Last week there was a post on the Reddit VAMScenes sub claiming hackers were going to target the VaM application (https://www.reddit.com/r/VAMscenes/comments/ldd8ze/warning/). While the threat did not seem to be very credible, we chose to be on the safe side and spent several days further restricting what plugins can do. We strongly recommend you update to this patch immediately if you have plugins enabled. We have closed off much more of the system code, even where there was no obvious threat in some of those areas. Plugins should not have to use what we closed off, and we tested dozens of plugins to make sure they did not break with the new restrictions.

In addition to the new plugin code restrictions, VaM will now also ask you, when a plugin first tries to load, whether you want to allow it. You can choose to always allow, which is then saved as a user preference for that specific version of the plugin and remembered. We suggest you only allow plugins from creators and download sources you trust, even with the new restrictions in place. This new opt-in system is only for plugins loaded from var packages. Plugins locally developed in the Custom/Scripts folder or otherwise distributed are not on the opt-in system. All plugins, however, are under the new code restrictions mentioned in the first paragraph.
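A minimal model of the per-version opt-in described above, as an added example that is not VaM's own code. The `PluginTrustStore` class, the JSON layout and the package names are assumptions made for illustration; the point is that a remembered choice is pinned to one version, so an updated package prompts again.

```python
import json
from enum import Enum

class Decision(Enum):
    PROMPT = "prompt"  # no remembered choice: ask the user
    ALLOW = "allow"
    DENY = "deny"

class PluginTrustStore:
    """Hypothetical model: choices are remembered per package AND version."""
    def __init__(self, remembered=None):
        self._remembered = dict(remembered or {})  # "name@version" -> "allow"/"deny"

    def check(self, package, version, from_var_package=True):
        # Per the post, only plugins loaded from var packages are on opt-in;
        # local Custom/Scripts plugins get no prompt (code restrictions still apply).
        if not from_var_package:
            return Decision.ALLOW
        saved = self._remembered.get(f"{package}@{version}")
        return Decision(saved) if saved else Decision.PROMPT

    def remember(self, package, version, decision):
        if decision is Decision.PROMPT:
            raise ValueError("only allow/deny can be remembered")
        self._remembered[f"{package}@{version}"] = decision.value

    def forget(self, package, version):
        # Clears an "always allow" / "always deny" choice so the prompt returns.
        self._remembered.pop(f"{package}@{version}", None)

    def dumps(self):
        return json.dumps(self._remembered, sort_keys=True)

    @classmethod
    def loads(cls, text):
        data = json.loads(text)
        # Accept only the two known values; an edited file cannot add a new state.
        bad = sorted(k for k, v in data.items() if v not in ("allow", "deny"))
        if bad:
            raise ValueError(f"invalid remembered decisions: {bad}")
        return cls(data)

def demo():
    store = PluginTrustStore()
    store.remember("ExampleCreator.ExamplePlugin", "3", Decision.ALLOW)  # constructed names
    restored = PluginTrustStore.loads(store.dumps())
    return (restored.check("ExampleCreator.ExamplePlugin", "3"),   # remembered
            restored.check("ExampleCreator.ExamplePlugin", "4"),   # new version: ask again
            restored.check("LocalScript", "0", from_var_package=False))
```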

If you are uncomfortable with any of the risk involved in using plugins, we recommend you disable them and use VaM without them. This is the default behavior. As it says in the user preference page when you enable plugins, you are accepting that risk by enabling plugins:

On a lighter note, this patch also includes a few other bug fixes and usability tweaks listed below in the Release Notes section.

Getting This Release:

If you already have VaM and would like to update to 1.20.77.6, simply launch VaM_Updater.exe and click the button at the bottom to update. If you don't yet have VaM, see the download post here:

https://www.patreon.com/posts/downloading-and-32794384

Release Notes:

Features:

  • Plugins - improved security - more restrictions on what system code plugins can call
  • Plugins - Per plugin opt-in - improves security by prompting the user for approval the first time a plugin attempts to load

Tweaks:

  • Usability - grabbing a node that is in "lock" state now keeps the forces the same as lock while grabbing instead of using the regular on state forces. Prevents jerking of the node when moving.
  • Usability - Scene Misc sliders replaced with updated versions that allow typing in the value and have increment buttons
  • Usability - Person percent spring/damper sliders now have +- buttons for finer control
  • Usability - UIToggle atom - now the whole panel acts as the toggle for easier selection
  • Usability - added new user preference for setting the world UI height in VR to accommodate different user heights and also sitting VR experience
  • Usability - pointers are now always shown when controller select button/touchpad is touched in play mode and UI is closed to make it easier to interact with in-game UI elements. User preference that can be turned off if old behavior is desired.

Bug Fixes:

  • Fixed major load performance issue with really long load times when the current scene had a lot of atoms in it
  • CyberApartment shelves now have proper collision

Comments

TempestVR

Will this affect the ability of VaM to access serial ports? This is a very important feature for me as my robot control plugins depend on it.

Lamp

Thank you for addressing this, regardless. Also, could we get an arrow to select the next object on custom unity assets? Would save a few clicks instead of opening the drop down menu and scrolling to the next object.

meshedvr

System.Net is still open if that is what you are using. System.IO has always been closed.

meshedvr

Not planning any more 1.X releases at this time as we are full time on 2.X now. This 1.X patch was only done due to security concerns. Will keep this in mind for 2.X although the system will be quite different.

Anonymous

Thanks for your diligence Meshed! Great work as always. I can assure you as someone who has written a lot of C# code in Unity and imported that compiled code as DLLs to be used inside VaM, that the file system is OFF LIMITS - I've tried every possible way that I'm aware of within Unity's implementation of C# and its libraries to store data on a user's system outside of the filemanagersecure class and/or JSON storables, not for malicious purposes, but just for my own peace of mind and exploration of persistence between scene loads with compiled Unity code (DLLs). It is restricted. I'm not a coder by trade, but I am great at breaking stuff, and I feel comfortable unequivocally stating the above.

PixelPorts

The warning is bigger than my window in desktop mode, can you fix that?

meshedvr

What resolution are you running? The plugin warning is the same size as some other popups so I would think you would have more trouble than just the new plugin prompts. You can adjust UI Scale on the bottom bar to scale the entire monitor UI down a bit

Megabyte

Thank you! Updated it earlier today, coincidentally clicked the update and found one! Glad to know you're keeping on top of this, I certainly didn't.

SCAMP

To be honest, I only download from the HUB nowadays, and the stuff there is 100% good.

PixelPorts

My monitor resolution is 2560x1440p, and I'm running the game on maximized windowed.

fredricred

Unfortunately many artists have some items linked outside the hub. Many times leaving things missing and errors everywhere.

Anonymous

"Not planning any more 1.X releases at this time as we are full time on 2.X now." Music to my ears.

SamanthaJ

I don't know why you think the hub would be immune to this issue. Anyone can upload and people can include plugins in their VARs.

meshedvr

Open the Package Manager (there is a button for this on the toolbar). Find the package that contains the plugin that you blocked and click on it. Then click on the User Prefs tab. There is a checkbox there to turn off the always allow or always deny settings.

Anonymous

Meshed VR - you guys are awesome. Thanks for keeping us safe. I used to run Honey Select but grew tired of it. I tried VAM and after a couple of days, I was a hair from throwing in the towel and deleting it because of the steep learning curve. Well, I like a good challenge and something inside me said just stick with it. So I did, learning as I went along, and now I'm enjoying it WAY too much! Thanks for an amazing program... from a twice-divorced guy. It's saving me a ton of money by not going out on dates. ;-)

meshedvr

Thank you! We hope to greatly improve new user experience in 2.X and also make the UI and other interaction a lot more intuitive. Thanks for sticking with it!

Anonymous

Sounds good! Is 2.X very far off? And yes, I'm very happy I stuck with it. Thank YOU for making it.

foxhound132

Unfortunately the warnings from packages don't give me enough detail to make an informed decision, as it sometimes only asks if I trust the package itself rather than the plugins contained. While a plugin name doesn't necessarily convey its true intent, it would be helpful to know the name of the plugins I'm accepting or rejecting, if that's possible in a future update. The ideal, moonshot version would have plugins register to access functionality, and the warning could report what they've registered to do.