Dranzer: Fuzzing for ActiveX vulnerabilities

The United States Computer Emergency Response Team (US-CERT) has released a new ActiveX fuzzer to help developers pinpoint browser-based security vulnerabilities.
The tool, called Dranzer, lets software developers test ActiveX controls for vulnerabilities before the software is released to the public. It is available as an open-source utility.

The United States Computer Emergency Response Team (US-CERT) has released a new ActiveX fuzzer to help developers pinpoint browser-based security vulnerabilities.

The tool, called Dranzer, lets software developers test ActiveX controls for vulnerabilities before the software is released to the public. It is available as an open-source utility.

From the US-CERT announcement:

Attackers frequently take advantage of vulnerabilities in ActiveX controls to compromise systems using Microsoft Internet Explorer. A programming or design flaw in an ActiveX control can allow an attacker to execute arbitrary code by convincing a user to view a specially crafted web page. Since 2000, we have seen a significant increase in vulnerabilities in ActiveX controls.

We have developed Dranzer, a tool that enables users to examine effective techniques for fuzz testing ActiveX controls. By testing a large number of ActiveX controls, we can provide some insight into the current state of ActiveX security. When we discover new vulnerabilities, we practice responsible disclosure principles and perform the necessary remediation steps.

We have released Dranzer as an open source project on SourceForge to help developers of ActiveX test their controls in their development processes and to invite community participation in making Dranzer a more effective tool. Users must agree to the terms of a license before installing the tool.

The group behind Dranzer has also released a technical document (.PDF) that outlines the history, motivations, and rationale for an open-source fuzz testing tool.

Suggested articles