
Are LL so tight???



LL still owe me 10,000L$ from a SEC project Jira I made about a virus-infected JPEG on their website. The Jira was answered very quickly, saying they would look into it. That JPEG and the whole webpage have since been removed, but where is my 10,000L$ reward that the wiki says you get? I even said I would donate it to Relay of Life and the Sophie Lancaster Foundation in SL!

This happened several years ago and the Jira is still open!

copy paste:-

 

Description

http://solutionproviders.secondlife.com/

Avast blocks a url and jpg reporting them as infected

Activity

Phoebe Avro added a comment - 09/May/12 9:46 PM

http://virtualitalians.com/images/logoSP... is the url that's reported

Soft Linden added a comment - 09/May/12 9:46 PM

Thank you for the report, Phoebe. We're having a look now.

Phoebe Avro added a comment - 01/May/13 5:40 PM

Since the webpage on the LL website is now removed, do I get the 10,000L$? ^^ If I do, I will donate it to Relay of Life and the Sophie Lancaster Foundation at the World Goth Fair.

By the dates you can see I waited a year before adding another comment, so where is the cash?

 

some notes:-

Technically a virus or malware is a security exploit if it is present upon their site. It would potentially allow for the user's identity to be compromised or real life financial issues if left unchecked.

Therefore it falls squarely within the SEC bounty.

It could potentially allow for keyloggers to be installed in the viewer, thus potentially opening up the resident's real life identity to exposure, and could cause the viewer (client) to be remotely monitored or controlled.

In essence it could be a highly targeted attack. You are viewing a page about SL, perhaps you have an SL viewer installed. Install malware that looks for common SL libraries, infect them with keylogger or remote monitor/control software without user consent.

I mean seriously, how many are aware of the text track on image files? Or the fact that under some conditions programming code can be run from them by opening the file and viewing it?

 

Phoebe Avro

 

 

 

 


This is a really old exploit which was, to be honest, very rarely encountered [and exploited] in the wild. The "junk" text in the affected image file [2005] or .wmf meta text area [2007] only affected specific platforms of Windows XP and Server 2000. The perfect storm of a particular patch history and the availability of other exploits to use the possible buffer overrun executable code thread left in memory made this an over-publicized issue back in its day. These were server-side exploits that could be triggered when a compromised image was 1) viewed by the affected rendering .dll or 2) processed by a media .sll on a particular Windows PC with JScript running?

I remember all the rage directed at this exploit's discovery and the useless conspiracy theories regarding the flawed design assumptions. I mean, basically someone wrote code that got confused when the meta-data area was longer than x number of bytes.

This was a tempest in a teapot. Overblown from the beginning by self-serving "experts" that equated the potential of an exploit with a [veiled] reality. The actual reality was, other than a lot of lab projects, the worst thing I recall about this debacle was the "phoning home" exploit that allowed the remote data collector to know an infected graphic [or media file] was located on a PC with a [gasp] discovered IP address. Those holes were plugged quickly.

So what exactly are you referring to? You believe Linden Lab owes you L$10,000 [$37.50 USD] - Really? Because you asked them to take down a picture with a possible exploit in it? Seriously?

 

 

 

 

 


I think the problem here is in understanding what is meant by "Exploits" when they are mentioned in the Wiki.

http://wiki.secondlife.com/wiki/Security_issues

Exploits refer to "holes in the code" that allow people to accomplish one or more of the four listed problems.

For example, there is a setting in Land to prohibit 'object entry.'

If you found a way using LSL functions to bypass that, then that would be an "exploit."

(I saw that happen with a particular griefer attack.  LL had scripts shut down on my SIM while they cleaned up that mess).

The above is just my opinion but I think I'm correct.

Did you try contacting Soft about this? 

And yes, I'm aware we could get off into a whole side discussion about why they don't clarify this.

 

 



Perrie Juran wrote:

I think the problem here is in understanding what is meant by "Exploits" when they are mentioned in the Wiki.

Exploits refer to "holes in the code" that allow people to accomplish one or more of the four listed problems.

For example, there is a setting in Land to prohibit 'object entry.'

If you found a way using LSL functions to bypass that, then that would be an "exploit."

(I saw that happen with a particular griefer attack.  LL had scripts shut down on my SIM while they cleaned up that mess).

The above is just my opinion but I think I'm correct.

Did you try contacting Soft about this? 

And yes, I'm aware we could get off into a whole side discussion about why they don't clarify this.

 

 

And if they paid L$10,000 for notifying them about images with malicious data, what would prevent someone from putting up one of these images themselves and then notifying the lab about it to collect the reward?


I've filed a few SEC issues, some of which were fixed. I only got paid a bounty for one of them. The issue I was paid a bounty for was by far the most serious issue I reported to SEC though and it was fixed within an hour. I guess they only pay out for the really evil stuff.

Not complaining, I was chuffed to get my first bounty.



Phoebe Avro wrote:

LL should remove the section of the wiki that states they pay 10.000L$ then

OK, let's see....

Issues pertaining to the security of Second Life should be sent to Linden Lab via special mechanism described below. Please help us keep Second Life secure by ensuring that possible security exploits aren't broadly advertised before a fix is available.

So just what constitutes a security issue? If an issue poses any of the following threats to Second Life, its Residents or content, then it is an exploit and should be reported:

  • exposes real life Resident identity without consent
  • destroys content
  • permits unauthorized access to Second Life/Linden Lab resources
  • compromises a client or server host subjecting it to remote control

When reporting an exploit, please provide as much detail as possible, including the environment used (e.g. Windows XP Service Pack 2, Nvidia 6800 etc.) and the complete reproduction case. Linden Lab offers a L$10,000 bounty for each previously unknown exploit that can be verified. Please report issues as soon as they are discovered!

Filing issues

There are two ways to file security reports:

  • In the SEC project on jira.secondlife.com (PREFERRED). It's VERY IMPORTANT that you file issues in the SEC project, which is the only project set up so that only the reporter and Linden Lab can view the issue.
  • Via email: security@lindenlab.com

Warning: The SEC project (and security mailing list) is ONLY for reporting security exploits that might compromise a Resident's identity or the Second Life Grid. All other requests including account issues and account security via this address will not be addressed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Did your filed report specifically identify one of these 4 categories of security issues?

Probably not.

A picture with an over-long metadata field on a wiki page controlled by LL would not qualify. Why? Because the supporting LSL code or JScript code needed to trigger the junk [potentially] left in memory can't be run since the website is not compromised. Just the presence of a picture with a malformed metadata field is harmless without the associated triggering scripting. All your AV software did was warn you about a malformed picture on the website. The snippet of code that the AV signature comparing software found was only a partial identification of an over-long metadata field. Since the wiki web site is otherwise secure, no real threat was in reality prevented.

Was the Linden Research staff being cautious to remove the offending wiki article and picture? Sure. Was a disaster prevented? Not really.

 

 

 

