Another security problem - oh, not again

posted by Andrew on 31 January 2008, 13:51

In short 

I have two pieces of news: a bad one and a good one.

  1. The bad news: one more security issue in Image Uploader has been reported to us.
  2. The good news: the problem occurs in version 4.5.70 only. All later builds (including version 5) are not affected.

Now let's look at this in a bit more detail.

Details 

Yesterday I got a message from Elazar Broad, the researcher who reported the previous security issue in November. This time he reported that he had tested build 4.5.70 and found a heap overflow in the Action parameter (in the comments below he corrects this: the bug is a stack-based overflow). He wrote an exploit that launches the calculator app when a page hosting Image Uploader is opened. This is a really serious problem: an attacker who crafts such an exploit can run anything far more dangerous than calc.

I brought it to the attention of the Image Uploader development team immediately. A few hours later we got a call from Computer World asking for our comments, and they subsequently published an article about it.

Meanwhile, our investigation showed that the problem does not affect the latest version. Looking more closely, we found that it had already been fixed in the build immediately following the now-famous 4.5.70. After that hotfix release we audited and refactored a lot of potentially buggy code, and in doing so fixed this serious flaw without realizing it.

Conclusions 

So everyone who has upgraded Image Uploader to 5.0, or at least to a build higher than 4.5.70, need not worry. The latest builds of Image Uploader (both 4.x and 5.x) are not vulnerable to the problem reported by Elazar. Version 3.5 is not vulnerable either. Note that the comment thread below narrows this claim: 4.5.50 is also vulnerable, and a few other parameters in newer builds (the CERT notice lists 5.0.30 as affected) turned out to have the same problem and were awaiting an official fix at the time of the comments.

If you are on 4.5.70 (or for some reason overlooked the previous security update and never got it), you should either update to the most recent build of the 4.x family or upgrade to version 5.0. Here are the links:

  • Image Uploader 4.6 SDK - after installing the SDK you will find the updated .cab file in the C:\Program Files\Aurigma\Image Uploader 4.6 Dual\ folder (or wherever you installed it).
  • Upgrade FAQ with information about the upgrade policy and links to the appropriate online store items.

If you are not sure which version you have, do not hesitate to contact us.

What Next? 

We take all security issues very seriously. This is only the second security flaw in the five-year history of Image Uploader. Over these five years hundreds of millions of people have uploaded files through it, so we have to take care of it.

Both of these security holes are a reason for us to go through all our code more thoroughly. We did some refactoring after discovering the first security bug, but at that time we were on a tight schedule, trying to release 5.0 within 2007, so we stopped once we had made the most obvious improvements.

Now we have no hard deadlines, so we are going to do a detailed code review with a thoroughly paranoid mindset. As a result we will have versions (both 4 and 5) that are more secure and reliable than ever.

So keep an eye on this, and do not forget to update Image Uploader promptly!

Comments

Elazar United States 2/2/2008 11:36:17 AM

Hey Andrew,
Just a quick correction: both ImageUploader 4.5.50 and 4.5.70 are vulnerable, along with the MySpaceUploader control. Additionally, the issue is stack-based, not heap-based as I originally thought. The vulnerability in the FaceBook control is heap-based; it is possible to overwrite one of the addresses passed to RtlFreeHeap().

Elazar

Andrew 2/3/2008 11:12:35 PM

Yes, you are right about older versions. I just meant that newer versions do not have problems with the Action param. A few other params have this problem, though. We have already fixed it, but we would like to clean it up completely before releasing an official fix.

Eric United States 2/6/2008 1:21:44 PM

The CERT vulnerability notice lists version 5.0.30 as being affected. Any word on when a patch will be available?

Andrew 2/6/2008 6:06:55 PM

Hi Eric,

Yes, a few other params turned out to be vulnerable. We have already fixed it, but we decided to hold off on the update to make sure that no other issues are left. We plan to finish the code review and tests next week.

Pedersen Denmark 2/7/2008 1:22:34 AM

Does the Classid (e.g. {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}) change when the version changes?

Andrew 2/8/2008 9:52:25 PM

Yes, we will change all CLSIDs because the current CLSIDs will be blocked with a killbit.

Btw, I think it makes sense to say a bit about our immediate plans.

Right now we are preparing an update. We have already made all the modifications that should greatly improve security and are now testing it. I think we will release it right after the weekend (if no issues occur during unit testing tomorrow). This one will have the old CLSIDs. Although we are pretty sure that no more security issues will be found there, we will wait a bit before changing CLSIDs. If some bugs are found there, this will reduce the headache with killbits.

If no more issues are discovered, a week after that we will release one more version with new CLSIDs. There will be updates for both version 4 and 5. To get rid of the vulnerable versions we will use a killbit. We are in contact with the guys from MS, and hopefully they will include it in one of the security updates for Windows.

Of course we will not stop after that update. We are going to look through all 100K+ lines of code, revise it, and rewrite questionable and potentially insecure code using secure programming patterns, so there will be one more update a few months after that. I do not know whether we will change CLSIDs there; it will depend on the results.

Anyway, stay tuned. I will post information about this here.

Elazar United States 2/12/2008 2:47:16 AM

Hey Andrew,
If you plan on changing classids, there is a way to redirect users to the new classid using the "Phoenix bit" while they can still reference the old one. See:

blogs.technet.com/.../...AQ_3A00_-Part-1-of-3.aspx
blogs.technet.com/.../...AQ_3A00_-Post-2-of-3.aspx
blogs.technet.com/.../...AQ_3A00_-Part-3-of-3.aspx

Elazar

Andrew 2/13/2008 4:48:34 PM

Elazar,

Thanks for your input and for the links to the Kill-Bit FAQ! It is really interesting and useful.

We will definitely use AlternateCLSID, although it is not so critical for us. Image Uploader is rarely used via the <object> tag syntax directly. Since there is a Java applet sibling with the same API, we have a special JavaScript wrapper that automatically generates the instantiation code depending on the client browser. A side effect of this approach is that customers do not have to specify the CLSID explicitly - it is specified in this JavaScript.

So we will just recommend that people update this JavaScript along with the .cab file. Most customers will update the CLSID in their HTML this way.

But anyway, the Phoenix bit (what an ingenious term! :) ) will be useful for those who ignore our recommendation or have made too many modifications to the wrapper script to overwrite it...
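The kill bit and the AlternateCLSID ("Phoenix bit") redirect discussed in the two comments above, as an added example that is not part of the original post and not Aurigma's or Microsoft's code: a PowerShell script that reports whether a CLSID is kill-bitted in each registry view and, for an administrator who wants to block the old control on a machine before the Windows update arrives, sets the kill bit with a redirect to the fixed control. The registry layout is the documented one from Microsoft's Kill-Bit FAQ and KB 240797. The old CLSID is the one Pedersen quoted; the new CLSID is a placeholder standing in for whatever the fixed build ships with, not a real Aurigma identifier.

```powershell
# Added example (not Aurigma's code, not from the original post).
# Inspect and set the Internet Explorer ActiveX kill bit for a CLSID,
# optionally with an AlternateCLSID ("Phoenix bit") redirect so pages that
# still reference the old CLSID get the replacement control instead.
#
# Registry layout (documented in Microsoft's Kill-Bit FAQ / KB 240797):
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#     Compatibility Flags  REG_DWORD  bit 0x400 set = kill bit
#     AlternateCLSID       REG_SZ     {CLSID} that IE instantiates instead
# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both are handled.

$KillBitFlag = 0x400

$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    # One record per registry view: whether the CLSID has an entry, whether
    # the kill bit is set, and any AlternateCLSID redirect. Read-only.
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }      # view absent on 32-bit Windows
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ View = $root; Present = $false; Killed = $false; AlternateCLSID = $null }
            continue
        }
        $props = Get-ItemProperty -Path $key
        $flags = [int]($props.'Compatibility Flags')    # missing value -> 0
        [pscustomobject]@{
            View           = $root
            Present        = $true
            Killed         = (($flags -band $KillBitFlag) -ne 0)
            AlternateCLSID = $props.AlternateCLSID
        }
    }
}

function Set-KillBit {
    # Sets the kill bit (OR-ed into existing flags so other compatibility
    # bits survive) and optionally the AlternateCLSID redirect.
    # Writes under HKLM, so this needs an elevated shell.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$AlternateClsid
    )

    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = [int]((Get-ItemProperty -Path $key).'Compatibility Flags')
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KillBitFlag) -Type DWord
        if ($AlternateClsid) {
            Set-ItemProperty -Path $key -Name 'AlternateCLSID' -Value $AlternateClsid -Type String
        }
    }
}

# Usage. $OldClsid is the CLSID quoted in the comments above; $NewClsid is a
# placeholder, not a real Aurigma CLSID.
$OldClsid = '{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}'
$NewClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder

Get-KillBitState -Clsid $OldClsid | Format-Table -AutoSize
# Set-KillBit -Clsid $OldClsid -AlternateClsid $NewClsid   # uncomment to apply (elevated)
Get-KillBitState -Clsid $OldClsid | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The redirect only helps if the control registered under the new CLSID is actually installed on the client; otherwise IE instantiates nothing for the old tag, which is the safe failure. And the kill bit stops IE (and other hosts that honour the ActiveX Compatibility flags) from instantiating the old control; it does not patch the control's code, so the updated .cab and wrapper script still have to be deployed, and shipping the kill bit through a Windows security update, as the plan above describes, is what reaches clients that never revisit the site.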

Amia Miley United Kingdom 2/21/2010 12:33:00 AM

This post is pretty old, so I guess all the issues have been fixed by now?

