1. People still use MSIE?

Dummies!

You're just asking for it, when you use a browser who's command calls are directly embedded in the OS.

Duh.

Posted at 10:50AM on Sep 17th 2007 by Kahni Poitier

2. I'm not clear on this. Does the victim have to be using IE in order to have the SL info compromised? In other words, if I *never* use IE, am I safe from this?

Posted at 11:11AM on Sep 17th 2007 by Cyn Vandeverre

3. More good reason to get FireFox.

http://www.youtube.com/watch?v=M9BON5nd8Fg

Other than that, if you don't drink... then your brain is your best place for password.

Posted at 11:12AM on Sep 17th 2007 by Nacon

4. It's possible that other pieces of software that use MSIE as a component could be vulnerable to this. Some RSS readers for example.

Posted at 11:12AM on Sep 17th 2007 by Tateru Nino

5. Cyn, it is the victim's IE.

Posted at 1:07PM on Sep 17th 2007 by dandellion Kimban

6. I wouldn't lay all the blame at the feet of IE. The fact that the SL client accepts a parameter that will send your login credentials to any given URL, may also be a bit reckless.

Posted at 1:13PM on Sep 17th 2007 by thejonas

7. Indeed, MSIE is not solely to blame here. The login handshake itself is a bit weak.

Posted at 1:14PM on Sep 17th 2007 by Tateru Nino

8. Agreed. theoretically, you could stage a playback attack using nothing more than the xml-rpc call from the grab, as I've outlined in my blogpost on this matter @ http://www.woolysquared.blogspot.com

The joys of taking very closed code opensource suddenly... ah well.

Posted at 2:04PM on Sep 17th 2007 by Patchouli Woollahra

9. Thank you, Dandelion.

Now that this has been discovered, I hope LL will make the login more robust/unsniffable or whatever it is that needs to be done.

Fortunately here at my place, I have an anti-MS home sysadmin, so I'm not likely to ever use IE.

Posted at 3:46PM on Sep 17th 2007 by Cyn Vandeverre

10. Thats true, im suffering this trick. I must be more cautios next time.
Thank you very much for this advice

Posted at 5:46PM on Sep 17th 2007 by Avanti Palmer

11. The fault isn't IE's at all. SL binds the URL prefix secondlife:// in both IE and Firefox. That's SL's action. The login uri and client flags are also that of SL, nothing of IE's.

Mozilla / Firefox does the exact same thing, though it has an extra security wrapper, in that it prompts you before launching SL. However, theres a handy little check box that can disable that warning and thus the exploit is just as viable. Why would it be disabled? If you're using SLurls a lot, then you end up making use of the secondlife:// links and would probably consider them safe.

So yeh, just because you're not using IE, don't consider yourself safe. Heavens forbid if this is still around when we get the web on prims and it gets coupled with multi client functionality, it'll end up launching a second client, log you off, and steal your password, a griefer's dream.

Posted at 5:13AM on Sep 18th 2007 by Ayrn Wake

12. Ayrn Wake: SL can already do multi-client. Try launching the client with command-line option "--multiple".

Posted at 5:33AM on Sep 18th 2007 by KirbyMeister

13. how long has this been out there?
why hasn't an mandatory update been released to fix this hole already?

Posted at 6:48AM on Sep 18th 2007 by TigroSpottystripes Katsu

14. It's existed for at least a couple of years. It's just been found.

Posted at 7:18AM on Sep 18th 2007 by Tateru Nino

15. Yeh, I know SL can do multi client (I use it myself time to time). I said when the exploit makes use of it, and if we ever get webpages on prims, then it'll turn into a griefer toy.

Funny thing is, ok, its existed for years and its only just been found, its been known about for a few days now. Yet, LL haven't acknowledged it, put out a warning or fix.

Posted at 7:51AM on Sep 18th 2007 by Ayrn Wake

16. I've been informed thru a source I'm not sure I should name, that they have people working on fixing it already


and I think the reason they haven't made an official annoucement about it yet is due to that mentality of not talking about security holes till they have fizxed it to prevent the news about the vulnerability from spreading to the ears of more malicious people as well preventing panic and over reation from less informed people and stuff like that...dunno

Posted at 12:47PM on Sep 18th 2007 by TigroSpottystripes Katsu

17. Finally announced on the linden blog.

Oh, and with further testing, Firefox doesn't actually result in the bug. Firefox will launch SL like a secondlife:// usually does, the flags get appended to the location address. IE on the other hand adds the flag to the program as if running it through a shortcut. However, I'm not sure in this case which behaviour can be seen as correct, it does mean the exploit is only effecting IE (unless someone goes and tests other browsers to see what happens, I'm not sure if SL binds to opera and the like).

Posted at 2:21PM on Sep 18th 2007 by Ayrn Wake

18. heh, since they started talking about it way before a fix is released, I guess my first guess was wrong, now I guess the delay was more due to internal bureaucracy than due to politics about hiding holes till they are fixed :)

Posted at 2:58PM on Sep 18th 2007 by TigroSpottystripes Katsu

19. there is an unofficial patch on JIRA
http://jira.secondlife.com/browse/VWR-2508

Posted at 9:34PM on Sep 18th 2007 by dandellion Kimban

20. According to the development list, we should have a fix for this very soon.

Posted at 8:01AM on Sep 19th 2007 by Tateru Nino