SL projects update week 33/1: SL news and BCU exploit

Server Deployments

As always, please refer to the server deployment thread for the latest news and information.

It’s another lightweight week in terms of deployments.

  • On Tuesday August 12th, the Main (SLS) channel received the server maintenance package deployed to the RC channel in week 32, which primarily addresses the JSON issue “Valid JSON numbers like 0e0 no longer valid after 14.06.26.291532” (BUG-6657). As noted in week 32’s report, this “fix” in fact rolls back the fix for an earlier JSON issue (BUG-6466), which appears to have triggered the more recent issue. A fix for both problems is now in the works.
  • There are no RC channel deployments for week 33.

SL Viewer

As I reported here, a new version of the experimental log-in viewer arrived on Friday August 8th. Version 3.7.14.292660 has yet to appear on the Alternate Viewers wiki page, but displays a revised log-in screen which has the log-in credentials moved to the top of the screen.

The new log-in splash screen sees the removal of the Create Your Account option and the placement of the log-in options at the top of the screen in a new header area

In addition, for users logging in to Second Life for the very first time using the viewer (or who have performed a completely clean install), a very simple log-in screen is displayed, which explains to users that they’ll be logged in to a Learning Island, where they’ll have to find their way to the exit portal in order to proceed to a Social Island (both the Learning Island and Social Island being elements introduced to the new user experience in July 2013).

All other SL viewer versions remain as per the Alternate Viewers wiki page / my Current Viewer Releases page.

Simulator User Group Meeting

There was no Open-source Development meeting on Monday August 11th or Simulator User Group meeting on Tuesday August 12th, as the Second Life technical team are all attending a planning / brainstorming session. These meetings will resume as usual in week 34, with the Server Beta meeting on Thursday August 14th the next scheduled User Group meeting.

Other Items

Windows BCU Exploit

This isn’t a project update or notification from Linden Lab. I’m including it here for ease of reference.

A note card is circulating from the United Content Creators of SL relating to an exploit using the Browser Configuration Utility (BCU) which can be found on Windows systems.

BCU is described as follows: “Search Hook Addin is an Internet Explorer URL search hook that redirects search results when an address or search keyword is entered into the web browser.” Among other things, it is sometimes bundled with Gigabyte motherboards, although there have been reports that it can also be shipped with Asus and other main boards. It’s been a known source of potential annoyance since mid-2009.

According to the UCCSL note card, some people are using BCU as a phishing exploit using profile weblinks, streaming media, media on a prim and perhaps even via bots wearing transparent prims with streaming media. To quote the note card:

This Exploit redirects your Viewer to another website other than SL that will display the normal SL login screen, then tell you that your login credentials are incorrect. While it is telling you that your login credentials are incorrect, it is collecting your login data. At this time we have found hundreds of web resources that are transmitting this infection, and a large number of user profiles with these links in them.

Apparent signs of infection are that the viewer takes a lot longer to initialize when you try to start it, and it fails to recall your user name, if saved, and the note card refers to an EULA being displayed, which I assume is a reference to the ToS.

The recommended means of dealing with the issues is to:

  • Use the Windows Task Manager’s Process tab to see if your computer is running BCU.exe*32 and BCUService.exe (make sure you use Show Process from all users if more than one person uses your computer)
  • BCU can generally be removed from a computer without affecting its performance or use, so you may want to check your system and remove the utility altogether, either via the Control Panel > Programs and Features or manually (the utility should be around 356-357 KB in size according to DirectVM)
  • Go to the SL website at http://www.secondlife.com, and use the account section of your dashboard to change your password. Logout and log back into the website to confirm your updated password
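
The first two checks above can also be scripted. The following read-only PowerShell script is an added example, not part of the note card or of this post; the process names come from the note card, while the “Browser Configuration Utility” display-name match and the registry locations it inspects are assumptions about where the utility would show up.

```powershell
# Added example: read-only check for the BCU utility. Process names are from
# the note card; the display-name pattern and registry paths are assumptions.
$names = 'BCU.exe', 'BCUService.exe'

# 1. Matching processes in every session (run elevated to see full paths).
$procs = Get-CimInstance Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $sizeKB = $null
        if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
            $sizeKB = [math]::Round((Get-Item -LiteralPath $_.ExecutablePath).Length / 1KB)
        }
        [pscustomobject]@{ Name = $_.Name; ProcessId = $_.ProcessId
                           Path = $_.ExecutablePath; SizeKB = $sizeKB }
    }

# 2. Services whose binary path mentions BCUService.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'BCUService' } |
    Select-Object Name, State, StartMode, PathName

# 3. Entries under Programs and Features (64-bit and 32-bit views).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Browser Configuration Utility' } |
    Select-Object DisplayName, Publisher, UninstallString

# 4. Internet Explorer URL search hooks for the current user, with the DLL
#    each CLSID resolves to, so unexpected hooks can be reviewed.
$hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
$hooks = @()
if (Test-Path -LiteralPath $hookKey) {
    $hooks = foreach ($clsid in (Get-Item -LiteralPath $hookKey).Property) {
        foreach ($root in 'CLSID', 'WOW6432Node\CLSID') {
            $key = "Registry::HKEY_CLASSES_ROOT\$root\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { [pscustomobject]@{ Clsid = $clsid; View = $root; Dll = $dll } }
        }
    }
}

'Processes:';    $procs    | Format-Table -AutoSize
'Services:';     $services | Format-List
'Programs:';     $programs | Format-List
'Search hooks:'; $hooks    | Format-Table -AutoSize
```

The SizeKB column can be compared against the 356-357 KB figure quoted above; the script changes nothing, so removal and the password change remain manual steps.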

As further precautionary measures, disable your viewer from playing media automatically and from playing media attached to other avatars (both under Preferences > Sound and Media). Also, if you have a viewer with the media filter installed, make sure you have it enabled so you can check audio streams – but remember the filter doesn’t provide any safeguard against media on a prim, so always be wary of untrusted MOAP sources. Finally, don’t click on links in the profiles of people you don’t know / trust.

4 thoughts on “SL projects update week 33/1: SL news and BCU exploit”

    1. As far as I’m aware, BCU is Windows-oriented (or appears to be from the forums I’ve read, which mostly date back to 2009/10). Gigabyte and ASUS seem to have been the primary motherboard manufacturers who bundled it.
