Important: Current SL client browser/media-on-a-prim potentially vulnerable

Chalice Yao

Greetings.

Currently, there is an actively used exploit against Chrome and Chromium, which affects all versions except the very latest, 72.0.3626.121:
Google Chrome Zero-Day Vulnerability CVE-2019-5786 actively exploited in the wild

Now, the LL SL Client uses "Dullahan", an LL-written library that uses 'CEF', an embedded Chromium engine to display HTML content on prims, for the internal client browser, etc.
The current version used by most viewers (LL, Firestorm etc) is based on CEF 3.3325.1750.gaabe4c4 / Chromium 65.0.3325.181.

TL;DR: The current internal SL browser is potentially vulnerable to an actively used exploit. Don't browse non-LL websites on it. Disable media on prims or set it to click-activation and check first if you trust the prim URL before clicking it.

EDIT:
I opened a SEC JIRA with LL, just in case.


EDIT 2:
My SEC is a duplicate; LL is already checking/watching the issue. Whether the exploit is feasible through the SL browser/HTML is still unclear.
Better be safe than sorry, for now.
 
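An added example, not part of the original post or of any viewer's code: a small triage check that pulls the embedded Chromium version out of a build string such as the one quoted above and compares it numerically with the fixed release 72.0.3626.121. The inventory names and every build string except the Dullahan one are constructed sample values.

```python
import re

# Fixed release named in the post above (CVE-2019-5786).
FIXED = (72, 0, 3626, 121)

# Matches "Chromium 65.0.3325.181" or "Chrome/72.0.3626.121" inside a build string.
_CHROMIUM_RE = re.compile(r"Chrom(?:e|ium)[ /](\d+)\.(\d+)\.(\d+)\.(\d+)")


def chromium_version(build_string):
    """Return the Chromium version as a tuple of ints, or None if absent."""
    m = _CHROMIUM_RE.search(build_string)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(build_string, fixed=FIXED):
    """Classify one build string as 'outdated', 'ok' or 'unknown'."""
    version = chromium_version(build_string)
    if version is None:
        return "unknown"  # no version found: treat as unverified, not as safe
    # Tuples compare numerically per component; comparing the raw strings
    # would wrongly rank "72.0.3626.99" above "72.0.3626.121".
    return "outdated" if version < fixed else "ok"


# Constructed inventory: the first entry is the build string quoted in the
# post, the others are made-up sample values.
INVENTORY = {
    "viewer (Dullahan)": "CEF 3.3325.1750.gaabe4c4 / Chromium 65.0.3325.181",
    "desktop browser": "Mozilla/5.0 ... Chrome/72.0.3626.121 Safari/537.36",
    "kiosk build": "Chromium 72.0.3626.99",
    "mystery app": "embedded webview, version not reported",
}


def report(inventory=INVENTORY):
    """Map each inventory entry to its triage status."""
    return {name: triage(s) for name, s in inventory.items()}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:20} {status}")
```

An "ok" result only means the build is at or above the fixed release for this one issue; "unknown" entries still need to be checked by hand.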

Clara D.

So, Firefox is safe, though?

Also up for discussion: "Browser Safety" add-ons. I'm currently using Malwarebytes to supplement FF's Malicious Site warning and uBlock Origin because AFAIK Windows Security only covers Edge/IE.

FF: Malwarebytes Browser Extension – Get this Extension for Firefox (en-US)
Chrome: Malwarebytes Browser Extension

More info: https://blog.malwarebytes.com/malwarebytes-news/betas/2018/07/introducing-malwarebytes-browser-extension/

uBlock Origin:
FF: uBlock Origin – Get this Extension for Firefox (en-US)
Chrome: uBlock Origin
 

nebula

> Greetings.
>
> Currently, there is an actively used exploit against Chrome and Chromium, which affects all versions except the very latest, 72.0.3626.121:
> Google Chrome Zero-Day Vulnerability CVE-2019-5786 actively exploited in the wild
>
> Now, the LL SL Client uses "Dullahan", an LL-written library that uses 'CEF', an embedded Chromium engine to display HTML content on prims, for the internal client browser, etc.
> The current version used by most viewers (LL, Firestorm etc) is based on CEF 3.3325.1750.gaabe4c4 / Chromium 65.0.3325.181.
>
> TL;DR: The current internal SL browser is potentially vulnerable to an actively used exploit. Don't browse non-LL websites on it. Disable media on prims or set it to click-activation and check first if you trust the prim URL before clicking it.
>
> EDIT:
> I opened a SEC JIRA with LL, just in case.
>
> EDIT 2:
> My SEC is a duplicate; LL is already checking/watching the issue. Whether the exploit is feasible through the SL browser/HTML is still unclear.
> Better be safe than sorry, for now.

You can do it and I thought I posted about this a long time ago. Very glad you are getting this fixed. Thank you Chalice!
 

Chalice Yao

A little update: Today LL posted on the OpenSource-Dev Mailing List that they have prepared a new version of Dullahan, asking viewer creators to incorporate it. Watch out for new viewer versions.
 

Andi

> A little update: Today LL posted on the OpenSource-Dev Mailing List that they have prepared a new version of Dullahan, asking viewer creators to incorporate it. Watch out for new viewer versions.

I shall be awaiting!
 

Spirits Rising

*awaits emergency update releases*
 

nebula

I am very happy to hear this is getting fixed :)