Friday, April 17, 2009

CERT Releases Free Tool To Reduce ActiveX Vulnerabilities

http://www.sei.cmu.edu/about/press/releases/dranzer.html

The CERT Coordination Center® (CERT/CC) at the Carnegie Mellon Software Engineering Institute (SEI) today announced the release of Dranzer, an open source tool that software developers can use to test code for certain kinds of ActiveX vulnerabilities before software products are released to the public.

Dranzer offers developers the ability to conduct simple, fast testing of ActiveX controls during the quality assurance phase. This testing allows the developers to identify and reduce vulnerabilities, such as buffer overflows.

The CERT/CC first began development of Dranzer in 2005. With the market proliferation of ActiveX (a technology that allows online services to enhance the web browsing experience for end users), the CERT/CC started using Dranzer to identify key ActiveX vulnerabilities.

"We used it internally first as part of our development and testing phase by testing publicly available ActiveX controls and working with the vendors whose ActiveX controls were identified as having vulnerabilities," said Will Dormann, senior member of the technical staff with CERT/CC.

Overall, the CERT/CC tested more than 22,000 ActiveX controls produced by more than 5,000 organizations. More than 3,000 of those controls contained defects, and more than 700 of those defects appeared to be exploitable vulnerabilities.

The CERT/CC then worked with software vendors around the globe to pilot Dranzer as part of their software development and quality assurance phases. These organizations reported that they were able to use Dranzer to resolve many vulnerabilities before the ActiveX controls were publicly released.

Now, the CERT/CC has decided to make the tool publicly available so that more organizations that develop software with ActiveX technology can use the tool early in the development phase.

"By releasing the tool to the broader community, we are arming software developers and vendors with a tool [Dranzer] that will assist in reducing vulnerability remediation costs, reducing risks to customers, minimizing negative press, and increasing consumer trust in a company’s product," Jeffrey Carpenter, technical manager of the CERT/CC said. "At the end of the day, we want to prevent vulnerabilities from making it into software before it is released. Fixing vulnerabilities after the release is expensive for both vendors and technology users."

The tool is available via SourceForge at http://dranzer.sourceforge.net. Additional information about Dranzer is available at http://www.cert.org/vuls/discovery/dranzer.html.
