between phishing and safeguarding your account, on two fronts.

  • Phishers rely on people using the same SL password on other sites. So, if a fraudster gets your password on a third-party site or through an email, they can go right to your SL account.
  • Message: Don’t re-use your SL password on other sites.

  • No Linden Lab employee will EVER ask for your password in-world.
  • Message: Do not give your password to ANYONE…a friend, a partner or a Linden.

Other Resources to Help Safeguard Your Account

  • Geeks.com
  • Wikipedia
  • Microsoft: Protect Yourself

Know any other helpful anti-phishing sites and strategies? Help your fellow Residents and add your recommendations to the comments below.

A resident recently identified a security issue where you could read the source code of certain LSL scripts when you did not have permission to do so. We are deploying new server code that fixes this issue. We have also used this opportunity to fix a common server crash. Thank you for your patience as we restart all the regions.

UPDATE: This was completed at around 4:30am PDT.

How Secure Is Your Password?

Thursday, June 14th, 2007 by: Agent Linden

We know that May was Strong Password Month, but that doesn’t mean you need a strong password *just* in May. Truth is, you need a strong password all the time. There’s nothing worse than trying to log into your account only to find out there’s someone already using it. Or logging in and finding your Linden Dollars drained. So in an effort to prevent such happenings, here’s a gentle reminder: make sure your password is secure. How can you do so? Well…

  • Use a combination of numbers and letters. Six characters or more = a good idea.
  • Do not give your password to anyone. This means friends, family, loved ones or Linden employees. Pets too, you never know.
  • Do not use the same password on 3rd party websites that you use for your Second Life account. Especially if the site is Second Life related.
  • Do not follow links that ask for your Second Life account name and password. This is just asking for trouble.

If you need to change your password, click here.

There’s no better way to protect yourself than having a password you know is secure. Furthermore, sharing accounts and passwords is against our Terms of Service, so for the betterment of everyone who uses Second Life, keep your password… and your account, safe.

More on Identity Verification

Monday, May 7th, 2007 by: daniellinden

The introduction of verified age and identity in Second Life is certainly a momentous change — though many of the comments posted to the announcement have been positive, and this type of verification has long been requested by business owners and content providers as the most direct way to improve trust and safety in Second Life, it’s clear that there are several points of concern that need to be addressed:

Age and identity verification will be completely voluntary. Residents who choose not to verify their identity will have access to all PG and M (Mature) rated regions of Second Life save for those individual parcels expressly identified by their creators as containing adult content. Adult content flags on the Mainland will be parcel-based, meaning that unverified accounts will be restricted only from the specific parcels containing adult material, not from Mature regions in general. ‘Adult Content’ is that which is overtly, graphically, or explicitly sexual in nature or intensely violent.

Linden Lab will not store any specific, identifying information. We’ll keep less exact information as a way to allow Residents, if they should so choose, to share verified aspects of their identity with others in Second Life — i.e., not an exact date of birth, but an age (over 30), and not a specific address, but a city and country. Such sharing will, of course, be completely voluntary. Our verification provider will assess the consistency of the provided information and return a match code; at that point, a Resident becomes verified. The entire process takes less than two minutes, and will be available internationally. Our verification provider will only use information to provide a match code.

Age and identity verification fees will be assessed only once, at the point of verification — there will be no ongoing monthly or maintenance fees associated with verification. A mechanism will be provided to extend a successful verification to multiple accounts. Premium accounts will pay a very nominal fee; less than L$10, perhaps just L$1. Basic users will be able to access the service at a higher, though still one time, price.

Age and identity verification will replace ‘Payment Information’ in-world. Credit cards do not provide an adequate means of age and identity verification, making real and robust age and identity verification vital. Land owners will be free to allow or disallow access to their owned parcels based on this verified or unverified status.

Linden Lab is committed to enabling the safest and most enjoyable experience possible in Second Life. The introduction of age and identity verification provides Residents with new tools to determine how they interact with the world and how the content they create is accessed, and allows for a new level of trust within in-world relationships.

We will shortly begin beta testing an age and identity verification system, which will allow Residents to provide a one-time proof of identity (such as a driver’s license, passport or ID card) and have that identity verified in a matter of moments.

Second Life has always been restricted to those over 18. All Residents personally assert their age on registration. When we receive reports of underage Residents in Second Life, we close their account until they provide us with proof of age. This system works well, but as the community grows and the attractions of Second Life become more widely known, we’ve decided to add an additional layer of protection.
