Recently we got a report that Image Uploader suffers from a buffer overrun vulnerability. A BID was submitted by Elazar Broad to http://www.securityfocus.com, and he emailed us to inform us about it. I am taking this opportunity to thank Elazar for all his help with it. Here is this BID:
It happened on the weekend, so we had to go to the office on Sunday. Fortunately the problem was not difficult to locate and fix. So we have released version 4.5.70, which does not have this problem, and now we are informing all our customers to update Image Uploader on their websites.
You may wonder why this issue is so important. The problem is that a buffer overrun vulnerability means that malicious persons can execute arbitrary code (including malware, of course) on each computer where Image Uploader is installed. Many millions of people who visit websites of our customers are at risk. If you are interested in what a buffer overrun is, here is a Wikipedia article:
So we urge everybody who uses Image Uploader to upload files to their websites to install the latest version. It is downloadable from the Image Uploader download page.
Now here is a small FAQ.
Q: What versions of Image Uploader are vulnerable?
A: All Image Uploader builds of the 4.x family, except 4.5.70, of course.
Q: What about previous versions?
However, if you received version 3.x after we officially discontinued it, please contact us. We need to check it out.
Q: Where to download the fixed version?
A: First of all, you can download the latest version from the Image Uploader download page:
Q: How to install the update?
A: The update installation process is the same as described in the documentation. In short:
- Download the latest .cab file (it should be version 4.5.70 or later).
- Replace it on your server.
- Update the version number in the Image Uploader initialization block. It should look like this: iu.activeXControlVersion = "4,5,70,0";
Q: Is the update free?
A: This is a minor update. According to our upgrade policy, minor updates are free.
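After replacing the .cab file, the step most easily missed on a large site is the third one: every page that still pins an older version in its initialization block keeps serving the vulnerable control. The following script is an added example, not Aurigma's code, that a site administrator could run over the site's page sources to find those stragglers. It assumes only what the steps above state: the property is named iu.activeXControlVersion and the version is written as a comma-separated string such as "4,5,70,0". The sample pages in SAMPLE_PAGES are constructed for the example.

```javascript
// Added example (not Aurigma's code): audit page sources for Image Uploader
// initialization blocks that still pin a version older than the fixed 4.5.70.
// The property name activeXControlVersion and the "4,5,70,0" format come from the
// upgrade steps above; everything else here is an assumption of this example.

const FIXED_VERSION = [4, 5, 70, 0]; // first build without the buffer overrun

// Parse a "4,5,70,0" style string into four numeric components, or null if malformed.
function parseVersion(str) {
  const parts = str.split(',').map((s) => parseInt(s.trim(), 10));
  if (parts.length !== 4 || parts.some(Number.isNaN)) return null;
  return parts;
}

// Lexicographic comparison of two four-part versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Find every activeXControlVersion assignment in a page source and classify it.
// A version that cannot be parsed is reported as vulnerable, since the control
// it would load cannot be shown to be the fixed one.
function findVulnerableVersions(source, minimum = FIXED_VERSION) {
  const re = /activeXControlVersion\s*=\s*["']([^"']*)["']/g;
  const findings = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const version = parseVersion(m[1]);
    findings.push({
      raw: m[1],
      vulnerable: version === null || compareVersions(version, minimum) < 0,
    });
  }
  return findings;
}

// Constructed sample page sources standing in for files read from the web root.
const SAMPLE_PAGES = {
  'upload.html': '<script>\niu.activeXControlVersion = "4,5,50,0";\n</script>',
  'gallery.html': '<script>iu.activeXControlVersion = "4,5,70,0";</script>',
  'legacy.html':
    '<script>iu.activeXControlVersion = "4,0,12,0";\n' +
    'iu.activeXControlVersion = "4,5,71,0";</script>',
  'broken.html': '<script>iu.activeXControlVersion = "latest";</script>',
  'about.html': '<p>No uploader on this page.</p>',
};

// Return a map of page name -> list of vulnerable version strings found in it.
// Pages with no vulnerable assignment are omitted from the report.
function auditPages(pages) {
  const report = {};
  for (const [name, src] of Object.entries(pages)) {
    const vuln = findVulnerableVersions(src)
      .filter((f) => f.vulnerable)
      .map((f) => f.raw);
    if (vuln.length > 0) report[name] = vuln;
  }
  return report;
}

// Usage: run against the constructed sample pages and print what still needs updating.
console.log(auditPages(SAMPLE_PAGES));
```

In a real deployment the SAMPLE_PAGES object would be replaced by reading the .html, .aspx or .php templates under the web root, and any page listed in the report is one where the third step above was not completed.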
Q: I still have questions. Where can I get more information?
A: Please email us at firstname.lastname@example.org.