In association with heise online

08 July 2008, 14:55

Yet another critical ActiveX exploit


Just before its monthly Patch Tuesday, Microsoft has published a warning about targeted attacks that exploit a security flaw in an ActiveX control for Access database snapshots. Apparently, a buffer overflow can be exploited so that arbitrary code is executed with the user’s rights. Users who have one of the affected versions of Access need only open a web site in Internet Explorer to be under attack. In light of the hundreds of thousands of compromised web sites, this danger should not be taken lightly. The versions of the Snapshot Viewer installed with Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003 are vulnerable; the current Access 2007 was not mentioned in the list.

Microsoft recommends setting the kill bit for the ActiveX control. Web sites then cannot have Internet Explorer launch the vulnerable object, though local use is not affected. To do so, you will, however, have to make a change directly in the registry. Otherwise, you can also disable ActiveScripting – VBScript and JavaScript – for the internet zone or require a prompt before it is enabled. The heise Security UK browsercheck describes the details of Internet Explorer’s internet zones and how they can be changed.
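The kill bit Microsoft refers to is a registry flag Internet Explorer consults before instantiating a control. The PowerShell below is an added example, not part of the article or of Microsoft's advisory; it sets and verifies the kill bit for a control while preserving any other compatibility flags already present. The CLSIDs of the Snapshot Viewer control are listed in Microsoft's advisory, so the script uses a placeholder you must replace.

```powershell
# Added example: set and verify the Internet Explorer kill bit for an ActiveX control.
# Run from an elevated (Administrator) prompt. Replace the placeholder CLSID with each
# value from the Microsoft advisory; the article itself does not list them.
$KillBitFlag = 0x400   # the "kill bit" value within "Compatibility Flags"

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # Native view, plus the 32-bit view on 64-bit Windows where 32-bit IE reads its flags
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # OR the kill bit into any flags already present rather than overwriting them
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($current -bor $KillBitFlag) -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Report success only if every applicable registry view carries the kill bit
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band $KillBitFlag) -ne $KillBitFlag) { return $false }
    }
    return $true
}

# Placeholder: substitute the CLSID from the advisory, braces included
$clsid = '{CLSID-FROM-ADVISORY}'
Set-ActiveXKillBit -Clsid $clsid
"Kill bit set for ${clsid}: $(Test-ActiveXKillBit -Clsid $clsid)"
```

Because the flag is read by Internet Explorer at instantiation time, no reboot is needed, but local use of the control through other hosts is unaffected, as the article notes.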

In the security advisory, Redmond is careful not to say which browsers are affected, much less which operating systems. It therefore remains unclear whether one of the protection measures implemented in Internet Explorer 7 or Vista at least reduces the risk. It is unlikely that the updates to be published this evening will close this hole since the advisory was published separately on the same day.

See also:

* Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution, Security Advisory from Microsoft
