Compatibility of Image Uploader with New Microsoft Windows 7 and Windows 2008 R2

posted by Dmitry on 12 September 2009, 23:39

Almost everybody in the IT world knows that Microsoft is going to release two new operating systems this October: the brand-new Windows 7 and a major update to Windows Server 2008, called 2008 R2. Several months ago we decided to prepare for these new Windows versions in advance and test our Image Uploader with them.

First of all, we were interested in Windows 7 as a client platform, where both the Image Uploader ActiveX and Java controls are launched in browsers. We have not found any major issues here with the previous 6.x versions of Image Uploader.

Secondly, we checked Windows 7 and Windows Server 2008 R2 from the server-platform point of view. As we all know from the Microsoft buzz, these upcoming versions of Windows ship with the new Internet Information Services 7.5. Unfortunately, this is where we got a surprise: IIS 7.5 did not recognize the POST requests sent by Image Uploader 5.x and earlier 6.x builds as properly formed and returned HTTP error 400. So we had to spend some time figuring out what was wrong with the requests. We found the reason, and the new Image Uploader 6.1.4 will be free of this problem. This release will be available on our site by September 19. So if you are going to use Image Uploader with IIS 7.5 on the server side, you will need Image Uploader 6.1.4 or later.

So Aurigma is ready for the new Microsoft releases, and the upcoming Image Uploader 6.1.4 will be compatible with Windows 7 and Windows Server 2008 R2.

Security bulletin #2 - new Image Uploader security update

posted by Andrew on 3 August 2009, 00:01

Hi there,

As you probably noticed, we released Image Uploader 6.1 this weekend. The main reason we did so was to fix the security vulnerability reported to us by Microsoft.

People from the Microsoft Security Response Center contacted us about a week ago and told us that they had discovered a vulnerability in ATL (the Microsoft library which comes with Visual Studio and is intended to simplify ActiveX development). This vulnerability impacts all ATL-based ActiveX controls, including Image Uploader. Microsoft has published the description of this vulnerability here:

http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

In version 6.1 we have eliminated this vulnerability. Although Microsoft has also released a security update for Internet Explorer which patches this hole, we highly recommend updating Image Uploader to the most recent build (6.1.1 or higher). Also, this week we will release updates for versions 4.7 and 5.7, so if you do not use version 6 yet, you will still be able to get a safe version.

Now, here is a short FAQ:

Q: Is this vulnerability dangerous? How can malicious persons use it?

This vulnerability allows an attacker to instantiate an arbitrary ActiveX control by passing its CLSID to Image Uploader. Because the object is created from the control's persisted property stream, the usual Internet Explorer checks (safe-for-scripting, kill bits) are bypassed, which is what makes the ATL bug in MS09-035 serious. So to exploit it, a number of requirements must be met:

  1. A malicious ActiveX control must somehow be installed on the client computer (through a trojan, spyware or other means).
  2. A malicious HTML page must be created and either injected via a cross-site scripting attack or placed on a phishing website.
  3. The user with the malicious ActiveX control and an unsafe Image Uploader must open this HTML page.
So it is not an easy attack, but it is still realistic.

Q: Microsoft released an Internet Explorer update which fixes this problem. Why update Image Uploader?

After the user installs IE update 972260, this attack becomes impossible even with Image Uploader 6.0. But you cannot guarantee that all users will install this update. That is why updating Image Uploader reduces the probability of attacks on your users.

Q: Did you kill-bit the old Image Uploader?

No, this time we decided to make both your life and ours easier and released the safe versions with the old CLSIDs. Let me explain why.

The main kill-bit distribution channel is Microsoft Update. We would just pass all the "unsafe" CLSIDs to Microsoft, and they would include them in some IE security update, as they did a year ago. But those users who install IE updates regularly will install the aforementioned update 972260, which eliminates this vulnerability anyway, so a kill bit would not raise the security level for them.

On the other hand, those users who ignore security updates would not get the kill-bit update either, so the kill bit would not help them.

Q: I am afraid that this Image Uploader update will break something on my website. What do you think?

Version 6.1.1 has very few changes compared to the previous build 6.0.16. So if you use the latest version, you can update freely. If you encounter any problems, feel free to contact our support people. We will be happy to help you.

Q: Does it cost anything to update?

No, it is free. You get a free update within the major version you have: for version 4.x you get 4.8, for version 5.x you get 5.8, for version 6.0 you get 6.1.

But if you have, say, version 4.7 and want version 6.1 instead of 4.8, you will need to upgrade as usual. Feel free to contact our sales team for more information.
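For an administrator who wants to know where a given Windows client actually stands, the three facts above (is IE update 972260 installed, is the control's CLSID kill-bitted, and is the registered build at or above the fixed builds 4.8 / 5.8 / 6.1.1) can be checked from the registry and the control's DLL. The script below is an added example, not Aurigma's code and not something from the bulletin. It assumes you supply the control's CLSID yourself (the page does not give it; take it from the `classid` attribute of your own `<object>` tag), and it assumes the control was registered machine-wide under HKEY_CLASSES_ROOT. The optional `-MinimumVersion` lets you check against 6.1.4 instead, which is the threshold the IIS 7.5 compatibility post above asks for.

```powershell
<#
Added example (not Aurigma's code). Audits one Windows host against the
three mitigations discussed in the bulletin:
  - IE update 972260 installed,
  - kill bit set for the Image Uploader CLSID,
  - registered build at or above the fixed build for its branch.
Run from an elevated PowerShell prompt on the client being audited.
#>
param(
    # Assumed: you pass the CLSID from your own <object classid="clsid:..."> tag.
    [Parameter(Mandatory = $true)]
    [string]$Clsid,
    # Optional override; when omitted, the fixed build is chosen by major version.
    [version]$MinimumVersion,
    # IE update named in the bulletin.
    [string]$HotfixId = 'KB972260'
)

$Clsid = $Clsid.Trim()
if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
    throw "Not a CLSID in {8-4-4-4-12} form: $Clsid"
}

# Fixed builds per branch, as stated in the bulletin (4.x -> 4.8, 5.x -> 5.8, 6.x -> 6.1.1).
$fixedBuilds = @{ 4 = [version]'4.8'; 5 = [version]'5.8'; 6 = [version]'6.1.1' }

# Registry views to inspect: native, plus the 32-bit view on 64-bit Windows,
# because 32-bit Internet Explorer loads controls registered under Wow6432Node.
$views = @('', 'Wow6432Node\')

# 1. Is the IE update present? (Get-HotFix reads Win32_QuickFixEngineering.)
$hotfixInstalled = [bool](Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue)

# 2. Kill bit: IE refuses to instantiate a CLSID whose "Compatibility Flags"
#    value under ActiveX Compatibility has bit 0x400 set.
$killBitSet = $false
foreach ($view in $views) {
    $key   = "HKLM:\SOFTWARE\${view}Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags -and (($flags -band 0x400) -ne 0)) { $killBitSet = $true }
}

# 3. Registered DLL: the default value of InprocServer32 is the path to the control.
$dllPath = $null
foreach ($view in $views) {
    $key       = "Registry::HKEY_CLASSES_ROOT\${view}CLSID\$Clsid\InprocServer32"
    $candidate = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if ($candidate) {
        $dllPath = [Environment]::ExpandEnvironmentVariables($candidate)
        break
    }
}

$fileVersion = $null
if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
    # Build the version from the numeric parts; the FileVersion string may use commas.
    $vi = (Get-Item -LiteralPath $dllPath).VersionInfo
    $fileVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                   $vi.FileBuildPart, $vi.FilePrivatePart)
}

$belowFix = $false
if ($null -ne $fileVersion) {
    $threshold = if ($MinimumVersion) { $MinimumVersion } else { $fixedBuilds[$fileVersion.Major] }
    if ($null -eq $threshold) { throw "No fixed build known for branch $($fileVersion.Major).x" }
    $belowFix = $fileVersion -lt $threshold
}

# Exposed only if an old build is registered AND neither mitigation from the
# bulletin (kill bit, IE update) is in place on this host.
[pscustomobject]@{
    Clsid           = $Clsid
    HotfixInstalled = $hotfixInstalled
    KillBitSet      = $killBitSet
    DllPath         = $dllPath
    FileVersion     = $fileVersion
    BelowFixedBuild = $belowFix
    Exposed         = ($belowFix -and -not $killBitSet -and -not $hotfixInstalled)
}
```

Two caveats when reading the output. `Get-HotFix` only lists updates that are still recorded by name, so once a later cumulative IE update has superseded 972260 the host can be patched while `HotfixInstalled` reads `$false`; treat that field as "verify by other means", not as proof of exposure. And because the fixed builds keep the old CLSIDs, as the bulletin explains, you cannot kill-bit "the old version" without also blocking the fixed one; the file-version comparison is the signal to act on.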

Q: Is the Java version vulnerable as well?

No, this problem impacts the ActiveX version only.