Verizon offers free service to help developers test for Microsoft ATL flaw

Verizon Business is offering a free scanning service to help software developers more quickly determine whether any controls and components they built using Microsoft's Active Template Libraries (ATL) are vulnerable to the issues identified in the emergency security update issued by Microsoft on Tuesday.

The scanning service, along with a self-diagnostic questionnaire, is available online. It is designed to scan compiled code and produce a list of properties where the ATL vulnerabilities might exist, said Russ Cooper, senior security strategist with Verizon Business.

Microsoft's ATL is used by software developers to create items such as ActiveX controls for Windows systems. Microsoft yesterday issued an emergency security bulletin for several remote code execution vulnerabilities in the public versions of the ATL included with Visual Studio. The update was timed to beat a scheduled presentation today at the Black Hat Security Conference, where researchers are planning to release more details about the flaws. At least one attack using an ATL vulnerability has been seen in the wild, according to Microsoft.

Verizon's code-testing service gives developers who have used ATL in their controls a way to determine which part of their code they need to be checking first so they can prioritize any remediation efforts, Cooper said. It is a "really complex situation" trying to find out whether controls and components developed using ATL can be exploited, he said. The conditions under which vulnerable code might be exploited "aren't obvious on the surface," he said. "We can look for snippets of code inside the finished code that help us identify if [the control] has the potential to be exploited."

Though the scan can help developers identify potential issues much faster than a manual scan would, Verizon's code tester does not eliminate the need for a manual code review, Cooper said. Nor does it offer any guarantee against false positives or false negatives.

"If you know how the code is written, it will tell you if the code is affected or not," but a final determination still needs to be based on manual inspection, he said. Verizon plans to compile a white list of controls and components that were scanned and found not to be vulnerable to the ATL flaws. But to get on the white list, developers will need to first attest that they also completed a manual code review and found no vulnerabilities, he said.

The free scan is available only to the owners, licensors or authorized users of the software that needs to be tested. Those wishing to scan their code using the Verizon service will also need to have a Windows Live ID and the software's Code Signing certificate.

Google's 'My Location' Tracks PC's Location on Google Maps

Google is making it easier for you to find out where you are, with the introduction of My Location for the desktop. First introduced in late 2007 as a tool for Google Maps for mobile, My Location made it easier to find your way around town by triangulating your position based on surrounding cell towers. My Location for the desktop uses WiFi access point information instead of cell towers, but just like the mobile version, My Location on the desktop drops a little blue dot onto your approximate location in Google Maps.

As Google pointed out in its blog post, My Location for the desktop can be a great tool when you arrive in an unfamiliar town and want to get an idea of where you are. Just click on the dot in the upper left-hand side of the map between the zoom and pan tools, and, after you authorize Google to continue, your location will appear on the map. Google says it takes your privacy very seriously and will never use your location information without your permission.

Once Google has located you, it's easy to survey your surroundings and get a sense of where you are. If you're in town for a conference, you can see how far you'll have to travel to get to your meetings or where that hot restaurant you read about is. Once you're done exploring the map, just click on the My Location button, and the map centers itself back to your location. Click the button again, and the blue dot disappears.

For My Location to work, you need to have a Web browser that supports the W3C Geolocation API, such as Google Chrome or Firefox 3.5. If you use Internet Explorer or an earlier version of Firefox, you can also download Google Gears to get My Location to work. Google finds your location by getting your Web browser to deliver location information based on the WiFi access points around you. If there aren't enough WiFi points to get a fix on your location, Google can also make an estimate based on your IP address, although these estimations can often be wildly inaccurate.

It's also possible that My Location may not work at all, in which case you can set your default location on Google Maps and then activate the little blue dot. In my tests, My Location worked well; I was sitting in a public cafe with several WiFi access points around me. The only problem was my dot kept moving down the block from my location every few minutes and then came back to the correct spot again (I'll have to ask Google if they sell leashes for My Location dots).

In addition to My Location, Google earlier this year introduced Latitude, a social networking version of My Location that lets friends share their locations with each other and works on both mobile devices and personal computers. If My Location and Latitude aren't enough location fun for you, Google will also let you attach your location to your Gmail signature.

My Location wasn't the only service Google introduced yesterday; the search giant also introduced the ability to search for Creative Commons photos in Google Images.