ActiveX Bug Exposes Microsoft Access’ Soft Underbelly

Microsoft issued a warning Monday about targeted attacks attempting to exploit a bug in the ActiveX control for the Snapshot Viewer in its Access database management application.

The ActiveX control for the Snapshot Viewer for Microsoft Access enables users to view a snapshot of an Access report without having the standard or run-time versions of Microsoft Office Access, Microsoft said.

The vulnerability affects only the ActiveX control for the Snapshot Viewer in Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003. While the ActiveX control was shipped with all supported versions of Microsoft Office Access as well as the standalone Snapshot Viewer, Microsoft Office Access 2007 is not affected.

The software maker is investigating these active attacks leveraging the potential security hole, it said.

Secure Access

An attacker could exploit the vulnerability by constructing a specially crafted Web page, according to the security advisory. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.

A cybercriminal would have to entice a user to visit the Web site, typically by getting the user to click on a link in an e-mail or instant message. When the user views the Web page, that would trigger the malware and allow remote code execution, giving the hacker access to anything the logged-in user is able to access.

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as “Enhanced Security Configuration.” This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that the user has not added to his or her Internet Explorer Trusted sites zone.

Just Say No to Remote Code Execution

Security researchers in general consider any vulnerability that allows for remote code execution to be a high priority.

“This is a highly serious issue, as this bug allows remote code execution and may give the attacker administrator rights,” said Chris Rodriguez, a security analyst at Frost & Sullivan.

“The issue is as serious as any other client-side bug,” Michael Coulter, a virus researcher at SophosLabs, told TechNewsWorld. The issue will largely affect more business users than home users, he added.

“Home users are less likely to have Office installed,” he noted.

However, Rodriguez points out that “while many businesses use Access, the larger enterprises are more likely to use a more powerful database tool such as SQL Server or Oracle.”

Working Around the Problem

Users can avoid the threat by following basic, safe Web browsing habits, such as not opening attachments or clicking links from suspicious or unknown sources, according to Rodriguez.

“There are other threat mitigation options; however, this is the least intrusive, most convenient and effective method possible. Users with limited accounts would be less impacted than users with administrative user rights. However, most people use an administrator account with the exception of small children,” he explained.

“Legitimate Web sites that allow user-supplied content will be a viable medium for links to these attacks as well. This can be avoided by other mitigation efforts, such as setting IE security zone settings to high, adjusting registry settings or disabling ActiveX controls and COM objects,” Rodriguez continued.

“The average computer user is able to do these, however [they] may not be aware of how or why they should. These methods are intrusive or simply require too much effort for the average computer user to implement. Search engines that filter out or warn users of suspicious links will help lessen the chances of users being exposed to maliciously designed Web sites. Yahoo with McAfee Site Advisor is one such example,” he concluded.

While it researches the vulnerability, Microsoft recommends that users enact a workaround that will help block known attack vectors, although it will not correct the problem.

Among the workarounds suggested by the software maker, users can prevent COM objects from running in Internet Explorer or configure Internet Explorer to prompt before running Active Scripting. They can also disable Active Scripting in the Internet and Local intranet security zone.

Instructions for these workarounds are available here under the “Suggested Actions” heading.
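
Preventing a COM object from running in Internet Explorer is normally done by setting a "kill bit" for the control's CLSID in the registry. The PowerShell below is an added example, not part of the article or of Microsoft's advisory, that audits whether that setting is in place; the CLSID is a placeholder because the article does not list the affected class identifiers.

```powershell
# Added example: report whether the IE kill bit is set for a list of ActiveX CLSIDs.
# The CLSID below is a PLACEHOLDER; substitute the values from the vendor advisory.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

# Internet Explorer reads per-control flags from these keys (native and 32-bit view).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control

function Get-KillBitState {
    param([string]$Root, [string]$Clsid)

    if (-not (Test-Path -LiteralPath $Root)) { return 'root-absent' }  # e.g. no WOW64 view
    $key = Join-Path -Path $Root -ChildPath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return 'no-key' }

    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'no-value' }

    $flags = [int]$item.'Compatibility Flags'
    if (($flags -band $KillBit) -eq $KillBit) { return 'kill-bit-set' }
    return ('flags=0x{0:X} (kill bit clear)' -f $flags)
}

$report = foreach ($clsid in $Clsids) {
    foreach ($root in $Roots) {
        [pscustomobject]@{
            Clsid = $clsid
            Root  = $root
            State = Get-KillBitState -Root $root -Clsid $clsid
        }
    }
}
$report | Format-Table -AutoSize -Wrap

# Exit non-zero if any existing registry view lacks the kill bit, for use in compliance checks.
$open = @($report | Where-Object { $_.State -notin 'kill-bit-set', 'root-absent' })
if ($open.Count -gt 0) { exit 1 }
```

On 64-bit Windows both registry views matter, because 32-bit and 64-bit Internet Explorer read different keys.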

1 Comment

  • Nice article, good advice there.

    What stunned me about it was the amount of "Set your internet zone in Internet Explorer" and "disable COM this or Scripting that"…

    Yeah, sure, those are all excellent ideas… However, anybody still using Internet Explorer by choice is probably defiantly sitting there in their stupid-chair saying "Oh yeah sure, it’ll never happen to me"

    Everybody who cares at all about computer security switched to a proper browser (Opera, Firefox, Safari…) long ago. Let alone anybody who cared for the poor sucker whose job it is to make things "just work" in Internet Explorer.

    Yes, so… Any reconfiguration of Virus Explorer is really only a symptomatic treatment. To solve the problem you have to stop using Internet Explorer and get a proper browser.

    So what we have to do is tell our bosses "Look, IE is reducing our productivity and could allow a hacker to compromise our system" — if you are half as good at your job as most people seem to think they are, then your boss will not sack you on the spot for making this suggestion.

    This is not simply my personal opinion. IE is a hunk of junk, it’s a simple fact. If your boss is skeptical that a bad browser can fly in the face of every security measure on the planet, cite the U.S. government’s Computer Emergency Readiness Team and the Department of Homeland Security.

    Idiot Explorer is for suckers. I’m not bashing Microsoft here. Hey, no way, I love Microsoft. Sure. Windows is excellent. It’s amazing what a small team can accomplish.

    But IE is a bad browser and if you have to use it at work I tell you this:

    – Look for a new job, before your browser sends a malicious hacker all your sensitive information. Think about it, if the browser emails your accounts to a rival corporation and reveals all your trade secrets, who will get in trouble for that?

    YOU WILL.

    If I had to apply for a job tomorrow where I might be using the internet, I would be asking if I had to use Internet Explorer. It’d have to be a mighty big pay packet to make me comfortable with using such a dangerous, terrible, sloppy, buggy, infuriating product.

    I like to make web apps for a hobby. Very simple, humble, basic things.

    Back when I cared in the least what IE users thought of my stuff, I spent about 80% of my time just trying to work around bugs in IE.

    Internet Explorer is disgusting.

    So, back on topic… Rather than suggest that people work around the problem by spending hours tweaking settings in Internet Explorer, why not just tell them to download a proper browser in the first place and be done with it? What a waste of time.

    Other than that (in fact, partly because of it, as knowing how to "secure" IE could be very useful) it was a very interesting article.

    It even prompted me to register 😉 so thanks, once again.
