Graphics Mill for .NET 5.0 Released

by Andrew 5/5/2008 2:11:00 PM

Over the weekend we released Graphics Mill 5.0. We have already written about the main changes in this version, but let me outline

In addition, you can find the following information about the new release:

For existing customers we have a special upgrade offer:

  • If you purchased Graphics Mill after April 2, 2008, you get a free upgrade to Std or Pro (your choice). Note that this is a time-limited offer: to get the free version, contact sales@aurigma.com before June 3, 2008.
  • If you purchased Graphics Mill before April 2, 2008, you can purchase the new version for 60% of the license price (however, the new licensing model applies).

Any feedback about the new version is welcome.


Graphics Mill for .NET 5.0: Licensing Changes

by Andrew 4/23/2008 1:05:00 AM

I just want to follow up on Dmitry's post Graphics Mill 5.0: Coming Soon. The upcoming Graphics Mill release will introduce not just new features but also a new licensing policy, which is what I would like to talk about in this post.

Briefly speaking, there are two essential changes:

  1. Graphics Mill will be split into Std and Pro editions.
  2. The licensing policy moves closer to industry standards.

Std and Pro editions

When we analyzed how our customers use Graphics Mill, we realized that some of the advanced features we are proud of are not useful to all of them. Most of the features that make Graphics Mill unique are especially important to customers who build applications for the printing business, but they are not really important to those who develop other kinds of applications. Why should such customers pay for unnecessary functionality?

That's why we decided to create two editions:

  • The Std edition will include all features necessary for general-purpose imaging applications. For example:
    • Basic imaging functionality (image resize, crop, rotate, etc.).
    • Support for common image formats like JPEG, GIF, PNG, BMP, etc.
    • Visual controls (both for Windows and Web development).
    • Text rendering (including multiline and formatted text), as well as other drawing features.
    • All addons except Advanced PSD.
  • The Pro edition will include the features of the Std edition plus print-business-specific functionality, namely:
    • PDF output.
    • Multi-channel and multipage TIFF support.
    • Color management (ICC profiles, etc.).
    • CMYK color space and extended pixel formats (16 bits per channel).
    • x64 version.
    • OpenMP-powered resize (parallel computations).
    • Advanced PSD addon.

As you can see, we decided to include the addons in the editions to make things simpler.

Licensing model changes

Our current licensing may seem inconsistent. It defines different rules for Windows and Web applications, and may look a bit unclear when compared with competitors' terms. This licensing model is a kind of legacy, and it is time to follow the same rules as other imaging library vendors do.

The main thing we did was to separate the right to develop an application using Graphics Mill (the so-called SDK license) from the right to run an application with Graphics Mill in a production environment (the so-called deployment license). So now the licensing model looks as follows.

  • To include Graphics Mill in an application of any type, you purchase an SDK license (licensed per developer).
  • To distribute the application, you need an appropriate number of deployment licenses:
    • If this is an end-user desktop Windows application, a royalty-free deployment license is included in the SDK.
    • If this is a web application, a deployment license must be purchased per server.
    • If this is a kiosk application (i.e. the target computer is accessible to multiple people in a public place), special deployment licensing is required.

 

So these are the main changes in the Graphics Mill licensing model. If anything is unclear, feel free to post a comment. I will be happy to answer all your questions.


Alex Makhov - Image Uploader father - leaves Aurigma

by Andrew 4/10/2008 1:22:00 AM

This post is inspired by a pretty sad event. Alex Makhov, one of the oldest Aurigma team members, leaves our company today. He brought our main product, Image Uploader, from the awkward $50 ActiveX control of version 1.0 to the current powerful solution used by many major Web 2.0 players. He did a great job, but he had to move to another city due to family circumstances. So I personally and the whole Aurigma team wish him good luck in his new life and thank him for all the years he spent with us.

But life goes on, and Image Uploader is still actively evolving. Our CTO Dmitry will take care of this project from now on. We have a lot of great plans for this product, and Alex's departure will not break them. I will be glad to share these plans in my future posts. ;-)

That's all for now. Stay tuned! 


Official security bulletin

by Andrew 3/24/2008 1:12:00 AM

Hi again,

In my previous post I mentioned the release of Image Uploader 5.1 (and 4.7), which has a number of security fixes (a few known heap overflows and a bunch of potential problems). To prevent malicious persons from exploiting these issues, we are releasing a killbit for all versions and strongly recommend that each Image Uploader customer get the update (which is free for the appropriate major build).

A few words about the killbit. I have already given some comments on what a killbit is and why we should use it in the post Image Uploader is safe again. Now let's see how the killbit is installed on a client machine. There are three ways:

  1. The killbit is set along with the new version. So when the new ActiveX control is downloaded and installed, the old CLSIDs become disabled.
  2. The killbit can be installed manually. To do this, just download the AurigmaKillbit.reg file and run it (may require administrative rights).
  3. The killbit will be installed with Internet Explorer security updates. I cannot give an exact time frame for this until I get approval from Microsoft, but it will not happen earlier than in 2-3 months.

Below is a list of the CLSIDs which are killbitted and their replacement CLSIDs.

Old CLSID                               New CLSID                               Control

Standard builds:

6E5E167B-1566-4316-B27F-0DDAB3484CF7    EDFCB7CB-942C-4822-AF14-F0B687409848    Image Uploader 4
BA162249-F2C5-4851-8ADC-FC58CB424243    5D637FAD-E202-48D1-8F18-5B9C459BD1E3    Image Uploader 5
652623DC-2BB4-4C1C-ADFB-57A218F1A5EE    FB5C74A8-48D0-42A3-B47F-6896F94DFC21    Upload Items 4
9275A865-754B-4EDF-B828-FED0F8D344FC    59BA14C3-B5CD-4DFF-8256-25961756B9B4    Upload Items 5
E1A26BBF-26C0-401d-B82B-5C4CC67457E0    D6216AB8-9FF8-47C6-A2E7-49491B39C857    File Downloader

Private-label builds, File Downloader:

6C095616-6064-43ca-9180-CF1B6B6A0BE4    BC9C7884-D1F5-4E67-80F2-C67AE8C62701

If you have a private-label version and do not see your CLSID there, please contact us at support@aurigma.com.

UPDATE (03/27/2008):

A few other CLSIDs were added to this killbit (see below). No more changes will be made to it though.

Also, I have got confirmation from Microsoft that these CLSIDs will be killbitted in June.

Old CLSID                               New CLSID

Private-label builds, Image Uploader 4:

A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98    B48C6F3D-3AB9-4DAA-A24C-7D6570FFACEC
5C6698D9-7BE4-4122-8EC5-291D84DBD4A0    23E0446E-BFBD-4E70-97F1-25549A1F284E

Private-label builds, Upload Items 4:

E4C97925-C194-4551-8831-EABBD0280885    0E519CCA-A262-4EC1-BD7F-AEB9168F0EAB
CC7DA087-B7F4-4829-B038-DA01DFB5D879    F7D4E441-BC09-4592-8CC3-75C0558187F5


Image Uploader is reborn - better security and new CLSIDs

by Andrew 3/21/2008 1:31:00 AM

Hello there,

I have an exciting update about the security issue: we have completed all of our audits and feel we have secured Image Uploader. As I described in my previous post, today we have released an updated version of the Image Uploader ActiveX control, version 5.1. The main difference from 5.0.40 is that it has different CLSIDs.

This release took a bit longer than we expected, as we ran into a rather interesting problem. Once we had compiled the CLSIDs we need to killbit, we started trying to contact Private Label and Source Code customers to provide them with updated builds of their code. To our amazement, many of them seem to be ignoring us!

We strongly advise Private Label and Source Code customers who have received emails or phone calls from us to respond as soon as possible. For those of you who have, thank you for your prompt response. But we should be clear: at some point we will, as a responsible software developer, have to send all CLSIDs that are at risk to Microsoft to killbit.

WHEN THIS HAPPENS, ALL AT-RISK VERSIONS OF IMAGE UPLOADER will be DISABLED and will not run on client computers.

So let's all be good to ourselves and our clients' computers... Let's work together and get updated as soon as possible. Please also keep the information in your accounts up to date. If this is mission-critical software for your company, then we should have very open communication. Don't ever worry about us sending you spam or pressing you to buy something. We need to be able to communicate with you for the security and safety of you as our customer and of your clients as your customers.

Downloads

So now you can download 4 different versions of Image Uploader:

  • Image Uploader 5.1.0 (and above) - the safe version with new CLSIDs. This is what people will download by default. Update to this build if you have version 5.0.
  • Image Uploader 4.7.0 - the safe version of the 4.x family with new CLSIDs. Update to this build if you have version 4.x.
  • Image Uploader 5.0.41 - the latest version of 5.0 with old CLSIDs.
  • Image Uploader 4.6.31 - the latest version of the 4.x family with old CLSIDs.

Note that all of them are safe, but it is not a good idea to keep builds with old CLSIDs for too long. More and more people will install the killbit, and sooner or later Microsoft will include it in the next security update. After that, all users who get Windows updates automatically will have problems loading Image Uploader with old CLSIDs. So if for some reason you need versions with old CLSIDs, you can use them, but for no longer than a couple of months. You should migrate to the new builds ASAP.

Migrating to new safe build 

In fact, the migration process is very simple, especially if you did not modify iuembed.js. You just update Image Uploader as usual, with only one additional action: you overwrite not just the .cab and .jar files but iuembed.js as well. That's all.

If you modified iuembed.js or embedded it inside your page, it will be slightly more complicated. You will have to find where the old CLSID is inserted and replace it with the new one. I will post a list of CLSID changes in my next post.

Also, you can use the activeXClassId property of the ImageUploaderWriter control, although I would not recommend this. If you create a new page with Image Uploader from scratch in the future, you may forget to insert the new CLSID. So the better idea is to fix iuembed.js.
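The "find the old CLSID and replace it" step, as an added PowerShell example that is not part of Image Uploader's own files: it scans a site directory for the old standard-build CLSIDs from the security bulletin above and reports or rewrites them with the replacement ones. The site path, the file extensions and writing files back as UTF-8 are assumptions; private-label CLSIDs are not covered.

```powershell
# Added example (not Aurigma's code): locate and rewrite old standard-build Image Uploader
# CLSIDs in hand-edited iuembed.js copies and inline <object> tags.

# Old -> new CLSIDs of the standard builds, as listed in the security bulletin.
$ClsidMap = @{
    '6E5E167B-1566-4316-B27F-0DDAB3484CF7' = 'EDFCB7CB-942C-4822-AF14-F0B687409848'  # Image Uploader 4
    'BA162249-F2C5-4851-8ADC-FC58CB424243' = '5D637FAD-E202-48D1-8F18-5B9C459BD1E3'  # Image Uploader 5
    '652623DC-2BB4-4C1C-ADFB-57A218F1A5EE' = 'FB5C74A8-48D0-42A3-B47F-6896F94DFC21'  # Upload Items 4
    '9275A865-754B-4EDF-B828-FED0F8D344FC' = '59BA14C3-B5CD-4DFF-8256-25961756B9B4'  # Upload Items 5
    'E1A26BBF-26C0-401D-B82B-5C4CC67457E0' = 'D6216AB8-9FF8-47C6-A2E7-49491B39C857'  # File Downloader
}

# One regex alternation of all old CLSIDs. Matching is case-insensitive, so lower-case
# copies (as in some hand-written classid="clsid:..." attributes) are found too.
$OldClsidPattern = ($ClsidMap.Keys | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-OldClsid {
    # Lists every file and line that still references an old CLSID, with its replacement.
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Include = @('*.js', '*.htm', '*.html', '*.aspx', '*.php', '*.jsp')   # assumption
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include |
        Select-String -Pattern $OldClsidPattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                [pscustomobject]@{
                    File     = $_.Path
                    Line     = $_.LineNumber
                    OldClsid = $m.Value
                    NewClsid = $ClsidMap[$m.Value.ToUpperInvariant()]
                }
            }
        }
}

function Update-OldClsid {
    # Rewrites old CLSIDs in place. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Root)
    $files = Find-OldClsid -Root $Root | Select-Object -ExpandProperty File -Unique
    foreach ($file in $files) {
        $text = [System.IO.File]::ReadAllText($file)
        $new  = [regex]::Replace($text, $OldClsidPattern,
                    { param($m) $ClsidMap[$m.Value.ToUpperInvariant()] },
                    [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
        if ($new -ne $text -and $PSCmdlet.ShouldProcess($file, 'replace old CLSIDs')) {
            # Written back as UTF-8 without BOM (assumption); adjust if your files use another encoding.
            [System.IO.File]::WriteAllText($file, $new)
        }
    }
}

# Preview what is still referencing an old CLSID, then apply (site root is an assumption).
Find-OldClsid -Root 'C:\inetpub\wwwroot' | Format-Table -AutoSize
# Update-OldClsid -Root 'C:\inetpub\wwwroot' -WhatIf
```

After rewriting, re-run Find-OldClsid; an empty result means no page on that server still points at a CLSID that the killbit will disable.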

 

Well, it seems we have overcome this issue at last. Of course we will not stop keeping an eye on security, but we can get back to improving Image Uploader's functionality. We are going to implement exciting new features like video upload and more. But this is a matter for a separate series of blog posts.


Image Uploader is safe again!

by Andrew 2/13/2008 1:08:00 AM

It may sound too bold, but I think we can say so now. We got rid of all known vulnerabilities (we found a few new ones while testing/refactoring IU). The "exterior perimeter" code was seriously analyzed. All suspicious portions of code (primarily legacy ones) were totally revised and rewritten using a safe programming approach. Wherever we had time, we fixed "internal" code as well (we still have a lot of work to do, but this is less critical). We ran a number of new tests which pass "garbage" into params and checked how Image Uploader deals with it.

As a result, we have released version 5.0.40 (and 4.6.30 for those who have not upgraded yet). We claim these versions to be secure enough, although we realize that bad things happen and we could have overlooked something. That's why we reserved some time for security guys to try it. If no more problems are found (I hope so), we will killbit the old vulnerable versions.

About killbit 

You may wonder what the heck a killbit is. The idea is simple. As you may know, each ActiveX control (including IU) is identified by a CLSID. There is a special section in the registry which lists the CLSIDs of controls that should not be loaded by IE. "To killbit the control" means to put the CLSID of this control into this section. More information on this can be found in the Microsoft Knowledge Base.

UPD: For those who are looking for more comprehensive information about the killbit and how it works, see the Kill-Bit FAQ posted on the Microsoft TechNet blogs: part 1, part 2, and part 3. Thanks to Elazar Broad for these links.
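To make the registry mechanism concrete, here is an added PowerShell example that is neither Aurigma's AurigmaKillbit.reg nor part of the original post: it audits, and with -Fix sets, the kill bit for the old standard-build CLSIDs listed in the security bulletin above (the three installation routes the bulletin describes all end up writing this same value). It assumes the Compatibility Flags location documented by Microsoft in KB 240797 and the Wow6432Node view for 32-bit IE on 64-bit Windows.

```powershell
# Added example (not Aurigma's code): audit and optionally set the Internet Explorer kill bit
# for the old standard-build Image Uploader CLSIDs. IE refuses to load a control whose CLSID
# has a key under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# with the DWORD "Compatibility Flags" having bit 0x400 set (Microsoft KB 240797).

$KillBitFlag = 0x400

# Both registry views; the Wow6432Node one is what 32-bit IE reads on 64-bit Windows
# (assumption: the 32-bit view is the relevant one for this 32-bit ActiveX control).
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Old (kill-bitted) CLSIDs of the standard builds, as listed in the security bulletin.
$OldClsids = [ordered]@{
    'Image Uploader 4' = '6E5E167B-1566-4316-B27F-0DDAB3484CF7'
    'Image Uploader 5' = 'BA162249-F2C5-4851-8ADC-FC58CB424243'
    'Upload Items 4'   = '652623DC-2BB4-4C1C-ADFB-57A218F1A5EE'
    'Upload Items 5'   = '9275A865-754B-4EDF-B828-FED0F8D344FC'
    'File Downloader'  = 'E1A26BBF-26C0-401d-B82B-5C4CC67457E0'
}

function Get-CompatFlags {
    # Returns the Compatibility Flags DWORD for a CLSID in one view, or $null if absent.
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root ('{' + $Clsid + '}')
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $flags = Get-CompatFlags -Root $Root -Clsid $Clsid
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # ORs the kill bit into any existing flags so other compatibility bits are preserved.
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root ('{' + $Clsid + '}')
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = Get-CompatFlags -Root $Root -Clsid $Clsid
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBitFlag) -Type DWord
}

function Invoke-KillBitAudit {
    # Reports each old CLSID per registry view; -Fix sets missing kill bits (needs an elevated shell).
    param([switch]$Fix)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on 32-bit Windows
        $view = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
        foreach ($entry in $OldClsids.GetEnumerator()) {
            $set = Test-KillBit -Root $root -Clsid $entry.Value
            if (-not $set -and $Fix) {
                Set-KillBit -Root $root -Clsid $entry.Value
                $set = Test-KillBit -Root $root -Clsid $entry.Value   # re-read to confirm
            }
            [pscustomobject]@{
                Control = $entry.Key
                Clsid   = $entry.Value
                View    = $view
                KillBit = $set
            }
        }
    }
}

Invoke-KillBitAudit | Format-Table -AutoSize
# Invoke-KillBitAudit -Fix   # run from an elevated PowerShell prompt to set missing kill bits
```

A row with KillBit = False on a client means that view of IE would still load the old control, whichever of the three installation routes was expected to have set it.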

Killbit and Image Uploader  

Now, let's see how we will handle this. When we are assured that no more security bugs are found, we will release a new version of Image Uploader which will have a new CLSID. Hopefully it will happen right after the weekend. After that we will urge users to killbit the old version by all possible means. In particular:

  • The killbit will be automatically set when the new Image Uploader is installed.
  • We will publish a .reg file which will set the killbit. Hopefully security advisory websites will not mind putting it in the issue resolution sections of their Image Uploader reports.
  • The strongest thing: Microsoft will (likely) include this killbit in their security bulletin a few months after we publish it. So it will be installed automatically through their update system.

Killbit and Aurigma customers 

Let's examine the aftermath of the killbit for our customers.

  1. Every Image Uploader customer should install the update with new CLSIDs. Let me repeat: EVERY customer! It is not a matter of wanting to make users' lives safer. As soon as Microsoft deploys the killbit, the vulnerable version will just stop working (at least for those who install updates in a timely manner).
  2. As follows from the previous point, there is not much sense in installing version 5.0.40 or 4.6.30 unless you would like to test it. You will have to update it in several days anyway.
  3. The new version will have a new CLSID, so you should take this into consideration when you install the update. For most customers it will just mean that they should overwrite not only the .cab and .jar files but also iuembed.js (do not forget to change the version number in the initialization code!). If someone changed iuembed.js or pasted it into an HTML page, do not forget to change the CLSID.
  4. Private-label customers will have to contact us and get the latest build. Of course at no cost (provided, of course, it is the latest build of the same major version).

Additional security shield for private-label versions

When we examined how to make the ActiveX control more secure, we found out that Internet Explorer has a mechanism which allows an ActiveX control to be made usable only on certain websites (domains). Of course we cannot utilize it for the standard version (since it is used on thousands of websites), but we can easily restrict Image Uploader to a specific host domain when we prepare a private-label version.

So even if some security flaw is found in the future, no one will be able to exploit it with a private-label version. It will be applicable to the standard build only. I cannot name the owners of private-label versions; however, some of their Image Uploader builds are much more widespread than the standard one, and these companies are much more public than Aurigma. So journalists from IT magazines will have to look for other sources for a sensation... :-)

 

That's all for today. Stay tuned! 


Another security problem - oh, not again

by Andrew 1/31/2008 1:51:00 PM

In short 

I have two pieces of news: a bad one and a good one.

  1. The bad news: we received a report about one more security issue in Image Uploader.
  2. The good news: the problem occurs in version 4.5.70 only. All later builds (including version 5) are not affected by this problem.

Now let's look at this in a bit more detail.

Details 

Yesterday I got a message from Elazar Broad, the guy who posted a security issue report in November. This time he reported that he had tested build 4.5.70 and found a heap overflow issue in the Action param. He created an exploit which runs the calculator app when a page with Image Uploader is opened. You see, this is a really serious problem. If hackers created an exploit, they would be able to run anything more dangerous than the calc app.

I brought it to the attention of the Image Uploader development team immediately. A few hours later we got a call from Computer World; they asked to hear our comments on this. As a result, they published an article about it.

Meanwhile, during our investigation, we found out that the problem does not affect the latest version. Looking at this more closely, we found that it had been fixed in the build following the infamous 4.5.70. After that hotfix release we audited and refactored a lot of potentially buggy code, and managed to fix it without any clue that we had fixed such a serious flaw.

Conclusions 

So everyone who has upgraded Image Uploader to 5.0, or at least to a build higher than 4.5.70, can have no worries. The latest builds of Image Uploader (both 4.x and 5.x) are not vulnerable to the problem reported by Elazar. Version 3.5 is not vulnerable either.

If you have updated to 4.5.70 (or for some reason overlooked the previous security update and did not get it), you should either update to the most recent build of the 4.x family or upgrade to version 5.0. Here are the links:

  • Image Uploader 4.6 SDK - you will find the updated .cab file after SDK installation in the C:\Program Files\Aurigma\Image Uploader 4.6 Dual\ folder (or wherever you installed it).
  • Upgrade FAQ with information about the upgrade policy and links to the appropriate online store items.

If you are not sure which version you have, do not hesitate to contact us.

What Next? 

We always take all these security challenges very seriously. This is only the second security flaw in the 5-year history of Image Uploader. Over these 5 years, hundreds of millions of people have uploaded files through it, so we have to take care of it.

So both of these security holes are a reason for us to look through all our code more thoroughly. We did some refactoring after discovering the first security bug, but at that time we were on a tight schedule (we were trying to release 5.0 within 2007), so we stopped once we had made the most obvious improvements.

Now we have no heavy time limitations, so we are going to do a detailed code review with a heavily paranoid approach. As a result we will have versions (both 4 and 5) which are more secure and reliable than ever.

So keep an eye on this and do not forget to update Image Uploader timely!


Aurigma on Facebook (updated)

by Andrew 1/24/2008 1:10:00 AM

I wonder why we did not do it much earlier, but better late than never. I have just created an Aurigma community group on Facebook. Everyone who uses or used Aurigma products, or is just interested, is welcome to join us!


About Aurigma Forge

by Andrew 1/23/2008 4:58:00 PM

A few days ago my colleague Fedor added a short blog post about the ASP.NET wrapper control for our product Image Uploader. In fact, this control starts the real implementation of an initiative we call Aurigma Forge. I would like to tell you about it in more detail. Alex mentioned it earlier, but I think it is high time to give more information about it.

What is Aurigma Forge?

In short, this is a series of open-source projects based on our products, Image Uploader and Graphics Mill. We publish these projects on our website, and everyone can download, use, modify, and of course share them with others. At the first step we will develop them actively ourselves, but we highly encourage everyone to join us.

How does it work?

It works very simply. For each product line we have a subforum on our forums called Community Projects. Everyone who wants to submit a project just creates a post with the source code and some information about it (how to use it, etc.). Other people who are interested in taking part in the project just post replies and share their modifications if necessary.

Currently there is only one such subforum, in the Image Uploader block, but we plan to add a Graphics Mill community projects subforum in the near future.

Initially we planned to deploy a source code repository like on sourceforge.net (yes, they inspired the initiative's name :) ). But then we thought that it would complicate things. If the projects become popular and there are a lot of contributors, we will definitely make one available. But until then we decided to keep things simpler.

What kind of projects will be launched? 

You may wonder what kind of projects these can be. For now they are:

  • Image Uploader related
    • ASP.NET wrapper control which radically simplifies Image Uploader usage for ASP.NET developers.
    • Plugins for different CMS systems like WordPress, DotNetNuke, Cuyahoga, Joomla, etc. They will be more or less ready-to-use photo galleries. This may be seen as a resurrection of the Media Gallery product line with a new, contemporary vision.
  • Graphics Mill related
    • Editor for photo gifts (mugs, t-shirts, etc.)
    • Real-life app for business card editing (based on the Advanced PSD addon)
    • Most of the current demo apps; we hope for your feedback so that we can understand what to improve there.

If you have ideas for other projects, do not hesitate to post a comment! Any other feedback is welcome as well.


Image Uploader licensing FAQ

by Andrew 1/6/2008 7:01:00 PM

We have noticeably reworked the portion of the website related to Image Uploader pricing and licensing. Since Image Uploader licensing plans have become more complicated, we have created a separate section containing a well-structured FAQ describing all possible options:

http://www.aurigma.com/Products/ImageUploader/Licensing.aspx

Also, since the number of Image Uploader-related online store items was exceeding all reasonable limits, we have grouped them on the purchase page:

http://www.aurigma.com/Products/ImageUploader/PricingLicensing.aspx

As always, I highly appreciate any feedback. If something is unclear or you have any additional questions, do not hesitate to let me know. I will try to explain it better.


Powered by BlogEngine.NET 1.2.0.0
Theme by Mads Kristensen


Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2008