Security bulletin #2 - new Image Uploader security update

posted by Andrew on 3 August 2009, 00:01

Hi there,

As you have probably noticed, we released Image Uploader 6.1 this weekend. The main reason was to fix the security vulnerability reported to us by Microsoft.

People from the Microsoft Security Response Center contacted us about a week ago and told us that they had discovered a vulnerability in ATL (the Microsoft library that ships with Visual Studio to simplify ActiveX development). This vulnerability affects all ATL-based ActiveX controls, including Image Uploader. Microsoft describes the vulnerability here:

http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

In version 6.1 we have eliminated this vulnerability. Although Microsoft has also released a security update for Internet Explorer which patches this hole, it is highly recommended to update Image Uploader to the most recent build (6.1.1 or higher). This week we will also release updates for versions 4.7 and 5.7, so if you do not use version 6 yet, you will still be able to use a safe version.

Now, here is a short FAQ:

Q: Is this vulnerability dangerous? How can malicious persons use it?

This vulnerability allows an arbitrary ActiveX control to be instantiated by passing its CLSID to Image Uploader. So to exploit it, a number of requirements must be met:

  1. A malicious ActiveX control must already be installed on the client computer somehow (through trojans, spyware or any other means).
  2. A malicious HTML page must be created and either injected via a cross-site scripting attack or placed on a phishing website.
  3. The user with the malicious ActiveX control and an unsafe Image Uploader must open this HTML page.

So it is not easy to attack, but it is still realistic.

Q: Microsoft has released an Internet Explorer update which fixes this problem. Why update Image Uploader?

After the user installs IE update 972260, this attack will indeed be impossible even with Image Uploader version 6.0. But you cannot guarantee that all users will install this update. That is why updating Image Uploader decreases the probability of attacks on your users.

Q: Did you killbit the old Image Uploader?

No, this time we decided to make life easier for both you and us, and released safe versions with the old CLSIDs. Let me explain why.

The main killbit distribution channel is the Microsoft update system. We would just pass all "unsafe" CLSIDs to Microsoft and they would include them in some IE security update, as they did a year ago. But the users who install IE updates on a regular basis will install the aforementioned update 972260, which eliminates this vulnerability. So a killbit would not increase the security level for them.

On the other hand, users who ignore security updates would not get the killbit update either. Therefore the killbit would not help them either.

Q: I am afraid that this Image Uploader update will break something on my website. What do you think?

Version 6.1.1 has very few changes compared to the previous build 6.0.16. So if you use the latest version, you can update freely. If you encounter any problems, feel free to contact our support people. We will be happy to help you.

Q: Does it cost me anything to update? 

No, it is free. You get a free update for the major version you have: for version 4.x you get 4.8, for version 5.x you get 5.8, for version 6.0 you get 6.1.

But if you have, say, version 4.7 and want version 6.1 instead of 4.8, you should upgrade as usual. Feel free to contact our sales team for more information.

Q: Is the Java version vulnerable as well?

This problem affects the ActiveX version only.

Non-Admin ActiveX Controls in IE8

posted by Dmitry on 7 November 2008, 22:48

In the Internet Explorer 8 developers' blog I found a very interesting post, IE8 Security Part II: ActiveX Improvements. This post gives an overview of the security approaches and improvements in the new Internet Explorer. The most important thing I found was Non-Admin ActiveX. This technology allows installing ActiveX controls without administrator privileges. The only limitation is that you need to run IE8 under Windows Vista.

I was really interested in this feature and decided to dig into it. I found the documentation on the Non-Admin ActiveX feature and created ImageUploader5.cab in accordance with their suggestions. After that I took a clean Windows Vista SP1 virtual machine, downloaded the latest IE8 Beta2, and installed it. Then I created a small sample page and installed the updated cab file on this page. After that I created a new user without administrative privileges in Vista and logged in under this user. I launched IE8 and opened my sample page from our internal test server… and it worked. IE8 asked me whether I trusted Image Uploader and then allowed Image Uploader to be installed. It worked like a charm.

So now Microsoft users can install ActiveX controls without administrative permissions, and Microsoft treats this as safe. The upcoming Image Uploader 6 will be compatible with the IE8 Non-Admin ActiveX feature.

Killbit for File Downloader

posted by Dmitry on 19 August 2008, 23:06

All of you who read our blog know a lot about the killbit for Image Uploader and Microsoft Security Advisory (953839), which stops unsafe versions from being used. Andrew wrote about it in his post Killbit has been released at last several days ago.

I just want to stress that this security advisory is not related to Image Uploader only. This update also stops unsafe File Downloader builds from being used. So if you have File Downloader installed on your site, you need to check its version. Version 1.0.110 and all 2.x versions are safe and not killbitted. If you have a version earlier than 1.0.110 installed on your site, it stops working after Microsoft update 953839 is installed on a computer.

To update your 1.x version of File Downloader to a safe one, download version 1.0.110 from the legacy downloads.

Aurigma Image Uploader vs. Norton Antivirus

posted by Andrew on 13 August 2008, 21:17

It turned out that the vulnerabilities in Image Uploader caused not just the killbit problem but one more consequence. We are getting more and more complaints from our customers that end users experience issues with Image Uploader if they have Norton Antivirus installed. After some investigation we found out that Symantec specifically added Image Uploader to the threat list in one of their updates. And, perhaps unlike the killbit, Norton affects the new secure version.

I have just posted my suggestions on how to handle this to the Image Uploader FAQ forum:

http://www.aurigma.com/Forums/yaf_postsm9838_Image-Uploader-and-Norton-Antivirus.aspx

We will definitely investigate this in more detail (what exact builds are affected, etc.) and publish additional information in that post. Also, we are going to contact Symantec and try to come to some solution.

Killbit has been released at last

posted by Andrew on 12 August 2008, 16:31

As I announced a week ago, Microsoft has released a security update which includes killbits for old vulnerable builds of Image Uploader. Read Microsoft Security Advisory (953839) for more details.

Not just our software has been included in this advisory. It also includes Hewlett-Packard's Instant Support application. According to the story in Computerworld, Yahoo's and Logitech's software were killbitted in earlier advisories.

So now I want to thank all the people from the Microsoft Security Response Center I dealt with for their assistance. I highly recommend all ActiveX control vendors (if any of them are reading this post ;-)) to contact Microsoft in case of such security issues. It is the best way to eliminate the aftermath of security bugs. Although the really best way is to avoid security flaws altogether. :-)

Thanks for your attention. I hope this is the last time I tag a post with "security issue" or "killbit", and that my further posts will be about more pleasant things like news about future releases. Stay tuned!

Microsoft is going to killbit insecure version of Image Uploader within this week

posted by Andrew on 3 August 2008, 15:54

Hi there!

Only one week is left before Microsoft releases the Cumulative Security Update for ActiveX killbits. They have scheduled it for August 12, 2008 at approximately 10am PST.

For various reasons, we were not included in the previous security updates released in April and June. But now we have finally got confirmation from Microsoft that the Image Uploader killbits will be included in the August release.

Just a reminder: all users who install security updates (i.e. the vast majority of Windows users) will not be able to load old insecure versions of Image Uploader in the browser. Internet Explorer will just block them. That is why we encourage all Image Uploader customers who have not updated Image Uploader yet to do so ASAP. More details can be found in my previous post about killbits.

If it is unclear how to update, or you have any other technical questions related to this security issue, do not hesitate to submit your question through the help desk system.

Official security bulletin

posted by Andrew on 24 March 2008, 01:12

Hi again,

In my previous post I mentioned the release of Image Uploader 5.1 (and 4.7), which has a number of security fixes (a few known heap overflows and a bunch of potential problems). To prevent malicious persons from exploiting these issues, we are releasing a killbit for all old versions and strongly recommend each Image Uploader customer to get an update (which is free within the same major version).

A few words about the killbit. I have already commented on what a killbit is and why we use it in the Image Uploader is safe again post. Now let's see how the killbit is installed on a client machine. There are three ways:

  1. The killbit is set along with the new version. So when the new ActiveX control is downloaded and installed, the old CLSIDs become disabled.
  2. The killbit can be installed manually. To do this, just download the AurigmaKillbit.reg file and run it (this may require administrative rights).
  3. The killbit will be installed with Internet Explorer security updates. I cannot give an exact time frame for this until I get approval from Microsoft, but it will not happen earlier than in 2-3 months.

Below is a list of the CLSIDs which are killbitted and their replacement CLSIDs.

Old CLSID                              New CLSID                              Product

Standard builds:

6E5E167B-1566-4316-B27F-0DDAB3484CF7   EDFCB7CB-942C-4822-AF14-F0B687409848   Image Uploader 4
BA162249-F2C5-4851-8ADC-FC58CB424243   5D637FAD-E202-48D1-8F18-5B9C459BD1E3   Image Uploader 5
652623DC-2BB4-4C1C-ADFB-57A218F1A5EE   FB5C74A8-48D0-42A3-B47F-6896F94DFC21   Upload Items 4
9275A865-754B-4EDF-B828-FED0F8D344FC   59BA14C3-B5CD-4DFF-8256-25961756B9B4   Upload Items 5
E1A26BBF-26C0-401d-B82B-5C4CC67457E0   D6216AB8-9FF8-47C6-A2E7-49491B39C857   File Downloader

Private-label builds, Image Uploader 4:


Private-label builds, Upload Items 4:


Private-label builds, File Downloader

6C095616-6064-43ca-9180-CF1B6B6A0BE4   	BC9C7884-D1F5-4E67-80F2-C67AE8C62701

If you have a private-label version and do not see your CLSID there, please contact us at info@aurigma.com.

UPDATE (03/27/2008):

A few other CLSIDs have been added to this killbit (see below). No more changes will be made to it though.

Also, I have got confirmation from Microsoft that these CLSIDs will be killbitted in June.

Old CLSID                              New CLSID

Private-label builds, Image Uploader 4:

A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98   B48C6F3D-3AB9-4DAA-A24C-7D6570FFACEC
5C6698D9-7BE4-4122-8EC5-291D84DBD4A0   23E0446E-BFBD-4E70-97F1-25549A1F284E

Private-label builds, Upload Items 4:

E4C97925-C194-4551-8831-EABBD0280885   0E519CCA-A262-4EC1-BD7F-AEB9168F0EAB
CC7DA087-B7F4-4829-B038-DA01DFB5D879   F7D4E441-BC09-4592-8CC3-75C0558187F5

Image Uploader is reborn - better security and new CLSIDs

posted by Andrew on 21 March 2008, 01:31

Hello there,

I have an exciting update about the security issue: we have completed all of our audits and feel we have secured Image Uploader. As I described in my previous post, today we have released an updated version of the Image Uploader ActiveX control, version 5.1. The main difference from 5.0.40 is that it has different CLSIDs.

This release has taken us a bit longer than we expected, as we ran up against a rather interesting problem. Once we had compiled the list of CLSIDs we need to killbit, we started trying to contact Private Label and Source Code customers to provide them with updated builds of their code. To our amazement, many of them seem to be ignoring us!

We strongly advise you, if you are a Private Label or Source Code customer and have received emails or phone calls from us, to respond to us as soon as possible. For those of you who have, thank you for your prompt response. But we should be clear: at some point we, as a responsible software developer, will have to send all CLSIDs that are at risk to Microsoft to killbit.

WHEN THIS HAPPENS, ALL AT-RISK VERSIONS OF IMAGE UPLOADER will be DISABLED and will not run on the client computers.

So let's all be good to ourselves and our clients' computers... Let's work together and get updated as soon as possible. Please also keep the information in your accounts up to date. If this is mission-critical software for your company, then we should have very open communication. Don't ever worry about us sending you spam or pressing you to buy something. We need to be able to communicate with you for the security and safety of you as our customer and of your clients as your customers.

Downloads

So now you can download 4 different versions of Image Uploader:

  • Image Uploader 5.1.0 (and above) - the safe version with new CLSIDs. This is what people will download by default. Update to this build if you have version 5.0.
  • Image Uploader 4.7.0 - the safe version of the 4.x family with new CLSIDs. Update to this build if you have version 4.x.
  • Image Uploader 5.0.41 - the latest version of 5.0 with the old CLSIDs.
  • Image Uploader 4.6.31 - the latest version of the 4.x family with the old CLSIDs.

Note that all of them are safe, but it is not a good idea to keep builds with old CLSIDs for too long. More and more people will install the killbit, and sooner or later Microsoft will include it in the next security update. After that, all users who get Windows updates automatically will have problems loading Image Uploader with old CLSIDs. So if for some reason you need versions with old CLSIDs, you can use them, but not for longer than a couple of months. You should migrate to the new builds ASAP.

Migrating to new safe build 

In fact the migration process is very simple, especially if you have not modified iuembed.js. You just update Image Uploader as usual with only one additional action: you overwrite not just the .cab and .jar files, but iuembed.js as well. That's all.

If you modified iuembed.js or embedded it inside your page, it will be slightly more complicated. You will have to find where the old CLSID is inserted and replace it with the new one. I will post a list of CLSID changes in my next post.

Also, you can use the activeXClassId property of the ImageUploaderWriter control, although I would not recommend this. If you create a new page with Image Uploader from scratch in the future, you may forget to insert the new CLSID. So the better idea is to fix iuembed.js.


Well, it seems we have overcome this issue at last. Of course we will not stop keeping an eye on security, but we can get back to improving the functionality of Image Uploader. We are going to implement exciting new features like video upload and more. But this is a matter for a separate series of blog posts.

Image Uploader is safe again!

posted by Andrew on 13 February 2008, 01:08

It may sound too bold, but I think we can say so now. We have got rid of all known vulnerabilities (we found a few new ones while testing/refactoring IU). The "exterior perimeter" code was seriously analyzed. All suspicious portions of code (primarily legacy code) were totally revised and rewritten using a safe programming approach. Wherever we had time, we fixed "internal" code as well (we still have a lot of work to do, but this is less critical). We ran a number of new tests which pass "garbage" into params and checked how Image Uploader deals with it.

As a result we have released version 5.0.40 (and 4.6.30 for those who have not upgraded yet). We claim these versions to be secure enough, although we realize that bad things happen and we could have overlooked something. That is why we have reserved some time for security people to try it. If no more problems are found (I hope so), we will killbit the old vulnerable versions.

About killbit 

You may wonder what the heck a killbit is. The idea is simple. As you may know, each ActiveX control (including IU) is identified by a CLSID. There is a special section in the registry which lists the CLSIDs of controls that should not be loaded by IE. "To killbit the control" means to put the CLSID of this control into this section. More information on this can be found in the Microsoft Knowledge Base.

UPD: For those who are looking for more comprehensive information about the killbit and how it works, see the Kill-Bit FAQ posted on the Microsoft TechNet blogs: part 1, part 2, and part 3. Thanks to Elazar Broad for these links.

Killbit and Image Uploader  

Now, let's see how we will handle this. When we are assured that no more security bugs are found, we will release a new version of Image Uploader which will have a new CLSID. Hopefully it will happen right after the weekend. After that we will urge users to killbit the old version by all possible means. In particular:

  • The killbit will be set automatically when the new Image Uploader is installed.
  • We will publish a .reg file which sets the killbit. Hopefully security advisory websites will not mind putting it in the issue resolution section of the Image Uploader report.
  • The strongest measure: Microsoft will (likely) include this killbit in their security bulletin a few months after we publish it. So it will be installed automatically through their update system.
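Whichever of the three channels delivers it, the killbit ends up as a value in the client's registry, and the Official security bulletin post above lists the old and new CLSIDs it covers. As an added example (my own code, not Aurigma's), here is a small Python audit that takes the text of a .reg export of the ActiveX Compatibility key from a client machine and reports, for the standard-build CLSID pairs from that bulletin's table, whether the old CLSID is blocked and whether the replacement still loads. The registry path and the 0x400 kill-bit flag are the ones Microsoft documents; the export in the block is constructed, not a real machine dump.

```python
import re
from typing import Dict, List, Tuple

# Bit in the "Compatibility Flags" DWORD that tells Internet Explorer never to
# load the control (the kill bit, as documented in Microsoft KB 240797).
KILL_BIT = 0x400

# Key line of a .reg export, in the native or the Wow6432Node (32-bit on 64-bit) view.
_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\\{([0-9A-Fa-f-]{36})\}\]\s*$"
)
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})\s*$')
_ANY_KEY_RE = re.compile(r"^\[.*\]\s*$")

# Old -> new CLSID pairs for the standard builds, copied from the table in the
# "Official security bulletin" post above.
STANDARD_BUILDS: Dict[str, Tuple[str, str]] = {
    "Image Uploader 4": ("6E5E167B-1566-4316-B27F-0DDAB3484CF7", "EDFCB7CB-942C-4822-AF14-F0B687409848"),
    "Image Uploader 5": ("BA162249-F2C5-4851-8ADC-FC58CB424243", "5D637FAD-E202-48D1-8F18-5B9C459BD1E3"),
    "Upload Items 4":   ("652623DC-2BB4-4C1C-ADFB-57A218F1A5EE", "FB5C74A8-48D0-42A3-B47F-6896F94DFC21"),
    "File Downloader":  ("E1A26BBF-26C0-401d-B82B-5C4CC67457E0", "D6216AB8-9FF8-47C6-A2E7-49491B39C857"),
}

# Constructed sample export (not a real machine dump): the old Image Uploader 4
# CLSID is kill-bitted in both registry views, the old Image Uploader 5 CLSID has
# a key but no kill bit, the *new* Upload Items 4 CLSID was kill-bitted by mistake,
# and File Downloader has no key at all.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5E167B-1566-4316-B27F-0DDAB3484CF7}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5E167B-1566-4316-B27F-0DDAB3484CF7}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BA162249-F2C5-4851-8ADC-FC58CB424243}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FB5C74A8-48D0-42A3-B47F-6896F94DFC21}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""


def parse_compat_flags(reg_text: str) -> Dict[str, List[int]]:
    """Map each CLSID (upper case, no braces) found under ActiveX Compatibility to
    the Compatibility Flags value seen in each registry view (0 if the key has no
    value). Accepts the text of a .reg file; a leading UTF-16 BOM is ignored."""
    flags: Dict[str, List[int]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.lstrip("\ufeff").rstrip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, []).append(0)  # a value line may follow
            continue
        if _ANY_KEY_RE.match(line):
            current = None  # some unrelated key; ignore its values
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            flags[current][-1] = int(m.group(1), 16)
    return flags


def is_killbitted(flags: Dict[str, List[int]], clsid: str) -> bool:
    """True only if the kill bit is set in every registry view that has the key;
    a kill bit in one view alone leaves the other IE bitness able to load it."""
    views = flags.get(clsid.upper(), [])
    return bool(views) and all(v & KILL_BIT for v in views)


def audit(flags: Dict[str, List[int]], pairs: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Classify each old/new CLSID pair: the old control should be blocked and the
    replacement must not be, otherwise the updated build will not load either."""
    report: Dict[str, str] = {}
    for product, (old, new) in pairs.items():
        if is_killbitted(flags, new):
            report[product] = "ERROR: replacement CLSID is kill-bitted, the new build will not load"
        elif is_killbitted(flags, old):
            report[product] = "ok: old CLSID blocked, new CLSID allowed"
        else:
            report[product] = "WARNING: old CLSID still loadable, kill bit not applied"
    return report


if __name__ == "__main__":
    for product, verdict in audit(parse_compat_flags(SAMPLE_REG), STANDARD_BUILDS).items():
        print(f"{product:<18} {verdict}")
```

On a real client, feed it the output of `reg export` for the ActiveX Compatibility key (it is written as UTF-16; decode it before calling `parse_compat_flags`).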

Killbit and Aurigma customers 

Let's examine the aftermath of the killbit for our customers.

  1. Every Image Uploader customer should install the update with new CLSIDs. Let me repeat: EVERY customer! It is not just a matter of wanting to make users' lives safer. As soon as Microsoft deploys the killbit, the vulnerable version will simply stop working (at least for those who install updates promptly).
  2. As follows from the previous point, there is not much sense in installing version 5.0.40 or 4.6.30 unless you would like to test it. You will have to update it in several days anyway.
  3. The new version will have a new CLSID, so you should take this into consideration when you install the update. For most customers it will just mean that they should overwrite not only the .cab and .jar files, but also iuembed.js (do not forget to change the version number in the initialization code!). If you changed iuembed.js or pasted it into an HTML page, do not forget to change the CLSID.
  4. Private-label customers will have to contact us and get the latest build. Of course at no cost (provided, of course, it is the latest build of the same major version).

Additional security shield for private-label versions

When we examined how to make the ActiveX control more secure, we found out that Internet Explorer has a mechanism which allows an ActiveX control to be usable only on certain websites (domains). Of course we cannot use it for the standard version (since it is used on thousands of websites), but we can easily restrict Image Uploader to a specific host domain when we prepare a private-label version.

So even if some security flaw is found in the future, no one will be able to exploit it with a private-label version. It will be applicable to the standard build only. I cannot name the owners of private-label versions; however, the Image Uploader build of some of them is much more widespread than the standard one, and these companies are much more public than Aurigma. So journalists from IT magazines will have to look for other sources of sensation... :-)


That's all for today. Stay tuned! 

Another security problem - oh, not again

posted by Andrew on 31 January 2008, 13:51

In short 

I have two pieces of news: a bad one and a good one.

  1. The bad news: we have been notified of one more security issue in Image Uploader.
  2. The good news: the problem occurs in version 4.5.70 only. All later builds (including version 5) are not affected by this problem.

Now let's look at this in a bit more detail.

Details 

Yesterday I got a message from Elazar Broad, the person who posted a security issue report in November. This time he reported that he had tested build 4.5.70 and found a heap overflow issue in the Action param. He created an exploit which runs the calculator app when the page with Image Uploader is opened. You see, this is a really serious problem. If hackers created an exploit, they would be able to run something far more dangerous than the calc app.

I brought it to the attention of the Image Uploader development team immediately. A few hours later we got a call from Computerworld: they asked for our comments on this. As a result they published an article about it.

Meanwhile, during our investigation we found out that the problem does not affect the latest version. Looking at this more closely, we found out that it had been fixed in the build following the famous 4.5.70. After that hotfix release we audited and refactored a lot of potentially buggy code, and managed to fix it without any clue that we had fixed such a serious flaw.

Conclusions 

So everyone who has upgraded Image Uploader to 5.0, or at least to a build higher than 4.5.70, can have no worries. The latest builds of Image Uploader (both 4.x and 5.x) are not vulnerable to the problem reported by Elazar. Also, version 3.5 is not vulnerable either.

If you have updated to 4.5.70 (or for some reason overlooked the previous security update and did not get it), you should either update to the most recent build of the 4.x family or upgrade to version 5.0. Here are the links:

  • Image Uploader 4.6 SDK - you will find the updated .cab file after SDK installation in the C:\Program Files\Aurigma\Image Uploader 4.6 Dual\ folder (or wherever you installed it).
  • Upgrade FAQ with information about the upgrade policy and links to the appropriate online store items.

If you are not sure what your version is, do not hesitate to contact us.

What Next? 

We always take all these security challenges very seriously. This is only the second security flaw in the 5-year history of Image Uploader. Over these 5 years hundreds of millions of people have uploaded files through it, so we have to take care of it.

So both these security holes are a reason for us to look through all our code more thoroughly. We did do some refactoring after discovering the first security bug, but at that time we were on a tight schedule (we were trying to release 5.0 within 2007), so we stopped after making the most obvious improvements.

Now we have no heavy time limitations, so we are going to make a detailed code review with a heavily paranoid approach. As a result we will have versions (both 4 and 5) which will be more secure and reliable than ever.

So keep an eye on this and do not forget to update Image Uploader timely!