Image Uploader ActiveX Problem for Non-admin Users

posted by Dmitry on 20 May 2011, 04:10

Over the last several weeks we have been getting complaints from clients that their users, who do not have administrator privileges, cannot install or launch Image Uploader ActiveX in Internet Explorer. This problem was caused by changes in Internet Explorer logic and appears after installing one of the Microsoft updates. To resolve this problem, your Image Uploader should be updated to the most recent version, 7.0.28 (released on May 11, 2011).

Another security problem - oh, not again

posted by Andrew on 31 January 2008, 13:51

In short 

I have two pieces of news: a bad one and a good one.

  1. The bad news: one more security issue in Image Uploader has been reported to us.
  2. The good news: the problem occurs in version 4.5.70 only. All later builds (including version 5) are not affected by this problem.

Now let's look at this in a bit more detail.

Details 

Yesterday I got a message from Elazar Broad, the researcher who posted a security issue report in November. This time he reported that he had tested build 4.5.70 and found a heap overflow issue in the Action param. He created an exploit which runs the calculator app when the page with Image Uploader is opened. As you see, this is a really serious problem. If hackers created an exploit, they would be able to run something far more dangerous than the calc app.

I brought it to the attention of the Image Uploader development team immediately. A few hours later we got a call from Computer World; they asked to hear our comments on this. As a result they published an article about it.

Meanwhile, during our investigation we found out that the problem does not affect the latest version. Looking at this more closely, we found out that it had been fixed in the build which followed the famous 4.5.70. After that hotfix release we audited and refactored a lot of potentially buggy code, and managed to fix it without any clue that we had fixed such a serious flaw.

Conclusions 

So everyone who has upgraded Image Uploader to 5.0, or at least to a higher build than 4.5.70, can have no worries. The latest builds of Image Uploader (both 4.x and 5.x) are not vulnerable to the problem reported by Elazar. Version 3.5 is not vulnerable either.

If you have updated to 4.5.70 (or for some reason overlooked the previous security update and did not get it), you should either update to the most recent build of the 4.x family or upgrade to version 5.0. Here are the links:

  • Image Uploader 4.6 SDK - you will find the updated .cab file after SDK installation in the C:\Program Files\Aurigma\Image Uploader 4.6 Dual\ folder (or wherever you installed it).
  • Upgrade FAQ with information about the upgrade policy and links to the appropriate online store items.

If you are not sure what your version is, do not hesitate to contact us.

What Next? 

We always take all these security challenges very seriously. This is only the second security flaw in the 5-year history of Image Uploader. Over these 5 years hundreds of millions of people have uploaded files through it, so we have to take care of it.

So both these security holes are a reason for us to look through all our code more thoroughly. We did do some refactoring after discovering the first security bug, but at that time we were on a tight schedule: we were trying to release 5.0 within 2007, so we stopped after making the most obvious improvements.

Now we have no heavy time limitations, so we are going to do a detailed code review with a heavily paranoid approach. As a result we will have versions (both 4 and 5) which will be more secure and reliable than ever.

So keep an eye on this and do not forget to update Image Uploader in a timely manner!

Security issue in Image Uploader

posted by Andrew on 26 November 2007, 21:55

Recently we got a report that Image Uploader suffers from a buffer overrun vulnerability. A BID was submitted by Elazar Broad to http://www.securityfocus.com, and he emailed us to inform us about it. I am taking this opportunity to thank Elazar for all his help with it. Here is the BID:

http://www.securityfocus.com/bid/26537

It happened on the weekend, so we had to go to the office on Sunday. Fortunately the problem was not difficult to locate and fix. So we have released version 4.5.70, which does not have this problem, and now we are informing all our customers to update Image Uploader on their websites.

You may wonder why this issue is so important. The problem is that a buffer overrun vulnerability means that malicious persons can execute arbitrary code (including malware, of course) on each computer where Image Uploader is installed. Many millions of people who visit the websites of our customers are at risk. If you are interested in what a buffer overrun is, here is a Wikipedia article:

http://en.wikipedia.org/wiki/Buffer_overrun

So we urge everybody who uses Image Uploader to upload files to their websites to install the latest version. It is downloadable from the Image Uploader download page.

Now here is a small FAQ.

Q: What versions of Image Uploader are vulnerable?

A: All Image Uploader builds of the 4.x family, except 4.5.70 of course.

Q: What about previous versions?

A: This issue appeared when we added the possibility to navigate to an arbitrary folder through JavaScript. This feature was introduced in version 4.0. So if you are using version 3.5 or earlier, this issue does not affect you.

However, if you received a version 3.x after we officially discontinued it, please contact us. We need to check it out.

Q: Where can I download the fixed version?

A: First of all, you can download the latest version from the Image Uploader download page:

http://www.aurigma.com/Products/ImageUploader/FreeTrial.aspx

Q: How do I install the update?

A: The update installation process is the same as described in the documentation. In short:

  1. Download the latest .cab file (it should be version 4.5.70 or later).
  2. Replace it on your server.
  3. Update the version number in the Image Uploader initialization block. It should look like this: iu.activeXControlVersion = "4,5,70,0";

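
When auditing many customer pages it helps to check the version string from step 3 automatically. The following is an added example, not Aurigma's code: it parses the comma-separated "major,minor,build,revision" form used in the initialization block and classifies the configured build against both reports on this page (4.x below 4.5.70: the November buffer overrun; exactly 4.5.70: the January heap overflow in the Action param; 3.5 and earlier, later 4.x builds and 5.x: not affected). The function names are assumptions of this example.

```javascript
// Added example (not Aurigma's code). Triage the iu.activeXControlVersion
// value from an Image Uploader initialization block against the two
// issues described on this page.

// Parse "4,5,70,0" into [4, 5, 70, 0]; reject anything that is not
// four comma-separated integers (e.g. a dotted "4.5.70" by mistake).
function parseActiveXVersion(str) {
  const parts = String(str).trim().split(",").map((p) => p.trim());
  if (parts.length !== 4 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`malformed activeXControlVersion: "${str}"`);
  }
  return parts.map(Number);
}

// Component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const FIRST_FIX = [4, 5, 70, 0]; // build that fixed the buffer overrun (BID 26537)

function assessImageUploaderVersion(str) {
  const v = parseActiveXVersion(str);
  if (v[0] < 4) {
    return { version: v, status: "not-affected",
             reason: "3.x and earlier predate the JavaScript folder navigation feature" };
  }
  if (v[0] === 4) {
    const c = compareVersions(v, FIRST_FIX);
    if (c < 0) return { version: v, status: "vulnerable",
                        reason: "4.x below 4.5.70: buffer overrun, update to 4.5.70 or later" };
    if (c === 0) return { version: v, status: "vulnerable",
                          reason: "4.5.70: heap overflow in Action param, update to a later 4.x build or 5.0" };
    return { version: v, status: "fixed", reason: "4.x build later than 4.5.70" };
  }
  return { version: v, status: "fixed", reason: "5.x and later are not affected by either report" };
}

// Pull the version out of an initialization script; null if none is set.
function checkInitBlock(scriptText) {
  const m = /activeXControlVersion\s*=\s*["']([^"']+)["']/.exec(scriptText);
  return m ? assessImageUploaderVersion(m[1]) : null;
}
```

Run `checkInitBlock` over the script text of each page that embeds Image Uploader; any result with status "vulnerable" needs the update steps above.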
Q: Is the update free?

A: This is a minor update. According to our upgrade policy, minor updates are free.

Q: I still have questions. Where can I get more information?

A: Please email us at info@aurigma.com.