Dranzer helps test code for ActiveX vulnerabilities

Dranzer is an open source tool that developers can use to test code for certain kinds of ActiveX vulnerabilities before releasing software to the public.

We've covered more than a few news stories here at InfoWorld about vulnerabilities introduced to Windows computers by specific ActiveX controls produced by a variety of vendors. As it happens, one of the things I do as a consultant is to write ActiveX controls in C++ using the ATL libraries, and I know firsthand that testing them thoroughly and building them without potential vulnerabilities can be challenging.

Today the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute announced the release of Dranzer, an open source tool that developers can use to test code for certain kinds of ActiveX vulnerabilities before releasing software to the public. The CERT/CC has been working on Dranzer since 2005 and used it to test more than 22,000 ActiveX controls produced by more than 5,000 organizations. More than 3,000 of those controls contained defects, and more than 700 of those defects appeared to be exploitable vulnerabilities.


CERT/CC then worked with software vendors around the globe to pilot Dranzer as part of their software development and quality assurance phases. Feedback from these organizations indicated that they were able to use Dranzer to resolve many vulnerabilities before the ActiveX controls were publicly released.

Now, the CERT/CC has made the tool publicly available so that more organizations that develop software with ActiveX technology can use the tool early in the development phase.

Dranzer is available via SourceForge, and additional information is available at the CERT site. If you build ActiveX controls, I'd urge you to download Dranzer and make it part of your process.

Copyright © 2009 IDG Communications, Inc.