Microsoft Warns Of Attack Exploiting ActiveX Flaw
The ActiveX control for the Snapshot Viewer for Microsoft Access enables users to view an Access report snapshot without requiring the use of a standard version of Microsoft Office Access.
Altogether, the vulnerability affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003.
In a Web-based attack scenario, the error could open the door for remote code exploitation when an attacker creates a malicious Web page. When viewed, the infected site would unleash arbitrary code on a user's PC. Alternatively, the attacker could also launch malicious code to compromise legitimate Web pages or other sites that feature user-provided content.
Security researchers said in a blog posted Monday that the attack appears to be targeted and "not widespread."
There are some factors that mitigate the severity of the flaw, according to the advisory. In order for an attack to be successful, the attacker would have to lure victims to the infected page by enticing them to click a malicious URL -- typically through an e-mail link or Instant Messenger message -- which redirects users' browsers to the affected site. Once a viewer's PC becomes infected, the attacker could then achieve the same login rights as the local user.
Further reducing the threat level for those using Internet Explorer on Windows Server 2003 and Windows Server 2008 is a default function known as Enhanced Security Configuration, which sets the Internet zone security level to "high."
While Microsoft has not yet issued a fix for the flaw, the advisory highlights several workarounds users can apply that will impede or disable the ActiveX function.
Users can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry, which could potentially affect users relying on ActiveX to view a report snapshot without having Office Access 1997 through 2007 installed on their systems.
In addition, the advisory warns that users could also cause damage to their systems if the Registry Editor is accessed incorrectly, which could result in a complete reinstallation of the operating system.
Another workaround includes configuring the IE to prompt users before running the Active scripting or disabling Active Scripting in the Internet and local intranet security zones. Users can also set Internet and local intranet security zone settings to "high" before running ActiveX controls and Active scripting.
Microsoft said in a blog that the company was currently investigating the issue. Meanwhile, security experts recommend that users apply the suggested workarounds immediately until a patch repairing the error becomes available.
"We encourage affected customers to implement the manual workarounds included in the Advisory, which Microsoft has tested" said Bill Sisk, security response communications manager for Microsoft, in a blog post. "Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors."