VTubing Software Live2D Reports Security Vulnerability in Live2D Cubism Core
Live2D, the VTubing software, has announced a security vulnerability in its Live2D Cubism Core. This vulnerability allows for the execution of malicious code through modified MOC3 files.
Live2D is actively investigating this issue with the guidance of external security experts. They are also working on developing a software version that will fix this vulnerability within the next few days.
According to Live2D Inc., “This vulnerability occurs when an application runs a maliciously modified MOC3 file.”Read more…
The execution of the modified MOC3 file in the target Cubism Core may result in out-of-range memory writes, leading to application crashes.
To ensure security, Live2D advises users to continue using MOC3 files generated by trusted sources or themselves without any concerns.
To protect themselves from malicious MOC3 files, Live2D recommends users take the following precautions:
- Avoid opening MOC3 files from unknown sources.
- Only open MOC3 files obtained from trusted sources.
- Keep applications that utilize MOC3 files regularly updated.
VTube studio, a popular VTubing app, shared Live2D’s findings and offered the following advice:
- Most Live2D tracking apps are affected.
- Only specifically crafted MOC3 files are impacted. Files received from riggers or trusted individuals are safe.
- This includes Live2D Models and Live2D Items in VTube Studio.
- Exercise caution when loading model files from strangers online, for now.
- Keep Live2D apps updated at all times.
While the vulnerability is being investigated, VTube Studio has temporarily suspended the downloading of Live2D models and assets from its workshop to ensure the safety of its users. These features will be reactivated once the vulnerability has been resolved.