Linden Lab suggests viewer security vulnerability disclosure group
Filed under: Exploits, News items, Second Life
Over on the Second Life viewer development mailing list, there's a spirited discussion in progress about the suggestion of a notification list for viewer security vulnerabilities. The principal idea is that distributors of third-party viewers would get slightly earlier notification of vulnerabilities and exploits in the viewer code, so that they could have secured versions of their Second Life viewers available to the general public at approximately the same time as secured versions of the first-party viewer become available.
Linden Lab has invited debate on what sorts of people it would be reasonable to disclose the information to (for example, perhaps only those who had signed a non-disclosure agreement). The topic has, naturally enough, brought out considerable debate as to whether such a group is necessary or even desirable.
As a general rule, a majority of Second Life users never become aware of actual security vulnerabilities in the viewer, or if they do, rarely take any action to mitigate or prevent exploitation of the vulnerability (in the cases where such mitigation is actually possible). Among the users, tales of security exploits abound like urban myths, with few having any basis in fact (certain days of the year are particularly prone to such tales).
In such cases, public disclosure of security vulnerabilities before patched viewers become available gives the would-be exploiter an advantage and puts the majority of users at a disadvantage.
On the other hand, such disclosures allow a minority of users (who become aware of the problem and are able to do something about it) to take mitigating action to prevent themselves from falling victim to the exploit.
This is in contrast to late disclosure, where a patched viewer is available immediately at the time of disclosure, but which leaves all of the users ignorant of the problem until then (except those who might already be exploiting it).
As for the exploiters, frequently all it takes is a slight hint about the nature of the issue (packet spoofing, buffer overflows that allow certain things) for them to be able to identify and produce a software exploit within only hours. Indeed, the majority of software exploits that are patched are ones that are already being exploited. It's the actual exploitation that draws attention, and once the vague nature of it is known, it isn't hard to identify the problem.
Unfortunately, it may be rather harder to fix than to find.
A recent round of such fixes took nearly two weeks to successfully deploy (and had plenty of issues of its own) and probably took at least as long to develop in the first place. It also left third-party viewers (and their users) behind, as they were not made aware of necessarily incompatible changes before those changes were deployed.
What do you think: should Linden Lab disclose the details before starting to fix things? Should they disclose to third-party viewer teams before the general public? Or should they patch their own viewer first, and let the third parties scramble to catch up later?
Reader Comments (Page 1 of 1)
Tabliopa Underwood said on 11:24AM 12-27-2008
Personally I think Linden Lab should publicly reveal all exploits they find out about at the time they do. People are spending real money on and in this game. If one person knows about something that is detrimental then I think we should all know. Then we can take our own steps to protect ourselves until Linden Lab fix it.
If Linden Lab don't want everyone to know then no one should know outside of them and the discoverer who reports it to them. If the plan is to tell some other people then I would like to be one of those other people please.
Prokofy said on 12:24PM 12-27-2008
I'll post here what Rob Lamphier (Rob Linden) is refusing to let through and "moderating off" this list, which differs little from what Tabliopa says:
I'm truly failing to see why only one group of select and special coders get to know when there is a security vulnerability, and the rest of the public using Second Life does not get that knowledge.
The coders fooling around with various open-source versions of the viewer have the least to lose. Security vulnerabilities don't harm them. They harm merchants, creators, ordinary users with credit cards tied to their accounts, and so on far more than they harm the one class of SL that usually makes sure their work is never hackable -- scripters.
So I'm failing to see why we need to have yet another example of FICing, and elevating one class of SL residents above others -- and with no demonstrable purpose.
Gwyneth Llewelyn said on 6:25PM 12-27-2008
Military technology is usually disclosed to the "civilians" a few years after it has become "state of the art" (10 years in some countries, I believe). The reasoning is about the same: you don't wish your enemies to have a clue on what you've just been able to develop. In the mean time, your allies are (often) informed about the technology you've developed, on a "need to know" basis only.
The software industry uses in general a similar concept. Hardly any company publishes announcements of the exploits they've patched *before* they are, well, patched. It's almost always an after-the-fact announcement. The exception being when someone finds out about an exploit, and, instead of using it to malicious purposes, releases the information publicly (either for others to use it for malicious purposes, or simply to put pressure on companies to patch the exploit more quickly).
There is *usually* a difference in the open source community, where exploits are *usually* publicly announced to a wide audience which is expected to provide a patch as soon as possible. But it's a different model of "crowdsourced" software development.
Linden Lab is one of those companies having a foot on either side. On one hand, on their *closed source* software (the servers), they are able to just publish the exploits after they get fixed. On the other hand, on their *open source* software (the clients), they could hypothetically crowdsource some help to fix those exploits *if* the developer community is made aware of them. But then again, this would mean that malicious use of those exploits would be widely available to every cracker and script kiddie out there — until a fix is available, which often takes months or years.
Taking a look at the SLdev mailing list it seems that this is the sort of question that gets a different answer depending on who's writing about it :) The way Rob puts it, the purpose of LL to have this "early warning list" is less to crowdsource developers to fix the exploits for them, but more for third-party developers to be able to fix their viewers at the same time as LL. Well, Jacek argues (quite well) that third-party developers are not hampered by LL's long-winded development procedures: if they get a fix for an exploit, they can deploy it as quickly as LL can send that patch ("in a few hours"). What this means is that the "early warning list" is pretty useless — LL is assuming that everybody else is as slow as them and "requires time" to apply a patch. They don't. They can do it *instantly*. With that reasoning in place, an "early warning list" doesn't really make much sense.
The other aspect of creating this "early warning list" would obviously be a cry for help for developers to contribute code to fix the exploit. Well, Rob apparently is not considering that at all. In fact, reading the SLdev list, it seems that most of the time, when external developers find an exploit by chance, they are *much quicker* than LL to patch their own viewers, and in some cases even post the patch to the pJIRA (where LL often "buries" it in an attempt to avoid drawing too much attention until their own developer team can implement the fix on LL's own viewers — a process usually taking several months).
So, at the end of the day:
- publishing known exploits WITHOUT workaround information seems to be quite reckless; the public in general ought NOT to be made aware of those. On the other hand, IF there is a known workaround, it ought to be released immediately
- giving "advance warning" to a list of developers (especially if LL already has a patch and is NOT looking for help developing one) is pretty useless. Developers are instantaneously quick to reply to a patch as soon as it's made available, so no "advance warning" is really *very useful*. The fear that the "wrong" people get the advance warning and are able to use the exploit for malicious purposes (even if in a very short timeframe) far outweighs the advantage of giving a few honest developers advance warning for something they'll be able to fix pretty quickly anyway
So the more reasonable approach seems to be:
- don't give anyone "advance warning" at all, UNLESS there is a simple workaround for the exploit: in that case, publishing the workaround ASAP *publicly* is quite a sensible move!
As a side note, it would also be great for LL to create a "Mythbusters" webpage where, from a position of authority, they could dispel some popular urban myths. A typical one is the belief that writing the word "!quit" in chat every few minutes will prevent CopyBot from copying your content ;)
Yo Brewster said on 9:08PM 12-27-2008
You're 100% correct Gwyneth - what would LL gain from disclosing a viewer vulnerability to the outside world? Revealing any of this info prior to coming out with a patch would indeed be reckless. It is however very normal that it takes LL much longer to implement updates simply because their audience is a bit larger than those of any other 3rd party viewer.
Tabliopa Underwood said on 1:15AM 12-28-2008
I just pick up on the kinda exploit that does the most damage imo. A person discovered a way to get free advertising listing. Another person discovered another way to do same thing. They report to Linden Lab and were told that Linden Lab already knew for quite a while about it. And that one day they will fix. So those people went public and LL fix straightaway.
The people who get hurt here are the people who bought adverts during this period not knowing that other people were getting the same and higher listings for free. They were bidding and paying their own real money against nothing.
Is a big call for Linden Lab to tell people about this kinda thing ya as it will cost them money. But is not right really to continue to take money in these circumstances. Especially when there was a fix but it wasn't considered important enough to fix urgently simply because not everyone knew about it.
These kinds of exploits that impact on other people's money should be advised immediately I think. Is not a security issue at all really. It's more a market disclosure thing I think.
Sim crashy thingys ??? That's kinda military stuff so ya I can see why Linden Lab maybe not want to share that until they have a fix in place.
Tateru Nino said on 1:18AM 12-28-2008
Well, things that crash sims or are exploits in server-side code wouldn't be included for disclosure under this proposal.
Of course, the whole thing becomes moot if exploits aren't fast-tracked to fixes.