What's the thing with the latest security update? Have any of you gotten into trouble by downloading something from f95?
VaM 1.22.0.6 Security Patch
December 7
Important Info! Please READ!
Please update immediately to the 1.22.0.6 security patch. A security hole with the plugin system was reported to us earlier this week by community member TBD. A huge thank you to them for bringing this to our attention privately so we could address it properly without allowing others to utilize the exploit while we worked on a patch and additional safety on the Hub.
The 1.22.0.6 patch addresses this security hole. We highly recommend everyone update to 1.22.0.6 immediately as the security hole could be used by a malicious plugin creator to run unauthorized programs on your computer when that plugin is loaded or running. For those that can't update for whatever reason, we strongly suggest you disallow loading of any plugins from sources you don't recognize or disable plugins completely. These options are in the User Preferences Security tab inside VaM (see screenshot below).
In addition to releasing this patch, we have scanned all plugins uploaded to the Hub, and as expected, none of them are using this exploit. We have taken further measures to prevent releasing code to the Hub that uses this exploit in case users are not aware or not able to update to 1.22.0.6. You can be assured that plugins downloaded from the Hub are safe from this exploit, but we would encourage you to be extra careful of plugins hosted outside of the Hub as we cannot check those.
If you are using 1.22.0.6, the unsafe method gets automatically mapped to a new safe method so it seamlessly works with older plugins that used this method in a non-malicious way. 1.22.0.6 blocks all malicious uses of this method. It is therefore highly recommended to update to 1.22.0.6 even if you are only using plugins from the Hub, and it is especially critical to update to 1.22.0.6 if you use plugins that are not hosted on the Hub.
More Info
The security patch released yesterday (1.22.0.4) addressed the immediate security issue, but it was too restrictive and broke many popular plugins. There was also an accidental change to the shadowing CG code which caused changes in lighting on models. As such, we removed that patch and have issued this one as a replacement. 1.22.0.6 properly fixes the security hole and does not have the accidental shadowing code change.
This is a good reminder that running plugins is potentially dangerous even with our security sandbox in place. You can disable or restrict plugins in the User Preferences Security tab shown below. By default, all plugin loading prompts you if you want to load a specific plugin or not. It is highly recommended you only load plugins from sources you trust. When plugins load, they alert you, and you can deny loading them once or always as needed. Please review all the info in the Security tab to be sure you are comfortable with your settings. The ? buttons next to the checkboxes show additional info of each setting.