It may sound too bold, but I think we can say this way now. We get rid of all known vulnerabilities (we have found few new while testing/refactoring IU). The "exterior perimeter" code was seriously analyzed. All suspicious portions of code (primarily legacy one) were totally revised and rewritten using safe programming approach. Wherever we were in time, we fixed "internal" code as well (we still have a lot of work to do, but this is less critically). We run a number of new tests which try to pass "garbage" into params and checked out how Image Uploader deal with them.
As a result we have released version 5.0.40 (and 4.6.30 - for those who did not upgrade yet). We claim these versions to be secure enough, although we realize that bad things happen and we could overlook something. That's why we reserved some time for security guys to try it. If no more problems are found (I hope for this) we will killbit old vulnerable versions.
You may wonder what the heck is killbit. The idea is simple. As you may know, each ActiveX control (including IU) is identified with CLSID. There is a special section in registry where listed CLSIDs of controls which should not be loaded by IE. "To killbit the control" means to put CLSID of this control into this section. More information on this can be found in Microsoft Knowledge Base.
UPD: For those who is looking for more comprehensive information about killbit and how it works, look into Kill-Bit FAQ posted on Microsoft TechNet blogs: part 1, part 2, and part 3. Thanks to Elazar Broad for these links.
Killbit and Image Uploader
Now, let's see how we will handle this. When we get assured that no more security bugs are found, we release the new version of Image Uploader which will have new CLSID. Hopefully it will happen right after weekends. After that we will urge users to killbit old version with all possible means. In particular:
- Killbit will be automatically set when new Image Uploader is installed.
- We will publish a .reg file which will set killbit. Hopefully security advisory websites will not mind to put it in the issue resolution sections for Image Uploader report.
- The strongest thing - Microsoft will (likely) include this killbit in few month since we publish it into their security bulletin. So it will be installed automatically through their update system.
Killbit and Aurigma customers
Let's examine aftermath of the killbit for our customers.
- Every Image Uploader customer should install update with new CLSIDs. Let me repeat - EVERY customer! It is not a matter of desire to make user's life safer. As soon Microsoft deploy killbit, vulnerable version will just stop working (at least for guys who install updates timely).
- As follows from previous point, there is no big sense to install version 5.0.40 or 4.6.30 unless you would like to test it. You will have to update it in several days anyway.
- New version will have new CLSID, so you should take it into consideration when you will install the update. For most customers it will just mean, that they should overwrite not only .cab and .jar files, but also iuembed.js (do not forget to change version number in initialization code!). If someone changed iuembed.js or pasted it into HTML page, do not forget to change the CLSID.
- Private-label customers will have to contact us and get the latest build. Of course at no cost (provided of course latest build of the same major version).
Additional security shield for private-label versions
When we examined how to make ActiveX more secure we found out that Internet Explorer has a mechanism which allows to make ActiveX control to be usable only on certain websites (domains). Of course we cannot utilize it for standard version (since it is used on thousands websites), but we can easily restrict Image Uploader by specific host domain when we prepare a private-label version.
So even if some security flaw is found in future, no one will be able to exploit it with a private-label version. It will be applicable for standard build only. I cannot refer owners of private-label version, however Image Uploader build of some of them is much more wide-spread that standard one, and these companies are much more public than Aurigma. So journalists from IT magazines will have to look for other source for sensation... :-)
That's all for today. Stay tuned!