Verizon Business is offering a free scanning service to help software developers more quickly determine whether any controls and components they built using Microsoft's Active Template Libraries (ATL) are vulnerable to the issues identified in the emergency security update issued by Microsoft on Tuesday.
The scanning service, along with a self-diagnostic questionnaire, is available online. It is designed to scan compiled code and produce a list of properties where the ATL vulnerabilities might exist, said Russ Cooper, senior security strategist with Verizon Business.
Microsoft's ATL is used by software developers to create items such as ActiveX controls for Windows systems. Microsoft yesterday issued an emergency security bulletin for several remote code execution vulnerabilities in the public versions of the ATL included with Visual Studio. The update was timed to beat a scheduled presentation today at the Black Hat Security Conference, where researchers are planning to release more details about the flaws. At least one attack using an ATL vulnerability has been seen in the wild, according to Microsoft.
Verizon's code-testing service gives developers who have used ATL in their controls a way to determine which part of their code they need to be checking first so they can prioritize any remediation efforts, Cooper said. It is a "really complex situation" trying to find out whether controls and components developed using ATL can be exploited, he said. The conditions under which vulnerable code might be exploited "aren't obvious on the surface," he said. "We can look for snippets of code inside the finished code that help us identify if [the control] has the potential to be exploited."
Though the scan can help developers identify potential issues much faster than a manual scan would, Verizon's code tester does not eliminate the need for a manual code review, Cooper said. Nor does it offer any guarantee against false positives or false negatives.
"If you know how the code is written, it will tell you if the code is affected or not," but a final determination still needs to be based on manual inspection, he said. Verizon plans to compile a white list of controls and components that were scanned and found not to be vulnerable to the ATL flaws. But to get on the white list, developers will need to first attest that they also completed a manual code review and found no vulnerabilities, he said.
The free scan is available only to the owners, licensors or authorized users of the software that needs to be tested. Those wishing to scan their code using the Verizon service will also need to have a Windows Live ID and the software's code signing certificate.