Initial release: July 16, 2008
The second Tuesday of each month is well known as Microsoft Patch Tuesday since that is the day Microsoft releases monthly bulletins and associated patches. Microsoft also releases security advisories without patches, as the need arises. Microsoft has already released four advisories in the month of July. Since these advisories receive less publicity than the monthly bulletins, we would like to call these to your attention.
Of particular note is the advisory released July 7, 2008, for a vulnerability in the ActiveX control that ships with the Snapshot Viewer for Microsoft Access.
A user who is tricked into visiting a website that instantiates the vulnerable control with attacker-supplied parameters can allow the attacker to run code with the same rights as the currently logged-in user.
Affected software:
* Snapshot Viewer for Microsoft Access
* Microsoft Office Access 2000
* Microsoft Office Access 2002
* Microsoft Office Access 2003
Note that the Snapshot Viewer can be installed on a machine that does not have a vulnerable version of Microsoft Office, so the absence of Access does not by itself mean a machine is unaffected.
The Information Technology Security Office has been receiving reports through security partnerships that websites are beginning to exploit this vulnerability.
Until Microsoft releases a patch, users should prevent these unsafe controls from running in Internet Explorer. This is done by setting the killbit for each vulnerable control (one per CLSID). All three killbits are listed in the "Workarounds" section of the advisory under the heading "Prevent COM objects from running in Internet Explorer."
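The following PowerShell script is an added example, not part of the original advisory or of Microsoft's workaround text. It sets the killbit for a list of CLSIDs, ORs the bit into any existing flags rather than overwriting them, covers the Wow6432Node hive on 64-bit Windows, and reads the value back to verify. The CLSID shown is a placeholder; replace it with the three CLSIDs listed in the advisory's Workarounds section. It must be run from an elevated (Administrator) prompt because it writes under HKLM.

```powershell
# Added example: set and verify the Internet Explorer killbit for a list of ActiveX CLSIDs.
# The CLSID below is a placeholder; substitute the three CLSIDs from the advisory.
$ClsIds = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control
)

# Bit 0x400 in "Compatibility Flags" tells Internet Explorer never to load the control.
$KillBit = 0x400

# 32-bit IE on a 64-bit OS reads the Wow6432Node copy of the key, so set both where present.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Test-ControlRegistered([string]$ClsId) {
    # Reports whether the control is registered on this machine at all;
    # the killbit is still worth setting even if it is not, in case it is installed later.
    Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$ClsId"
}

function Set-KillBit([string]$Root, [string]$ClsId) {
    $key = Join-Path $Root $ClsId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so that other compatibility flags already set on the control survive.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit([string]$Root, [string]$ClsId) {
    # Read the value back and confirm the bit is present.
    $key = Join-Path $Root $ClsId
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    (([int]$flags) -band $KillBit) -eq $KillBit
}

foreach ($clsid in $ClsIds) {
    $registered = Test-ControlRegistered $clsid
    foreach ($root in $Roots) {
        Set-KillBit $root $clsid
        $ok = Test-KillBit $root $clsid
        '{0}  registered={1}  killbit set={2}  ({3})' -f $clsid, $registered, $ok, $root
    }
}
```

The killbit is a per-machine setting, so on managed networks it is normally pushed with a .reg file or Group Policy rather than run by hand; the script above is for a single machine or for verifying that such a deployment actually took effect. Because the bit is ORed in, running it twice is harmless.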
After setting these killbits, users who view report snapshots through Internet Explorer will need to install Microsoft Office Access 2007, available to the University on IUware online or at the bookstore, to continue viewing these files with the ActiveX control.
Also note that successful exploitation of this vulnerability gives the attacker only the same rights as the logged-on user. Users who browse the web and read e-mail as restricted users limit the damage that can be done through successful exploitation.
Users can also disable Active Scripting, which prevents web pages from scripting these controls. While this will protect the user, it is likely to cause many websites to load or function incorrectly.
Another possibility is setting the Internet zone security level to High and setting ActiveX controls and Active Scripting to prompt before running. This at least warns the user that a control or script is about to run on the system. Unfortunately, the user may not realize that the script is malicious and allow it to run anyway.
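The following PowerShell script is an added example, not part of the original advisory. It reports how the current user's Internet zone treats ActiveX controls and Active Scripting and flags any setting that is still set to Enable rather than Prompt or Disable, which is the check a support technician would run before deciding whether a machine needs the zone settings adjusted. The zone values 1200 (run ActiveX controls and plug-ins) and 1400 (Active scripting) and the data meanings 0/1/3 are the standard Internet Explorer zone registry values; the report format and function names are this example's own.

```powershell
# Added example: audit the current user's Internet zone (zone 3) for the two settings
# discussed above and flag anything still set to Enable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Zone action values and what their DWORD data means.
$Actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneReport {
    $zone = Get-ItemProperty -Path $ZonePath
    foreach ($value in ($Actions.Keys | Sort-Object)) {
        $data = [int]$zone.$value
        $state = $Meaning[$data]
        if (-not $state) { $state = 'Unknown (' + $data + ')' }
        # New-Object PSObject rather than [PSCustomObject] so this runs on older PowerShell.
        New-Object PSObject -Property @{
            Value   = $value
            Setting = $Actions[$value]
            State   = $state
            # Enable (0) is the state the advisory's workaround tells users to move away from.
            Flagged = ($data -eq 0)
        }
    }
}

$report = Get-InternetZoneReport
$report | Format-Table Value, Setting, State, Flagged -AutoSize

$flagged = @($report | Where-Object { $_.Flagged })
if ($flagged.Count -gt 0) {
    'Internet zone still allows {0} setting(s) to run without prompting.' -f $flagged.Count
} else {
    'Internet zone prompts for or blocks ActiveX controls and Active Scripting.'
}
```

This reads only the per-user zone settings. If Internet Explorer security zones are managed by Group Policy, the effective settings may come from the policy keys instead, so on a domain-joined machine treat a clean report here as a hint rather than proof and confirm in Internet Options or with the resultant policy tools.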
Windows system administrators should watch for Microsoft Security Advisories. This could be via the RSS feed, or by signing up for e-mail alerts when a new advisory is published.
For more on the topic of using the computer as a restricted user, see: Running with Scissors.