Important Plugin Security Update - VaM 1.20.77.6 Patch Released. (Patreon)
Last week there was a post on the Reddit VAMScenes sub claiming hackers were going to target the VaM application (https://www.reddit.com/r/VAMscenes/comments/ldd8ze/warning/). While the threat did not seem to be very credible, we chose to be on the safe side and spent several days on further restricting what plugins can do. We strongly recommend you update to this patch immediately if you have plugins enabled. We have closed off much more of the system code even if there was not an obvious threat in some of those areas. Plugins should not have to use what we closed off, and we tested dozens of plugins to make sure they did not break with the new restrictions.
In addition to the new plugin code restrictions, VaM will now also ask you, when a plugin first tries to load, whether you want to allow it. You can choose to always allow it, which will then be saved as a user preference for that specific version of the plugin and be remembered. We suggest you only allow plugins from creators and download sources you trust, even with the new restrictions in place. This new opt-in system applies only to plugins loaded from var packages. Plugins developed locally in the Custom/Scripts folder or otherwise distributed are not on the opt-in system. All plugins, however, are under the new code restrictions mentioned in the first paragraph.
If you are uncomfortable with any of the risk involved in using plugins, we recommend you disable them and use VaM without them. This is the default behavior. As it says in the user preference page when you enable plugins, you are accepting that risk by enabling plugins.
On a lighter note, this patch also includes a few other bug fixes and usability tweaks listed below in the Release Notes section.
Getting This Release:
If you already have VaM and would like to update to 1.20.77.6, simply launch VaM_Updater.exe and click the button at the bottom to update. If you don't yet have VaM, see the download post here:
https://www.patreon.com/posts/downloading-and-32794384
Release Notes:
Features:
- Plugins - improved security - more restrictions on what system code plugins can call
- Plugins - Per-plugin opt-in - improves security by prompting the user to approve a plugin the first time it attempts to load
Tweaks:
- Usability - grabbing a node that is in "lock" state now keeps the forces the same as lock while grabbing instead of using the regular on state forces. Prevents jerking of the node when moving.
- Usability - Scene Misc sliders replaced with updated versions that allow typing in the value and have increment buttons
- Usability - Person percent spring/damper sliders now have +- buttons for finer control
- Usability - UIToggle atom - now the whole panel acts as the toggle for easier selection
- Usability - added new user preference for setting the world UI height in VR to accommodate different user heights and also a sitting VR experience
- Usability - pointers are now always shown when controller select button/touchpad is touched in play mode and UI is closed to make it easier to interact with in-game UI elements. User preference that can be turned off if old behavior is desired.
Bug Fixes:
- Fixed major load performance issue with really long load times when the current scene had a lot of atoms in it
- CyberApartment shelves now have proper collision