meshedvr


VaM 1.22.0.6 Security Patch

Important Info! Please READ!

Please update immediately to the 1.22.0.6 security patch. A security hole with the plugin system was reported to us earlier this week by community member @TBD. A huge thank you to them for bringing this to our attention privately so we could address it properly without allowing others to utilize the exploit while we worked on a patch and additional safety on the Hub. The 1.22.0.6 patch addresses this security hole.

We highly recommend everyone update to 1.22.0.6 immediately, as the security hole could be used by a malicious plugin creator to run unauthorized programs on your computer when that plugin is loaded or running. For those that can't update for whatever reason, we strongly suggest you disallow loading of any plugins from sources you don't recognize or disable plugins completely. These options are in the User Preferences Security tab inside VaM (see screenshot below).

In addition to releasing this patch, we have scanned all plugins uploaded to the Hub, and as expected, none of them are using this exploit. We have taken further measures to prevent releasing code to the Hub that uses this exploit in case users are not aware or not able to update to 1.22.0.6. You can be assured that plugins downloaded from the Hub are safe from this exploit, but we would encourage you to be extra careful of plugins hosted outside of the Hub, as we cannot check those.

If you are using 1.22.0.6, the unsafe method gets automatically mapped to a new safe method, so it seamlessly works with older plugins that used this method in a non-malicious way. 1.22.0.6 blocks all malicious uses of this method. It is therefore highly recommended to update to 1.22.0.6 even if you are only using plugins from the Hub, and it is especially critical to update to 1.22.0.6 if you use plugins that are not hosted on the Hub.

More Info

The security patch released yesterday (1.22.0.4) addressed the immediate security issue, but it was too restrictive and broke many popular plugins. There was also an accidental change to the shadowing CG code which caused changes in lighting on models. As such, we removed that patch and have issued this one as a replacement. 1.22.0.6 properly fixes the security hole and does not have the accidental shadowing code change.

This is a good reminder that running plugins is potentially dangerous even with our security sandbox in place. You can disable or restrict plugins in the User Preferences Security tab shown below. By default, all plugin loading prompts you if you want to load a specific plugin or not. It is highly recommended you only load plugins from sources you trust. When plugins load, they alert you, and you can deny loading them once or always as needed. Please review all the info in the Security tab to be sure you are comfortable with your settings. The ? buttons next to the checkboxes show additional info about each setting.

Comments

I'm going to play on a computer; can I do what I want to the character?

Hamza Aslan

Thank you 😊

sirviceman one

Yes this patch is legit and you should update to it. If you have any continued worries, you can completely disable plugins, but in doing so you will lose out on a lot of great community content.

Meshed VR

Thank you! We take security seriously. All we have learned from VaM1 will be applied to VaM2 security since we want to support community plugins and addons in VaM2. We think community addons are what really make VaM special so we don't want to drop support for this important feature.

Meshed VR

It is a long-lived security flaw that affects everyone not running 1.22.0.6, which is why we want everyone to update. The hasty 1.22.0.4 was put out to address the flaw as soon as possible, and the hasty release is the reason there were issues with it. We corrected the issues in 1.22.0.4 in 1.22.0.6. To provide some comfort to users not running 1.22.0.6, we did scan all of the plugins that have been uploaded to the Hub (where most people get their content), and none of them take advantage of this flaw. We also have taken additional steps to improve upload screening on the Hub such that new resources or updates submitted will be rejected if they try to utilize this flaw.

Meshed VR

Run VaM_Updater.exe found in your install folder.

Meshed VR

It is in the VaM folder with the program.

Wayne Dunn

Well played, Meshed. You and the team are very much appreciated. I have never seen a group of people act so quickly. My hat's off to you folks.

Wayne Dunn

Is this a long-lived security flaw that affects everyone or just what you released in the last day or so in your flurry of updates?

jfleming

link ?

manuel amavizca

A link to the updater would be nice.

Mogens Hansen

I mean that was my first reaction as well. :)

Meshed VR

Wow. Thank you! We are doing our best, and the community is amazing.

Meshed VR

Hi VR, just wanted to confirm: is this patch legit? Big shout to who discovered it. Just want to live a life that is mine without any dramas.

J Totterman

thank you so much

pzychob1tch26

Every time I look at this program and community I am thoroughly impressed. The creators and devs are always working behind the scenes nonstop, and all of us MFrs appreciate the hell out of you guys.

Steven Meyer

Thank you for your concern

SpamBize

Thank you for your responsiveness

Fafa95

Oh shit

pangolin

