Security bulletin #2 - new Image Uploader security update

As you may have noticed, we released Image Uploader 6.1 this weekend. The main reason for the release is to fix a security vulnerability reported to us by Microsoft.

The Microsoft Security Response Center contacted us about a week ago and told us they had discovered a vulnerability in ATL (the Active Template Library, a Microsoft library that ships with Visual Studio and is intended to simplify ActiveX development). This vulnerability affects ActiveX controls built with the affected versions of ATL, and Image Uploader is one of them. Microsoft's description of the vulnerability is here:

http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

Version 6.1 eliminates this vulnerability. Although Microsoft has also released a security update for Internet Explorer that patches this hole on the browser side, we strongly recommend updating Image Uploader to the most recent build (6.1.1 or higher). Later this week we will also release updates for versions 4.7 and 5.7, so if you are not on version 6 yet, you will still be able to move to a fixed build.

Now, here is a short FAQ:

Q: Is this vulnerability dangerous? How can an attacker use it?

This vulnerability allows an attacker to instantiate an arbitrary ActiveX control by passing its CLSID to Image Uploader, including controls that Internet Explorer would otherwise refuse to load. So to exploit it, a number of requirements have to be met:

  1. An ActiveX control useful to the attacker must already be installed on the client computer, whether a malicious one dropped by a trojan or spyware, or a legitimate but unsafe control that the browser would normally refuse to load.
  2. The attacker must create a malicious HTML page and either inject it through a cross-site scripting hole or host it on a phishing website.
  3. A user who has both that control and an unpatched Image Uploader installed must open that HTML page.

So the attack takes some setup, but it is still realistic.

Q: Microsoft has released an Internet Explorer update that fixes this problem. Why should I update Image Uploader?

It is true that once a user installs IE update 972260 (MS09-034), this attack no longer works even against Image Uploader 6.0. But you cannot guarantee that all of your users will install that update. Updating Image Uploader closes the hole on your side regardless of the state of the client's browser, and so reduces your users' exposure.

Q: Did you killbit the old Image Uploader?

No. This time we decided to make life easier for both you and us and released the fixed versions under the old CLSIDs, so existing pages keep working once the fixed build is deployed. Let me explain why.

The main distribution channel for killbits is Microsoft Update. We would pass the list of "unsafe" CLSIDs to Microsoft, and they would include it in an IE security update, as they did a year ago. But users who install IE updates regularly will receive update 972260, which eliminates this vulnerability by itself; for them a killbit would add nothing.

On the other hand, users who ignore security updates would not receive the killbit update either, so it would not help them at all.
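If you want to verify on a client machine whether a given control has actually been killbitted (for example, to confirm that the old Image Uploader CLSIDs have not been disabled by some other update), the check below does that. It is an added example, not code from the original bulletin or from Image Uploader itself. It relies on Microsoft's documented kill bit mechanism: the 0x400 flag in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and under the Wow6432Node hive for a 32-bit browser on 64-bit Windows). The bulletin does not list Image Uploader's CLSIDs, so the script takes the CLSID as a parameter; the all-zeros CLSID shown in the usage note is a placeholder, not a real control.

```powershell
# Added example (not part of the original bulletin or of Image Uploader):
# report whether Internet Explorer has the kill bit set for a given ActiveX CLSID.
# IE stores the kill bit as flag 0x400 in the "Compatibility Flags" value under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows the 32-bit browser reads the Wow6432Node hive instead, so both are checked.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
    [string]$Clsid   # the control's CLSID, braces included; supplied by the caller, not taken from this bulletin
)

$KillBit = 0x400

$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($hive in $hives) {
    # The Wow6432Node hive does not exist on 32-bit Windows; skip it rather than report a false "not set".
    if (-not (Test-Path $hive)) { continue }

    $key = Join-Path $hive $Clsid
    if (-not (Test-Path $key)) {
        "{0}: no entry -> kill bit NOT set" -f $key
        continue
    }

    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    if ($null -eq $flags) {
        "{0}: entry present but no Compatibility Flags value -> kill bit NOT set" -f $key
    }
    elseif (($flags -band $KillBit) -ne 0) {
        "{0}: Compatibility Flags = 0x{1:X} -> kill bit SET" -f $key, $flags
    }
    else {
        "{0}: Compatibility Flags = 0x{1:X} -> kill bit NOT set" -f $key, $flags
    }
}
```

Save it as, say, Test-KillBit.ps1 and run it from an elevated PowerShell prompt as .\Test-KillBit.ps1 -Clsid '{00000000-0000-0000-0000-000000000000}', substituting the real CLSID of the control you care about. A "kill bit SET" line for a CLSID your pages still embed means the browser will refuse to load that control no matter which build is installed, so the fix for those users is to redeploy the control, not just to update the build.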

Q: I am afraid this Image Uploader update will break something on my website. What do you think?

Version 6.1.1 has very few changes compared with the previous build, 6.0.16, so if you are already on the latest 6.0 build you can update without worry. If you do run into any problems, feel free to contact our support team; we will be happy to help.

Q: Does the update cost me anything?

No, it is free. You get a free update within the major version you own: version 4.x gets 4.8, version 5.x gets 5.8, and version 6.0 gets 6.1.

But if you have, say, version 4.7 and want version 6.1 instead of 4.8, that is a regular upgrade. Feel free to contact our sales team for more information.

Q: Is the Java version vulnerable as well?

No. This problem affects the ActiveX version only, since the vulnerability is in Microsoft's ATL, which is used only by the ActiveX control.