Important: Current SL client browser/media-on-a-prim potentially vulnerable

Chalice Yao

The Purple
Sep 20, 2018
64
Somewhere Purple, Germany
Greetings.

Currently, there is an actively used exploit against Chrome and Chromium, which affects all versions except the very latest, 72.0.3626.121:
Google Chrome Zero-Day Vulnerability CVE-2019-5786 actively exploited in the wild

Now, the LL SL Client uses "Dullahan", an LL-written library that uses 'CEF', an embedded Chromium engine to display HTML content on prims, for the internal client browser, etc.
The current version used by most viewers (LL, Firestorm etc) is based on CEF 3.3325.1750.gaabe4c4 / Chromium 65.0.3325.181.

TL;DR: The current internal SL browser is potentially vulnerable to an actively used exploit. Don't browse non-LL websites on it. Disable media on prims or set it to click-activation and check first if you trust the prim URL before clicking it.

EDIT:
I opened a SEC JIRA with LL, just in case.


EDIT 2:
My SEC is a duplicate, LL is already checking/watching the issue. If the exploit is feasable doing through the SL browser/HTML is still unclear.
Better be safe than sorry, for now.
 
Last edited:

Clara D.

FOR PRESIDENT 2020!
Dec 24, 2018
235
Phoenix, AZ, USA
So, Firefox is safe, though?

Also up for discussion: "Browser Safety" add-ons. I'm currently using Malwarebytes to supplement FF's Malicious Site warning and Ublock Origin because AFAIK Windows Security only covers Edge/IE.

FF: Malwarebytes Browser Extension – Get this Extension for Firefox (en-US)
Chrome: Malwarebytes Browser Extension

More Infos: https://blog.malwarebytes.com/malwarebytes-news/betas/2018/07/introducing-malwarebytes-browser-extension/

uBlock Origin:
FF: uBlock Origin – Get this Extension for Firefox (en-US)
Chrome: uBlock Origin
 
Last edited:

nebula

NOPE
Oct 4, 2018
22
Greetings.

Currently, there is an actively used exploit against Chrome and Chromium, which affects all versions except the very latest, 72.0.3626.121:
Google Chrome Zero-Day Vulnerability CVE-2019-5786 actively exploited in the wild

Now, the LL SL Client uses "Dullahan", an LL-written library that uses 'CEF', an embedded Chromium engine to display HTML content on prims, for the internal client browser, etc.
The current version used by most viewers (LL, Firestorm etc) is based on CEF 3.3325.1750.gaabe4c4 / Chromium 65.0.3325.181.

TL;DR: The current internal SL browser is potentially vulnerable to an actively used exploit. Don't browse non-LL websites on it. Disable media on prims or set it to click-activation and check first if you trust the prim URL before clicking it.

EDIT:
I opened a SEC JIRA with LL, just in case.


EDIT 2:
My SEC is a duplicate, LL is already checking/watching the issue. If the exploit is feasable doing through the SL browser/HTML is still unclear.
Better be safe than sorry, for now.
You can do it and I thought I posted about this a long time ago. Very glad you are getting this fixed. Thank you Chalice!
 

Andi

Luskwood Staff
Sep 20, 2018
35
Lusk
A little update: Today LL posted on the OpenSource-Dev Mailing List that they have prepared a new version of Dullahan, asking viewer creators to incorporate it. Watch out for new viewer versions.
I shall be awaiting!