Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code ExecutionPublished: July 7, 2008
Microsoft is investigating active, targeted attacks leveraging a potential vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.
The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.
Mitigating Factors
• | In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger message that takes users to the attacker's Web site.
|
• | An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
|
• | By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
|
General Information
| Overview |
Purpose of Advisory: Notification of active, targeted attacks affecting the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.
Advisory Status: Advisory published
Recommendation: Review the suggested actions and configure as appropriate.
ReferencesIdentification
CERT Reference
VU#837785
CVE Reference
CVE-2008-2463
This advisory discusses the following software.
Related SoftwareSnapshot Viewer for Microsoft Access
Microsoft Office Access 2000
Microsoft Office Access 2002
Microsoft Office Access 2003
Top of section
| Frequently Asked Questions |
What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the ActiveX control for the Snapshot Viewer for Microsoft Access. This affects the software that is listed in the “Overview” section.
Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft will take appropriate action to protect our customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
What causes this threat?
This threat is caused by a vulnerability in the ActiveX control for Snapshot Viewer. A specially crafted Web site that is especially designed to exploit the ActiveX control through Internet Explorer could allow remote code execution. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
What is the Snapshot Viewer for Microsoft Access?
The Snapshot Viewer enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access.
What is a kill bit?
A security feature in Microsoft Internet Explorer makes it possible to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML-rendering engine. This is done by making a registry setting and is referred to as setting the kill bit. After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless.
For more information on a kill bit, see
Microsoft Knowledge Base Article 240797: How to stop an ActiveX control from running in Internet Explorer.
If I don’t have the control installed should I set the killbit?
Yes. Setting the kill bit will block the vulnerable control from running in Internet Explorer.
How do I know if the control is installed?
One or more of the following registry keys will be set:
HKEY_CLASSES_ROOT\CLSID\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}
HKEY_CLASSES_ROOT\CLSID\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}
HKEY_CLASSES_ROOT\CLSID\{F2175210-368C-11D0-AD81-00A0C90DC8D9}
Top of section
| Suggested Actions |
Workarounds
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, this is stated in the entry.
• | Prevent COM objects from running in Internet Explorer
You can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
For information on how to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. This article also shows you how to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:
Note You must restart Internet Explorer for your changes to take effect.
Impact of Workaround: The ActiveX control will no longer instantiate in Internet Explorer. Customers who rely on this control to view a report snapshot without having the standard or run-time versions of Microsoft Office Access 97 through Microsoft Office Access 2007 installed may see that their reports may not be displayed if using the ActiveX control for Snapshot Viewer through Internet Explorer.
|
• | Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:
1.
| In Internet Explorer, click Internet Options on the Tools menu.
| 2.
| Click the Security tab.
| 3.
| Click Internet, and then click Custom Level.
| 4.
| Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
| 5.
| Click Local intranet, and then click Custom Level.
| 6.
| Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
| 7.
| Click OK two times to return to Internet Explorer.
| Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:
1.
| In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
| 2.
| In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
| 3.
| If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
| 4.
| In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
| 5.
| Repeat these steps for each site that you want to add to the zone.
| 6.
| Click OK two times to accept the changes and return to Internet Explorer.
| Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.
Impact of Workaround: There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone”.
|
• | Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.
To raise the browsing security level in Internet Explorer, follow these steps:
1.
| On the Internet Explorer Tools menu, click Internet Options.
| 2.
| In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
| 3.
| Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
| Note If no slider is visible, click Default Level, and then move the slider to High.
Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Add sites that you trust to the Internet Explorer Trusted sites zone
After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:
1.
| In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
| 2.
| In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites
| 3.
| If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
| 4.
| In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
| 5.
| Repeat these steps for each site that you want to add to the zone.
| 6.
| Click OK two times to accept the changes and return to Internet Explorer.
| Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.
Impact of Workaround: There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone”.
|
Top of section
Resources:
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.