CERT releases Dranzer, a new tool to reduce ActiveX vulnerabilities

The CERT Coordination Center (CERT/CC announced the release of Dranzer, an open source tool that software developers can use to test code for certain kinds of ActiveX vulnerabilities before software products are released to the public.

Dranzer offers developers the ability to conduct simple, fast testing of ActiveX controls during the quality assurance phase. This testing allows the developers to identify and reduce vulnerabilities, such as buffer overflows.

The CERT/CC first began development of Dranzer in 2005. With the market proliferation of ActiveX- a technology that allows online services to enhance the web browsing experience for end users – the CERT/CC started using Dranzer to identify key ActiveX vulnerabilities.

Overall, the CERT/CC tested more than 22,000 ActiveX controls produced by more than 5,000 organizations. More than 3,000 of those controls contained defects, and more than 700 of those defects appeared to be exploitable vulnerabilities.

The CERT/CC then worked with software vendors around the globe to pilot Dranzer as part of their software development and quality assurance phases. Based on feedback from these organizations, they were able to use Dranzer to resolve many vulnerabilities before the ActiveX controls were publicly released.

Now, the CERT/CC has decided to make the tool publicly available so that more organizations that develop software with ActiveX technology can use the tool early in the development phase.