MS-ISAC ADVISORY NUMBER:
2008-025 Updated

DATE(S) ISSUED:
7/8/2008
8/12/2008 - Updated

SUBJECT:
Vulnerability in Snapshot Viewer for Microsoft Access May Allow Remote Compromise

ORIGINAL OVERVIEW:
A new vulnerability has been discovered in the Microsoft Access Snapshot Viewer ActiveX Control. The Snapshot Viewer enables you to view a report generated with a database product, Microsoft Access, without requiring the product to be installed on the user's computer.

Microsoft Access Snapshot Viewer is included with most installations of Microsoft Office. ActiveX controls are small programs or animations that are downloaded or embedded in Web pages which will typically enhance functionality and user experience.

The vulnerability can be exploited through a specially crafted web page that uses the vulnerable ActiveX control. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data; or create new accounts with full privileges.

This vulnerability is reportedly being actively exploited on the Internet.

UPDATED OVERVIEW:

Microsoft has released patches that address the vulnerability in Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

Please Note, there is still NO patch available for Snapshot Viewer for Microsoft Access, which is a stand-alone application for users without the standard version of Microsoft Access.

SYSTEMS AFFECTED:

  • Snapshot Viewer for Microsoft Access
  • Microsoft Office Access 2000
  • Microsoft Office Access 2002
  • Microsoft Office Access 2003

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
A new vulnerability has been identified in the Microsoft Access Snapshot Viewer ActiveX Control which could facilitate remote compromise. Microsoft has confirmed reports of active exploitation of this vulnerability.

The vulnerability is contained in the Microsoft Access Snapshot Viewer ActiveX control that can be triggered from a malicious web page and used to place files in arbitrary locations on a victim's computer. An attacker can specify an arbitrary file location as the 'SnapshotPath' property of the ActiveX Control. The specified file will be saved to a location of the attacker's choosing and is determined by the 'CompressedPath' property also passed to the Control. Both of these values can be controlled from a web page.

Reports indicate that remote compromise is possible if the Snapshot Viewer ActiveX Control for Microsoft Access 2000, Microsoft Access 2002, and Microsoft Access 2003 is installed. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data; or create new accounts with full privileges.

It is advised to set the kill bit on the vulnerable ActiveX controls.

It should be noted that there is currently no patch for this vulnerability. Symantec Deepsight has reported that malicious content which exploits this vulnerability is hosted by servers at the following IP addresses:

  • 83.149.98.139

UPDATED DESCRIPTION:

Microsoft has released Security Bulletin MS08-041, which includes additional information about the vulnerability, and patches for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

Please Note, there is still NO patch available for Snapshot Viewer for Microsoft Access, which is a stand-alone application for users without the standard version of Microsoft Access.

ORIGINAL RECOMMENDATIONS:
Until a patch is issued, we recommend considering the following actions:

  • Set the kill bit on the Class Identifier (CLSID) {F0E42D50-368C-11D0-AD81-00A0C90DC8D9}, {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} and {F2175210-368C-11D0-AD81-00A0C90DC8D9} ; further instructions on how to set the kill bit can be found at the following location ( http://support.microsoft.com/kb/240797(New Window) )
  • Ensure that all Microsoft Internet Explorer clients are configured to prompt before executing Active Scripting. If Active Scripting is not required it should be disabled completely.
  • Ensure that all Microsoft Outlook and Outlook Express clients are configured to either display all incoming email in plain text format, or that HTML email messages are opened in the Restricted Sites security zone.
  • Blocking access to the IP addresses listed above unless there is a business need to do otherwise. Be advised that this is a temporary fix as the IP address may change.
  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX controls in the Internet Zone.
  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing.

UPDATED RECOMMENDATIONS:

  • Apply the appropriate patches provided by Microsoft to Office Access 2000, Office Access 2002, and Office Access 2003 immediately after appropriate testing. Continue to consider the original recommendations for Snapshot Viewer for Microsoft Access.

ORIGINAL REFERENCES:

Advisory Reference:
http://support.microsoft.com/kb/240797(New Window)
http://www.microsoft.com/technet/security/advisory/955179.mspx(New Window)
http://blogs.technet.com/msrc/archive/2008/07/07/snapshot-viewer-activex-control-vulnerability.aspx(New Window)

UPDATED REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-041.mspx(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.