Important Security Patch: VaM 1.22.0.10 Released
Added 2025-02-03 17:14:15 +0000 UTC
Summary:
Please update immediately to VaM 1.22.0.10 to get important security updates
Background:
After the immediate-risk security patch last week, we did more extensive scans and checks of the code and discovered more vulnerabilities when using plugins. We will continue to patch VaM1 over time as needed for security updates while VaM2 continues to be the main focus.
How to get the patch:
Simply run VaM_Updater.exe in your VaM install folder and click the button at the bottom right to update to 1.22.0.10.
Security risks addressed in this patch:
Plugins could use specific methods to read or write files outside of VaM's secure sandbox. Plugins are normally restricted to only being able to read or write to specific folders in your VaM install folder. We have blocked many more of these methods.
Plugins can no longer adjust specific user preferences.
Additional Fix/Tweak:
We corrected an issue where file names were not included when a plugin using cslist files had an error. The file names were useful to plugin writers for debugging, and reporting them broke with our previous security patch. This is now working properly again.
Recommendations:
Immediately patch to 1.22.0.10
Use the "Allow Plugins Network Access" preference with caution, as it poses the most risk in usage of all the user preferences. This option is disabled by default.
Never run VaM with administrator privileges.
If you are still concerned about security risks, consider running VaM with a dedicated user account that you don't use for anything else besides VaM.
Only load content from sources you trust.
More Info:
We have scanned all of the Hub-hosted plugins, and as expected, none of the Hub-hosted plugins are using any of these methods in a malicious way.
At this time, we are not giving more specifics on exactly what the patch restricts to give users time to apply the patch to their installs before malicious actors have a chance to act on this info.
Comments
ok thank you
Dave Chopp
2025-02-07 01:53:01 +0000 UTC
Instead of clicking the Update To button at the bottom, hit Options, select the latest version in Desired Version drop-down, and then click Sync/Repair Core. That won't sync over the content you might have deleted.
Meshed VR
2025-02-06 19:32:55 +0000 UTC
Is there a way to install this patch without doing the update? Every time I do an update it reinstalls all the default VaM content as well, like scenes and demos and stuff I don't want.
Dave Chopp
2025-02-06 18:38:19 +0000 UTC
Can you please prevent plugins from downloading other plugins?
SamanthaJ
2025-02-04 01:36:06 +0000 UTC