Microsoft Offers Bug Workaround for ActiveX Exploit

July 9, 2008 – 8:02 am by MintyIT News Bot

The ActiveX control for Snapshot Viewer is under attack and Microsoft has issued a rare workaround until the Microsoft Access tool can be patched. Attackers exploiting the ActiveX vulnerability could gain the same rights as a legitimate user. Microsoft says the safest workaround is to modify Active Scripting in Internet Explorer.

Microsoft on Monday issued a security advisory to warn users about attacks targeting a vulnerability in the ActiveX control for the Snapshot Viewer in the Microsoft Access database management system.

Microsoft said it is investigating active, targeted attacks. “When a user views the Web page, the vulnerability could allow remote code execution,” Microsoft said in its security advisory. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.”

The ActiveX control for the Snapshot Viewer enables users to view a Microsoft Access report snapshot without having the standard or run-time versions of Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

How it Works

In a Web-based scenario, an attacker could host a Web site with a page used to exploit this vulnerability. Compromised Web sites and sites that accept user-provided content could also contain specially crafted code to exploit the vulnerability. An attacker would have to convince users to visit the corrupted Web site, typically by getting them to click a link in an e-mail or an instant message, Microsoft said.

A successful attacker could gain the same user rights as the real user. Users whose accounts have fewer rights could be less impacted than users who have administrative rights, according to Microsoft.

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to high and is a mitigating factor for Web sites not added to the trusted-sites zone, Microsoft said.

An Out-Of-Cycle Workaround

Microsoft isn’t in the habit of issuing out-of-cycle workarounds. But Carole Theriault, a security analyst at Sophos, is glad to see Redmond trying to help users with workarounds until the security team can issue a patch.

“This is particularly important when the vulnerability is targeted by malware or hackers. That said, some of the workarounds are not for the faint-hearted, and I hope anyone who proceeds with them knows what they are doing — otherwise, they can screw up the usability of their system,” Theriault said.

The safest workaround is “Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local Intranet security zone,” she said. The downside: Users will get a lot of warnings when they surf, making it a less than ideal solution.

Who Uses Snapshot Viewer?

Some observers may wonder what about this bug makes an out-of-cycle workaround so urgent. Snapshot Viewer isn’t a program most people use as a mission-critical tool. Is this really that big of a threat?

Whether people use this viewer or not, it’s important, Theriault said. The problem begins when it’s installed. The ActiveX control is shipped with all supported versions of Microsoft Office Access, except Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer. That means thousands of systems have it.

Theriault hopes for a security patch soon. Installing third-party patches, she said, is risky. Microsoft makes sure its patches don’t interfere with other applications, she explained, but a third party might not take the time or have the resources to do so.

Theriault offers another potential solution: “A common problem on computers is that people install stuff they don’t use. If you don’t use this application, never have, and are unlikely to in the future, then why not get rid of it?” she asked. “You will get rid of this problem, and you will get more space on your computer — two birds with one stone.”
