As you know our certificate is about to be expired. Several days ago we got new 2-years code signing certificate from Thawte and started to resign our software. Today we posted Image Uploader 4.7.16 and File Downloader 2.0.10 signed with new certificate to the site.

The detailed information how to update Image Uploader and File Downloader can be found on our forum.

Done… Today we released new Image Uploader 5.5. I really like the days like this one when all tests already passed, you just need to compile installers, finally check source code in CVS and mark it with a tag. Actually we are late for 7 days, the previous release date was 20, August. But some of the customers who tested out beta version found problems with tumbnail generation. So we had to examine and fix it and then walk through the tests again.

It was long time without updates for Image Uploader. Some of you, our customers, were waiting for new version in hope that it fixes some basic problems in Java version. Now you can download it and install on your servers to try. We are open for your feedback.

You can read about new functionality and bug fixes included into Image Uploader 5.5 in my previous post.

To follow up my previous post about Symantec - I got good news. Norton Antivirus does not block Image Uploader anymore. On the next day after Microsoft advisory release guys from Symantec removed Image Uploader from the stop list. I might post it earlier, but I decided to wait for a confirmation from Symantec officials. 

So if anyone got users complaining about Norton Antivirus (or other Symantec apps) blocking Image Uploader, just tell them to get latest updates. It should resolve the issue.

All of you who read our blog knows a lot about killbit for Image Uploader and Microsoft Security Advisory (953839) that stoppes using of unsafe versions. Andrew wrote about it in his post Killbit has been released at last several days ago.

I just want to accent that this security advisory is related not to Image Uploader only. This update stoppes using of unsafe File Downloader builds also. So if you have File Downloader installed on your site you need to check its version. Version 1.0.110 and all versios 2.x are safe and out of killbit. If you have version before 1.0.110 installed on your site it stops working after Microsoft update 953839 is installed on a computer.

To update your 1.x version of File Downloader to safe one you need to download version 1.0.110 from legacy downloads.

Long time passed since we released the last version of Image Uploader 5.1. Being released 5.1 solved the problem with security in ActiveX version that had high priority at that moment. After that we had time to stop and think in what direction to move the product. We carefully analyzed the customers feedback and found that the product suffers from some specific problems, especially Java version. You all know about these problems: “out of memory” problem, problem with generation thumbnails for some specific images, instability on Mac platform and so on.

So while working on version 5.5 of Image Uploader Dual, we were focusing on two major objectives: stability and performance. This version almost does not include new functionality, nevertheless we did huge work. Some modules of the product have been refactored, some of them have been written from scratch. New fresh view of the product and some new approaches allowed us to make Image Uploader faster and overall better.

ActiveX Version Specific Improvement

• Speed of adding items to upload pane in details view has dramatically increased.
• Handling files on network drives works faster.
• Progress events for “prepare to upload” and “upload” operations have been improved. Now ZIP compressing causes progress events.
• The problems with the support of cameras directly connected to a computer have been fixed.
• Rotation operations have been improved. Now upload pane displays rotated images correctly.
• The problem with cancelling the addition of a whole folder to upload pane has been fixed.
• The problem with displaying subfolders in Windows 2000 has been fixed.
• Now adding and removing files in the upload pane works correctly.
• ShellComboBox synchronizes the path with ImageUploader control now.
• The GoToFolder method accepts paths containing back slashes now.
• The problem with displaying the detailed information about files in detailed view has been fixed.
• A number of minor improvements and bug fixes.

Java Version Specific Improvements

Java version of Image Uploader has been deeply refactored. In this version we were moving in three main directions: increase the speed of the applet, decrease memory consumption, and improve support of the Macintosh platform:

• Applet performance has dramatically increased. Now folder browsing and thumbnail preparation works faster.
• Memory consumption has greatly decreased, reducing the probability of getting the “out of memory” exception.
• Thumbnail generation module has been refactored. Now the probability of uploading icons instead of thumbnails greatly reduced.
• Improved support of Safari and Firefox browsers on Macintosh computers.
• New upload control events added:
  • PackageBeforeUpload – raised right before the package is to be uploaded,
  • PackageError – raised if an error occurred while uploading the current package,
  • PackageComplete – raised upon successful package upload completion.
• Resize quality can be changed again.
• Problems with ShellComboBox control have been fixed.
• The GoToFolder method works correctly now.
• The Action property treats relative paths correctly now.
• The problem with multiple displaying of restriction dialogs has been solved.
• The SaveUploadList and LoadUploadList methods work correctly now.
• The problem with AdditionalFormName is fixed.
• A number of minor improvements and bug fixes.

New version 5.5 will be available on the site during several next days.

It turned out that vulnerabilities in Image Uploader caused not just killbit problem, but it led to one more aftermath. We are getting more and more complaints from our customer that end users experience issues with Image Uploader if they have Norton Antivirus installed. After some investigations we found out that Symantec especially included Image Uploader to the threat list in one of their updates. And perhaps unlike killbit, Norton affects new secure version.

I have just posted my suggestions how to handle this to Image Uploader FAQ forum:

http://www.aurigma.com/Forums/yaf_postsm9838_Image-Uploader-and-Norton-Antivirus.aspx

We will definitely make some more detailed investigations on this (what exact builds are affected, etc) and publish additional information in that post. Also, we are going to contact Symantec and try to come to some solution.

As I announced a week ago, Microsoft has released security update which includes killbits for old vulnerable builds of Image Uploader. Read Microsoft Security Advisory (953839) for more details on this.

Not just our software has been included into this advisory. It also includes Hewlett-Packard's Instant Support application. According to the story in Computerworld, in earlier advisories Yahoo's and Logitech's software were killbitted.

So now I want to thank all guys from Microsoft Security Response Center I dealt with for their assistance. I highly recommend all ActiveX control vendors (if any of them reading this post ) to contact Microsoft in case of such security issues. It is the best way to eliminate the aftermath of security bugs. Although the really best way is to avoid security flaws at all.

Thanks for attention. I hope this is a last time I tag my post with "security issue" or "killbit", and my further posts will be related to more pleasant things like news about future releases and so on. Stay tuned!

Hi there!

Only one week left before Microsoft release Cumulative Security Update for ActiveX killbits. They scheduled it for August 12, 2008 at approx 10am PST. 

Because of different reasons, we were not included in previous security updates released in April and June. But at last now we got the confirmation from Microsoft that Image Uploader killbits will be included in August issue.

Just reminding that all users who install security updates (i.e. vast majority of Windows users) will not be able to load old insecure version of Image Uploader in the browser. Internet Explorer will just block it. That's why we encourage all Image Uploader customers who did not update Image Uploader yet to update it ASAP. More details about it can be found in my previous post about killbits.

If it is unclear how to update or you have any other technical questions related to this security issue, do not hesitate to submit your question through the help desk system.