Fortify Software, the application vulnerability specialist, says a set of ActiveX security bugs reported this week proves the firm's observation that security flaws are likely in almost any piece of application software.
"This latest ActiveX flaw centres on the Snapshot Viewer ActiveX control, which is a feature of most versions of Microsoft Office Access," said Rob Rachwald, Fortify's director of product marketing.
"Microsoft is tackling the problem, which seeks to lure Access users to a modified Web page that then attempts to execute the attack code within Internet Explorer, but I think that Microsoft is doing its best to solve the flaw in a timely and effective manner," he added.
According to Rachwald, it is interesting to note that Adam Shostack, one of Microsoft's IT security gurus, has commented recently on the difficulty of going back and fixing code that was never designed with a software development life-cycle.
"Although Microsoft is doing a really good job of finding and fixing issues since it has placed a new emphasis on security, it's still a difficult task to find all bugs," he explained.
For more on the Access ActiveX security flaw: http://tinyurl.com/6xtynn
For more on Fortify Software: www.fortifysoftware.com
Fixing flaws not as easy as it looks says Fortify Software
