I have and exciting update about the security issue – we have completed all of our audits and feel we have secured Image Uploader.
As I described in my previous posting, today we have released an updated version of Image Uploader ActiveX control, and the version number is 5.1. The main difference with 5.0.40 is that it has different CLSIDs.
This release has taken us a bit longer than we expected as we have run up against a rather interesting problem. Once we complied the CLSID's we need to killbit we started to try to contact Private Label and Source Code customers to provide them updated builds of their code. To our amazement many of them seem to be ignoring us!
We strongly advise you if you are a Private Label or Source Code customer that if you have received emails or phone calls from us that you respond to us as soon as possible. For those of you have thank you for your prompt response. But, we should be clear as some point we will have to as a responsible software developer send all CLSIDs that are risk to Microsoft to killbit.
WHEN THIS HAPPENS ALL AT RISK VERSION OF IMAGE UPLOADER will be DISABLED and will not run on the clients computers.
So lets all be good to ourselves and our client computers... Let's work together and get updated as soon as possible. Please also keep your information in your accounts up to date. If this is mission critical software for your company then we should have very open communication. Don't ever worry about us sending you spam or pressing you to buy something. We need to be able to communicate with you for the security and safety of you as our customer and your clients as your customer.
So now you can upload 4 different versions of Image Uploader:
Image Uploader 5.1.0 (and above) - safe version with new CLSIDs. This is what people will download by default. Update with this build if you have version 5.0.
Image Uploader 4.7.0 - safe version of 4.x family with new CLSIDs. Update with this build if you have version 4.x.
Note, all of them are safe, but it is not good idea to keep builds with old CLSIDs too long. The more and more people will install the killbit, and sooner or later Microsoft will include it into the next security update. After that all users who get Windows updates automatically will have problems loading Image Uploader with old CLSIDs. So if for some reasons you need versions with old CLSIDs, you can use it, but not longer than couple months. You should migrate to new builds ASAP.
Migrating to new safe build
In fact the migration process is very simple, especially if you did not make modifications in iuembed.js. You just update Image Uploader as usual with only one additional action - you overwrite not just .cab and .jar files, but also iuembed.js as well. That's all.
If you modified iuembed.js or embedded it inside your page, it will be slightly more complicated. You will have to find where old CLSID is inserted and replace it by new one. I will post a list of CLSIDs changes in my next post.
Also, you can use activeXClassId property of ImageUploaderWriter control, although I would not recommend this. If you create new page with Image Uploader in future from a scratch, you may forget to insert new CLSID. So the better idea would be to fix iuembed.js.
Well, it sounds we overcome this issue at last. Of course we will not stop keeping an eye on security but we can get back to improving functionality of Image Uploader. We are going to implement new exciting features like video upload and something more. But this is a matter of separate series of blog posts.