Verizon Business is providing this scanning service, established in collaboration with ICASI (the Industry Consortium for Advancement of Security on the Internet), for software developers who have built ActiveX controls using the Microsoft® Active Template Libraries (ATL). Developers should first review the Microsoft® Security Bulletin and apply relevant updates. This service can only be performed on software submitted by or with the authorization of its owner or licensor. Software developers should also manually review the source code for their software since the service may not identify all software that is vulnerable and may identify software as vulnerable when it is not.
Verizon Business is offering this service at no charge. It provides an indication as to which controls need attention first. Only controls with a valid Code Signing certificate will be tested, and results will be returned only to email addresses which can be identified as being associated with the company name on the Code Signing certificate.
Consider the following before uploading your control:
- Verizon’s testing is intended to provide you with a way to focus your initial attention. ATL has been used in many pieces of code, but the focus here is first on:
  - Code which can be hosted in Internet Explorer (ActiveX Controls)
  - Code which is declared Safe for Initialization
  - Code which is signed with a Code Signing certificate
- Verizon’s tests attempt to determine whether the vulnerable function (CComVariant::ReadFromStream) is in the code. This can only be done if ATL was statically linked. Dynamically linked ATL may not have the same signature in the compiled code. If you dynamically link ATL, carefully perform manual code inspection regardless of our test results.
- Verizon’s tests attempt to enumerate all properties via the control's property map. It may miss some. Verizon’s test report will specify which were found, and which of those are vulnerable. You should manually compare this property list with your source code, and inspect any not tested first.
- Verizon’s tests cannot validate whether the streams you consume are under your strict control or not. As such, Verizon may indicate a property as vulnerable, when in fact it does not have a realistic attack vector. Consider this fact when determining your risk.
- Verizon’s tests may produce false positives or false negatives; manual inspection of your source code is the only definitive way of identifying vulnerabilities.
If you are authorized by the owner or licensor of a signed control that you wish Verizon to test, proceed by signing in with your Windows Live ID. Verizon does not have access to any information associated with your Live ID, but is using it to provide a unique identifier to associate you with your code. You will need to supply an email address in order for Verizon to return test results to you.