PMA 2010

posted by Andrew on 31 January 2010, 22:24

Hello everybody!

Just want to let you know that I am going to visit the PMA 2010 expo, which will take place in Anaheim, CA from Feb 21 through Feb 23. If anyone is interested in meeting me to discuss deals regarding our products or anything else, feel free to drop me a note at a.simontsev @ aurigma.com.

New phone number

posted by Andrew on 19 January 2010, 23:59

Hi there,

This is just a quick update. We have opened a toll-free number. Feel free to call us at 800-661-8190.

The old number is still active, so you can keep using it, but I would recommend the new one. Phone calls are not immediately forwarded from the old number, so you will have to wait an extra 3-4 rings before we answer you.

Security bulletin #2 - new Image Uploader security update

posted by Andrew on 3 August 2009, 00:01

Hi there,

As you probably noticed, we released Image Uploader 6.1 this weekend. The main reason we did it is to fix the security vulnerability reported to us by Microsoft.

Guys from the Microsoft Security Response Center contacted us about a week ago and told us that they had discovered a vulnerability in ATL (the Microsoft library which comes with Visual Studio and is intended to simplify ActiveX development). This vulnerability impacts all ATL-based ActiveX controls, including Image Uploader. Microsoft has published a description of this vulnerability here:

http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

In version 6.1 we have eliminated this vulnerability. Although Microsoft has also released a security update for Internet Explorer which patches this security hole, it is highly recommended to update Image Uploader to the most recent build (6.1.1 or higher). Also, this week we will release updates for versions 4.7 and 5.7, so if you do not use version 6 yet, you will still have a chance to use a safe version.

Now, here is a short FAQ:

Q: Is this vulnerability dangerous? How can malicious persons use it?

This vulnerability allows an attacker to instantiate an arbitrary ActiveX control by passing its CLSID to Image Uploader. So to exploit this vulnerability, a number of requirements must be met:

  1. A malicious ActiveX control must already be installed on the client computer somehow (through trojans, spyware or otherwise).
  2. A malicious HTML page must be created and either injected via a cross-site scripting attack or placed on a phishing website.
  3. The user with the malicious ActiveX control and the unsafe Image Uploader must open this HTML page.

So it is not easy to attack, but it is still realistic.

Q: Microsoft released an Internet Explorer update which fixes this problem. Why update Image Uploader?

After the user installs IE update 972260, this attack is indeed impossible even with Image Uploader version 6.0. But you cannot guarantee that all users will install this update. That's why updating Image Uploader decreases the probability of security attacks against your users.

Q: Did you killbit old Image Uploader?

No, this time we decided to make both your life and ours easier and released safe versions with the old CLSIDs. Let me explain why.

The main killbit distribution channel is the Microsoft update system. We would just pass all "unsafe" CLSIDs to the guys from Microsoft and they would include them in some IE security update, as they did one year ago. But those users who install IE updates on a regular basis will install the aforementioned update 972260, which eliminates this vulnerability. So a killbit would not increase the security level for them.

On the other hand, those users who ignore security updates would not get a killbit update either. Therefore the killbit would not help them either.
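For readers who want to verify the killbit state on an actual machine rather than reason about it: Internet Explorer enforces a killbit through the registry value `Compatibility Flags` (bit 0x400) under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, and a vendor can point a killbitted CLSID at a replacement through the `AlternateCLSID` value in the same key. The following is an added example, not code from Aurigma or from this post. It parses the text of a `reg export` of that key (a constructed sample is embedded, with placeholder CLSIDs rather than Image Uploader's real ones) and reports which CLSIDs carry the killbit; the same parser works on an export taken from a real machine.

```python
import re

# Bit in "Compatibility Flags" that Internet Explorer treats as a killbit (0x400).
KILLBIT_FLAG = 0x400

# Constructed sample of what `reg export` of the ActiveX Compatibility key
# looks like. CLSIDs are placeholders, not Aurigma's real control CLSIDs.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000404
"AlternateCLSID"="{00000000-0000-0000-0000-000000000004}"
"""

# Matches the key header line for one CLSID. The pattern deliberately does not
# anchor on the hive prefix, so a Wow6432Node export (32-bit IE on 64-bit
# Windows) is handled the same way.
KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')
ALT_RE = re.compile(r'^"AlternateCLSID"="(\{[0-9A-Fa-f-]{36}\})"$')


def parse_compat_entries(reg_text):
    """Return {clsid: {"flags": int, "alternate": str|None}} from .reg export text.

    A key with no "Compatibility Flags" value is recorded with flags 0, since
    IE applies no restriction in that case.
    """
    entries = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            entries.setdefault(current, {"flags": 0, "alternate": None})
            continue
        if current is None:
            continue
        m = FLAGS_RE.match(line)
        if m:
            entries[current]["flags"] = int(m.group(1), 16)
            continue
        m = ALT_RE.match(line)
        if m:
            entries[current]["alternate"] = m.group(1).upper()
    return entries


def killbitted_clsids(reg_text):
    """Sorted list of CLSIDs whose Compatibility Flags include the killbit."""
    entries = parse_compat_entries(reg_text)
    return sorted(c for c, e in entries.items() if e["flags"] & KILLBIT_FLAG)


def is_killbitted(reg_text, clsid):
    """True if the given CLSID (any case) is killbitted in this export."""
    entries = parse_compat_entries(reg_text)
    entry = entries.get(clsid.upper())
    return bool(entry and entry["flags"] & KILLBIT_FLAG)


def alternate_for(reg_text, clsid):
    """The AlternateCLSID IE would load instead of the given one, or None."""
    entry = parse_compat_entries(reg_text).get(clsid.upper())
    return entry["alternate"] if entry else None


if __name__ == "__main__":
    for clsid in killbitted_clsids(SAMPLE_REG_EXPORT):
        alt = alternate_for(SAMPLE_REG_EXPORT, clsid)
        print(f"{clsid} is killbitted" + (f", redirected to {alt}" if alt else ""))
```

To run it against a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` and read the file with `open("compat.reg", encoding="utf-16")`, since `reg export` writes UTF-16. The third sample entry shows the alternative the post decided against: keep the old CLSID killbitted and redirect it to a new one, instead of shipping the fixed build under the old CLSID.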

Q: I am afraid that this Image Uploader update will break something on my website. What do you think?

Version 6.1.1 has very few changes compared to the previous build 6.0.16. So if you use the latest version, you can safely update it. Anyway, if you encounter any problems, feel free to contact our support people. We will be happy to help you.

Q: Does it cost me anything to update? 

No, it is free. You get a free update for the major version you have: for version 4.x you get 4.8, for version 5.x you get 5.8, for version 6.0 you get 6.1.

But if you have, say, version 4.7 and want to get version 6.1 instead of 4.8, you should upgrade as usual. Feel free to contact our sales team for more information.

Q: Is the Java version vulnerable as well?

This problem affects the ActiveX version only.

Some comments regarding new licensing policy for Image Uploader 6

posted by Andrew on 8 June 2009, 00:03

Hi there,

We made pretty serious changes in the licensing policy for Image Uploader 6. It differs from the old one, and some people may be confused by it. However, I strongly believe that it is much more straightforward. That's why I decided to write this post to explain our point of view on the licensing questions.

Single Domain vs. Express/Standard/Professional

From the very first version of Image Uploader, the primary license type was a Single Domain license. It was issued for a website with one fully-qualified domain name, and it was limited to a single server. For more servers, a separate license type called the Web Farm license was provided (the reason why multiple servers require additional licenses is outlined below). Things got complicated when such websites required multiple domains, etc.

Taking into account our past experience with customers' licensing demands, we have reviewed our licensing system. Now each website requires only one license. This license allows using it with a single server and one domain (other limitations are omitted for brevity, so refer to the licensing pages for more details). If this is not enough, you should extend the license with so-called connectors. There are two kinds of connectors: server connectors and domain connectors.

This license plan is called Standard. It has a sibling, a license plan called Professional. The only difference is that the Professional version includes some additional features primarily of interest to photo printing companies.

These license plans are more consistent compared to the Domain and Web Farm licenses. However, they may seem pretty expensive to a number of customers. But we wanted to keep Image Uploader affordable for startups and small websites as well. That's why we offer an Express license plan in addition to Standard/Professional. It is very similar to the good old Domain License, but it includes fewer technical support features.

I would like to comment on this point about support. For a long time, our policy was to provide the same level of technical support to everyone. But in the course of time we got a number of customers who have special requirements for support: a guaranteed response time. That's why we made a difficult decision: we provide unlimited high-quality technical support with a guaranteed reply within 24 hours to Standard/Professional customers only.

But it does not mean that Express customers do not get any support at all. They can still submit up to 2 cases, and of course they can post messages on the forums. According to our statistics, this should satisfy a large number of our customers.

About Server Connectors

Some people wonder why the price for client-side software like Image Uploader depends on the number of servers, their CPUs, etc. Let me explain.

The ideal fair measure for a software price would be the intensity of its usage. When we talk about common standalone desktop applications, it is easy to estimate: the number of workstations where the software is installed is a good approximation. That's why this licensing model is so popular for such applications.

However, when we consider an application such as Image Uploader, it is not so easy. On one website Image Uploader may be downloaded by 1000 people, on another one by 1000000 people. And the worst thing is that a website owner is not always even able to calculate this number. We see the same situation if we try to use a similar metric, like the amount of uploaded data or something like this.

That's why we decided to use another metric: the power of the server side which processes the upload (i.e. the number of servers, etc.). This value is clear and easily managed by the website owner. And it seems fair enough, because it is unlikely that someone will purchase and configure a large web farm and leave it idle. So to make the licensing policy scalable, we just deem each additional server, CPU, or CPU core a separate unit which requires purchasing a connector to the main license.

The arguable question here is whether to interpret multi-core CPUs in the same way as multiple single-core CPUs. On the contemporary market all new server CPUs are almost always multi-core, so it may not seem a very good idea. But on the other side, it is obvious that a 32-core SPARC is not the same as a typical multi-core Intel or something like this. So the decision worthy of Solomon would be to set a threshold value for the number of cores which divides typical multi-core CPUs from something special like SPARC. In our case we consider CPUs with up to 8 cores as a single unit.

And the last aspect I would like to discuss regarding server connectors is what to do if you use virtual hosting rather than run on real servers. This is especially relevant because of the growing popularity of services such as Amazon EC2 and similar.

Of course we do not expect anyone to purchase licenses for all the underlying hardware of Amazon EC2. Virtual hosting providers allocate resources in so-called Computing Units. Each such Computing Unit has power comparable to a common server with a typical configuration. That's why we just interpret such Computing Units as servers requiring connectors, not the real underlying hardware.

Single-owner Website vs. SaaS/Commercial Apps

In the previous section I explained how we make the price scalable based on the product usage intensity. But this is not the only parameter which should be considered. One more crucial parameter is whether the website is used by a single owner or it is an application used by multiple third-party companies.

Imagine you build Image Uploader into a CMS engine. You host this engine on your server, give your customers an account, and let them create websites based on it. From our point of view such usage of Image Uploader may be interpreted as reselling to third parties.

In such a situation the Express/Standard/Professional license plans do not work. This is where we use the classic license model of the software component market. The idea is the following: instead of purchasing a website license with connectors, you purchase SDK licenses per developer at the application development stage, and when you run it in production, you purchase deployment licenses per client.

Depending on your situation and what is preferable for you, you either purchase blocks of deployment licenses which cover all your present and future customers, or acquire a license for each separate customer. But the general rule is simple: the price depends on the number of your customers, not on the intensity of the software usage.

We have distinguished single-tenant and multi-tenant applications for quite a long time (at least since version 5.0 or even earlier), but earlier it was less obvious, and it led to misuse of some old license types. Hopefully now we have managed to make it clearer.

Where is an IP license?

One of the main questions our previous customers may have is what the analogue of the IP license is. This is quite an ambiguous question. The answer depends on the nature of the website you run.

1. If you have a single-owner website and need the IP license to cover all its domains (e.g. www.example.com, www.example.net, www.example-alias.com, subdomain.example.com etc.), you should switch to a Standard or Professional license + the appropriate number of domain connectors. If the number of domain connectors is not reasonable, we can provide special connectors for an IP address or a whole domain tree on special request.

2. If you have a hosted application, you should switch to the SDK/deployment model. If the number of clients of your application is more or less constant and does not grow extensively, most likely the deployment fee will be a block of licenses which covers all your customers for the nearest year or other period of time.

Holders of the old IP license may have a concern about the price of a deployment license block or IP connector. However, I would like to assure you that there will be no price skyrocketing. At least its order is the same as for old-fashioned IP licensing.

I hope I have shed some light on the new license policy and made it clearer. If you have any feedback or would like me to write one more post about some aspect of licensing questions, do not hesitate to leave a comment here.

Image Uploader and Drupal

posted by Andrew on 13 March 2009, 22:34

Hello,

Today I was amazed to learn that Image Uploader is popular enough to cause the open-source community to create applications which use Image Uploader. I have discovered an Image Uploader based addon for Drupal, a very popular open-source CMS. It is called Aurigma Uploader for ImageField. It allows uploading files as attachments to the pages and stories posted on the website. This addon was submitted to the Drupal website by Aaron Wolfe.

Although this addon is pretty raw (I had to modify the source code to get it working, and it still displayed some warnings), it was great to learn that such an addon exists. I believe it will be improved and people will find it useful.

I had an idea about a series of addons for various open-source CMSes, but unfortunately we did not have enough resources to get deeply involved in it. I am glad to know that the open-source community finds it interesting to do.

By the way, if Aaron or any other person involved in this addon's development needs any assistance with it, we will be happy to help. Just let us know.

Aurigma re-organization

posted by Andrew on 31 October 2008, 16:53

I have some news which is quite important for us. Aurigma has been re-organized. From now onward Aurigma Inc is a Virginia-based company. The new address can be found on the Contact Us page.

Our Tacoma, WA office has been closed. Please do not call there anymore. The new phone number is 703.348.7804.

Aurigma Image Uploader and Norton Antivirus - good news

posted by Andrew on 21 August 2008, 19:14

To follow up my previous post about Symantec: I have good news. Norton Antivirus does not block Image Uploader anymore. On the day after the Microsoft advisory was released, the guys from Symantec removed Image Uploader from the stop list. I might have posted this earlier, but I decided to wait for a confirmation from Symantec officials.

So if anyone has users complaining about Norton Antivirus (or other Symantec apps) blocking Image Uploader, just tell them to get the latest updates. It should resolve the issue.

Aurigma Image Uploader vs. Norton Antivirus

posted by Andrew on 13 August 2008, 21:17

It turned out that the vulnerabilities in Image Uploader caused not just the killbit problem, but led to one more aftermath. We are getting more and more complaints from our customers that end users experience issues with Image Uploader if they have Norton Antivirus installed. After some investigation we found out that Symantec specifically added Image Uploader to the threat list in one of their updates. And, perhaps unlike the killbit, Norton affects the new secure version.

I have just posted my suggestions on how to handle this to the Image Uploader FAQ forum:

http://www.aurigma.com/Forums/yaf_postsm9838_Image-Uploader-and-Norton-Antivirus.aspx

We will definitely make some more detailed investigations on this (which exact builds are affected, etc.) and publish additional information in that post. Also, we are going to contact Symantec and try to come to some solution.

Killbit has been released at last

posted by Andrew on 12 August 2008, 16:31

As I announced a week ago, Microsoft has released a security update which includes killbits for old vulnerable builds of Image Uploader. Read Microsoft Security Advisory (953839) for more details on this.

Not just our software has been included in this advisory. It also includes Hewlett-Packard's Instant Support application. According to the story in Computerworld, in earlier advisories Yahoo's and Logitech's software were killbitted.

So now I want to thank all the guys from the Microsoft Security Response Center I dealt with for their assistance. I highly recommend all ActiveX control vendors (if any of them are reading this post ;-)) to contact Microsoft in case of such security issues. It is the best way to eliminate the aftermath of security bugs. Although the really best way is to avoid security flaws at all. :-)

Thanks for your attention. I hope this is the last time I tag my post with "security issue" or "killbit", and my further posts will be related to more pleasant things like news about future releases and so on. Stay tuned!

Microsoft is going to killbit insecure version of Image Uploader within this week

posted by Andrew on 3 August 2008, 15:54

Hi there!

Only one week is left before Microsoft releases the Cumulative Security Update for ActiveX killbits. It is scheduled for August 12, 2008 at approximately 10am PST.

For various reasons, we were not included in the previous security updates released in April and June. But now at last we have confirmation from Microsoft that the Image Uploader killbits will be included in the August issue.

Just a reminder that all users who install security updates (i.e. the vast majority of Windows users) will not be able to load the old insecure version of Image Uploader in the browser. Internet Explorer will just block it. That's why we encourage all Image Uploader customers who have not updated Image Uploader yet to update it ASAP. More details can be found in my previous post about killbits.

If it is unclear how to update or you have any other technical questions related to this security issue, do not hesitate to submit your question through the help desk system