Microsoft issued a warning Monday about targeted attacks attempting to exploit a bug in the ActiveX control for the Snapshot Viewer in its Access database management application.
The ActiveX control for the Snapshot Viewer for Microsoft Access enables users to view a snapshot of an Access report without having the standard or run-time versions of Microsoft Office Access, Microsoft said.
The vulnerability affects only the ActiveX control for the Snapshot Viewer in Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003. While the ActiveX control was shipped with all supported versions of Microsoft Office Access as well as the standalone Snapshot Viewer, Microsoft Office Access 2007 is not affected.
The software maker is investigating these active attacks leveraging the potential security hole, it said.
An attacker could exploit the vulnerability by constructing a specially crafted Web page, according to the security advisory. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.
A cybercriminal would have to entice a user to visit the Web site by getting the user to click on a link in an e-mail or instant message. When the user goes to the site and views the Web page, the exploit would trigger and allow remote code execution, giving the attacker access to anything the logged-in user is able to access.
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as “Enhanced Security Configuration.” This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that the user has not added to his or her Internet Explorer Trusted sites zone.
Just Say No to Remote Code Execution
Security researchers in general consider any vulnerability that allows for remote code execution to be a high priority.
“This is a highly serious issue, as this bug allows remote code execution and may give the attacker administrator rights,” said Chris Rodriguez, a security analyst at Frost & Sullivan.
“The issue is as serious as any other client-side bug,” Michael Coulter, a virus researcher at SophosLabs, told TechNewsWorld. The issue will affect business users more than home users, he added.
“Home users are less likely to have Office installed,” he noted.
However, Rodriguez points out that “while many businesses use Access, the larger enterprises are more likely to use a more powerful database tool such as SQL Server or Oracle.”
Working Around the Problem
Users can avoid the threat by following basic, safe Web browsing habits, such as not opening attachments or clicking links from suspicious or unknown sources, according to Rodriguez.
“There are other threat mitigation options; however, this is the least intrusive, most convenient and effective method possible. Users with limited accounts would be less impacted than users with administrative user rights. However, most people use an administrator account with the exception of small children,” he explained.
“Legitimate Web sites that allow user-supplied content will be a viable medium for links to these attacks as well. This can be avoided by other mitigation efforts, such as setting IE security zone settings to high, adjusting registry settings or disabling ActiveX controls and COM objects,” Rodriguez continued.
“The average computer user is able to do these, however [they] may not be aware of how or why they should. These methods are intrusive or simply require too much effort for the average computer user to implement. Search engines that filter out or warn users of suspicious links will help lessen the chances of users being exposed to maliciously designed Web sites. Yahoo with McAfee Site Advisor is one such example,” he concluded.
While it researches the vulnerability, Microsoft recommends that users enact a workaround that will help block known attack vectors, although it will not correct the problem.
Among the workarounds suggested by the software maker, users can prevent COM objects from running in Internet Explorer or configure Internet Explorer to prompt before running Active Scripting. They can also disable Active Scripting in the Internet and Local intranet security zones.
Instructions for these workarounds are available in the security advisory under the “Suggested Actions” heading.
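An administrator who has applied the "prevent COM objects from running in Internet Explorer" workaround can confirm it took effect by checking the kill bit in a registry export. The sketch below is an added example, not code from the article or from Microsoft. It assumes the standard kill-bit location (the "Compatibility Flags" value, bit 0x400, under the ActiveX Compatibility key), and its CLSIDs are placeholders in a constructed sample, because the article does not list the Snapshot Viewer's identifiers.

```python
import re

# Kill bit: bit 0x400 of "Compatibility Flags" stops IE from instantiating the control.
KILL_BIT = 0x00000400
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags (0 if the value is absent)."""
    flags, current = {}, None
    prefix = BASE.upper() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:  # a new [key] header: track it only if it sits under BASE
            key = m.group(1).upper()
            current = key[len(prefix):] if key.startswith(prefix) else None
            if current is not None:
                flags.setdefault(current, 0)
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags

def audit(reg_text, clsids):
    """Return {clsid: 'blocked' | 'not blocked' | 'no entry'} for each CLSID."""
    flags = parse_compat_flags(reg_text)
    result = {}
    for clsid in clsids:
        key = clsid.upper()  # registry key names are case-insensitive
        if key not in flags:
            result[clsid] = "no entry"
        else:
            result[clsid] = "blocked" if flags[key] & KILL_BIT else "not blocked"
    return result

# Constructed sample export; the CLSIDs are placeholders, not the Snapshot Viewer's.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000b}]
"Compatibility Flags"=dword:00000020
"""
```

Run `audit()` over a `reg export` of the ActiveX Compatibility key with the CLSIDs taken from the vendor advisory; anything reported as "no entry" or "not blocked" can still be loaded by Internet Explorer.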