With this tab, you are able to group highlighted parts of a build together. The Groups tab often gets overlooked, but it’s essential to managing big builds. Make big builds easier by using the groups tab Hide (L): Temporarily hide a brick without removing it, which makes it easier to build underneath or behind the blocking brick.Hinge Align (H+shift): Connect two selected bricks with a single connector.Hinge (H): Rotate a brick that’s connected with a single-stud connector or hinge.Paint (B): Change the color of your selected brick to your desired color.Clone (C): Make an instant copy of your previously selected brick.Selection (V): Use this tool to select a single brick within your screen.Another option is using the keyboard shortcuts, which are the same whether you have LEGO Digital Designer for iPad or Windows. You access these functions from the toolbar at the top of the page. However, there are a lot of useful little functions that make your builds easier. Technically, you don’t need to know anything else. How do I escalate this to TLG directly? The support center says they are crowded with christmas emails and have half of their staff on vacation, so I don't think this is an appropriate channel.Once you get the hang of selecting and placing bricks, it’s time to start building anything you want. We are not talking about a week or a month, but about more than 3/4 of a decade. I do not understand why a company which is dedicated to quality like TLG does use such insecure libraries for such a long time when bugfixed versions already exist. 'Arbitrary Code Execution' means that an attacker can do everything with your computer you are allowed to, too: Send spam on your behalf, install keyloggers and backdoors sniffing your online banking accounts, place bogus ebay offers with your account, control a botnet (with your IP address appearing in log files) and so on and so on. Just do google for 'zlib exploit' or 'libpng exploit' and you'll see that it is not too difficult to use it for malicious purposes at all. I mean, LXF files are nothing but ZIP files with the suffix '.LXF' fixes for those zlib holes exist for more than seven years. I'll betcha there are already tons of exploits for those libraries, so it won't be difficult at all to adjust them for LXF files as well. An attacker having already crafted exploits for these widely spread libraries might use LXF files as an additional attack vector with no extra effort. LDD itself might be niche software, but it relies on commonly used open source libraries. I think LDD is a "niche" software, and it is very difficult tha someone will use it for malicious purpose. I would, however, feel more secure if the next update of LDD incorporates the latest releases of the respective third party libraries used. According to public reports, this vulnerability can be exploited to execute arbitrary code " I get slightly nervous.ĭo I have to omit any LXF file from an untrusted online source like Eurobricks or Brickshelf for security reasons? How serious are those threats? Is this an attractive attack vector for malware currently used? Is there any official statement from TLG about this issue that Google doesn't find? Or do I panic with no cause? ![]() A remote attacker be able to exploit this vulnerability by supplying the inflate() routine with specially crafted compressed data. Especially when states "This vulnerability only affects zlib versions 1.2.1 and 1.2.2. ![]() ![]() I'm unfortunately no expert in evaluating the practical severeness of such holes and I lack in any criminal intent, but as LXF files are simply renamed ZIP files containing a PNG thumbnail of the model, I wonder how easily a malicious LXF file might be crafted to exploit one or more of these holes. These issues were fixed peu à peu between 20 ( ).įor zlib 1.2.2 its website ( ) says: "Version 1.2.3 (July 2005) eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately." And as old software tends to be insecure software I dug a bit further and voilà: both are known to expose security holes. Both are from 2004 and are thus quite old. Although I assume that the Eurobricks community consists mostly of friendly and honourable people, I noticed that the 'About' dialog of LDD 4.3.5 states that LDD currently uses libpng 1.2.8 and zlib 1.2.2. I'm a bit concerned about the security of LDD and its LXF files.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |