Important Security Patch: VaM 1.22.0.12 Released
Added 2025-02-07 19:33:20 +0000 UTC
Summary:
If you use plugins in VaM, please update immediately to VaM 1.22.0.12 to get important security updates.
Background:
We were alerted by community member SPQR of an additional security risk in the plugin system still present in our last release. We always appreciate when members of the community contact us directly when they find security risks and provide details to aid us with creating a patch to address them.
The plugin system is the system that allows you to load 3rd party community created code within VaM. In security patches like this one we are adding additional restrictions to this plugin system to prevent 3rd party code from having access to things they shouldn't have access to.
In addition, our last release broke a couple of community created plugins due to a mistake in one of the security restrictions we put in. We wanted to put a patch out to address this and allow those plugins to work again.
We will continue to patch VaM1 over time as needed for security updates while VaM2 continues to be the main focus.
How to get the patch:
Simply run VaM_Updater.exe in your VaM install folder and click the button at the bottom right to update to 1.22.0.12.
Security risks addressed in this patch:
Plugins could use a specific method to write files outside of VaM's secure sandbox. We have blocked this additional method that was discovered. Plugins are normally restricted to only being able to write to specific folders in your VaM install folder.
Blocked additional methods for plugins to access specific parts of our internal code that plugins should not have access to.
Additional Fix/Tweak:
Fixed one of the restrictions introduced in the last patch that broke a few plugins. We now allow a specific safe method exception that was needed by those plugins.
Recommendations if you use plugins in VaM:
Immediately patch to 1.22.0.12
Use the "Allow Plugins Network Access" preference with caution, as it poses the most risk in usage of all the user preferences. This option is disabled by default.
Never run VaM with administrator privileges.
If you are still concerned about security risks, you can disable plugins completely. Plugins are disabled by default. If you do use plugins, consider running VaM with a dedicated user account that you don't use for anything else besides VaM. An alternative is to run VaM in a sandbox application like Sandboxie.
Only load content from sources you trust.
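One way to set up the dedicated, non-administrator account recommended above, as an added example that is not from the VaM developers. The account name, the install path and the executable name are assumptions to replace with your own.

```powershell
# Added example: one-time setup of a dedicated standard account for VaM.
# Run from an elevated PowerShell prompt. Assumed values are marked.
$UserName = 'vam-only'                    # assumption: any unused local account name
$VamDir   = 'D:\VaM'                      # assumption: your VaM install folder
$VamExe   = Join-Path $VamDir 'VaM.exe'   # assumption: main executable name

if (-not (Test-Path $VamExe)) { throw "VaM executable not found at $VamExe" }

# Create the account if it does not exist yet; the password is prompted, never stored.
$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $user) {
    $password = Read-Host "Password for $UserName" -AsSecureString
    $user = New-LocalUser -Name $UserName -Password $password `
        -Description 'Runs VaM only' -PasswordNeverExpires
    # Well-known SID S-1-5-32-545 is the built-in Users group (its name is localized).
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $UserName
}

# Refuse to continue if the account is a member of Administrators (S-1-5-32-544).
$isAdmin = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID -eq $user.SID }
if ($isAdmin) { throw "$UserName is in Administrators; remove it before use." }

# Give the account modify rights on the VaM folder only, inherited by its contents.
icacls $VamDir /grant "${UserName}:(OI)(CI)M" | Out-Null

# Launch: prompts for the account's password and starts VaM under that identity
# instead of your own. This line also works from a normal, non-elevated prompt.
Start-Process -FilePath $VamExe -WorkingDirectory $VamDir `
    -Credential (Get-Credential -UserName $UserName -Message 'VaM account')
```

The account can still read whatever the built-in Users group can read; what it removes is plugin code running with access to your own user profile.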
More Info:
We are done actively looking for security holes and do not have any more security patches planned. We will, however, make more patches as needed if we are alerted to additional risks.
We have scanned all of the Hub-hosted plugins, and as expected, none of the Hub-hosted plugins are using any of these methods in a malicious way.
At this time, we are not giving more specifics on exactly what the patch restricts to give users time to apply the patch to their installs before malicious actors have a chance to act on this info.
Comments
The day I discovered VaM, it became more than an outlet. I would like to re-download VaM1 because I have been running into difficulties since reconfiguring my PC to Windows 11. Would anyone have a link, please?
Rico
2025-05-10 15:16:44 +0000 UTC
I mentioned a couple of options in the post. Run using a dedicated user account just for VaM or use a container app like sandboxie. Or disable plugins altogether, although that would severely limit the number of community created scenes you could use without issues since most scenes rely on plugins.
Meshed VR
2025-02-18 11:59:22 +0000 UTC
VaM can run full screen or in a window (hit Alt+Enter to switch). It should support ultra-wide already? Unfortunately I don't have one to test with, but I might be able to fake that resolution on my 4k monitor.
Meshed VR
2025-02-18 11:55:08 +0000 UTC
What are best practices to reduce risk? Would running in a container be advisable?
JJ
2025-02-18 04:25:14 +0000 UTC
Is there any way we can get an ultra wide resolution (3440x1440) for PC since ultra wide monitors are pretty common nowadays?
Michael Price
2025-02-15 23:28:03 +0000 UTC
That is very good advice.
Meshed VR
2025-02-08 14:09:54 +0000 UTC
I haven't heard about that or seen that. I'm not sure what would cause that. We haven't changed the user confirm code at all. Can you try a clean install in a new folder without any community content loaded? Please PM me if you can't figure it out. There may be some info in the log files that could help.
Meshed VR
2025-02-08 14:08:14 +0000 UTC
An additional security layer is to NOT download VaM plugins outside the hub. If you really have to, make sure it's from a reputable source.
Torsimus Bacchus
2025-02-08 11:41:47 +0000 UTC
Since this patch I’ve been having this bug where the “allow load of plugins from *plugin name*” won’t go away after allowing. I’ve restarted, re-installed, idk what to do, I’m lost.
Oderaa
2025-02-08 08:01:27 +0000 UTC
Yes, thank you! That is exactly it. These are preventative measures. We were on a security kick. Our 1.22.0.8 security patch actually prompted a community user to try to poke more holes in the plugin system and they found one that is addressed in this patch. So I would say these things come in bursts. We believe we are done making security patches for a while.
Meshed VR
2025-02-07 20:37:06 +0000 UTC
I can see how it looks that way. Please note all of these fixes are to the plugin system. This system is off by default and comes with a warning about turning it on. This is the system that allows you to load 3rd party community created code within VaM. In these security patches we are adding additional restrictions to this plugin system to prevent 3rd party code from doing things it shouldn't. One way to look at this is VaM was already blocking 1000s of ways for 3rd party code to do things that could be used in a malicious way (like overwriting files). After these 3 patches, it now blocks 5 or 6 more. We have no indication these methods were ever used anywhere. These are all preemptive fixes, and most of these methods are very obscure (which is why they were not found previously). For this specific burst of releases, we had back-to-back alerts from community members about discovered risks in the plugin system, and we also decided to do our own comprehensive security review in the middle using new tools that were not previously available. So that is why there are 3 patches in a short succession. I can always issue a refund to anyone who is still concerned and does not want to use the software. Please DM me if you would like to do so.
Meshed VR
2025-02-07 20:32:06 +0000 UTC
These updates are a result of preventative measures. They are just on a security blitz right now, none of these vulnerabilities have been exploited, but as soon as they mention them out loud like this, it's best to get the patch. It's unlikely anyone would bother to exploit something that has just been patched, especially when updates are automatic like this, but still a good idea.
Brent McNeil
2025-02-07 20:23:59 +0000 UTC
No offence but I just became a member a couple weeks ago. If I would have known the program was so unsafe I would not have made the purchase. I have already updated 3 times for security reasons. I can only imagine what Vam2 will have in store.
J Renaud
2025-02-07 19:57:37 +0000 UTC