Yet another critical ActiveX exploit
Just before its monthly Patch Tuesday, Microsoft has published a warning about targeted attacks that exploit a security flaw in an ActiveX control for Access database snapshots. Apparently, a buffer overflow can be exploited so that arbitrary code is executed with the user’s rights. Users who have one of the affected versions of Access need only open a web site in Internet Explorer to come under attack. In light of the hundreds of thousands of compromised web sites, this danger should not be taken lightly. The versions of the Snapshot Viewer installed with Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003 are vulnerable; the current Access 2007 was not mentioned in the list.
In the security advisory, Redmond is careful not to say which browsers are affected, much less which operating systems. It therefore remains unclear whether one of the protection measures implemented in Internet Explorer 7 or Vista at least reduces the risk. It is unlikely that the updates to be published this evening will close this hole since the advisory was published separately on the same day.
* Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution, security advisory from Microsoft