
Vulnerability Detection in ActiveX Controls through Automated Fuzz Testing

January 2008 White Paper
Will Dormann, Daniel Plakosh

In this 2008 paper, the authors explore the results of testing a large number of ActiveX controls, which provides insight into the current state of ActiveX security.

Publisher: Software Engineering Institute

Abstract

Vulnerabilities in ActiveX controls are frequently used by attackers to compromise systems using the Microsoft Internet Explorer web browser. A programming or design flaw in an ActiveX control can allow arbitrary code execution as the result of viewing a specially-crafted web page. In this paper, we examine effective techniques for fuzz testing ActiveX controls, using the Dranzer tool developed at CERT. By testing a large number of ActiveX controls, we are able to provide some insight into the current state of ActiveX security.