
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Microsoft warns of "active, targeted" ActiveX control attacks

By | July 7, 2008, 10:29am PDT

Microsoft has issued a pre-patch security advisory to warn about “active, targeted attacks” against an ActiveX control for the Snapshot Viewer for Microsoft Access.

The skinny:

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.

The advisory contains information on setting the killbit to avoid the attack. More information is available in this US-CERT advisory.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

RE: Microsoft warns of
TFW38@... 8th Jul 2008
ZZZZZZZZZz... Is it over yet
0 Votes
An ActiveX attack. WHAT a surprise...
BitTwiddler 7th Jul 2008
NT
0 Votes
Windows only technology
Richard Flude 7th Jul 2008
Why haven't others picked up on it? wink

Reminds me of their patent for web technology controls without security.
0 Votes
yup
TedKraan 8th Jul 2008
Being able to format your drive through a website, that's really a Microsoft invention and might I dare say it, innovation? happy lol
0 Votes
No surprise there either. Just folks like you hold MS to an impossible standard, while giving Apple every forgiveness.

No surprise there either.
0 Votes
ActiveX exists?
cmdrrickhunter@... 7th Jul 2008
Truly amazing. I'd have assumed that, after nearly 15 years of holding the title of "worst exploit ridden API ever designed," people might actually learn not to use it.
0 Votes
Makes me wonder, ....
Mike Hunt 7th Jul 2008
... keep using Active X, invest in AV company stock, write malware using Active X, make money. Is that why MS loves X?
0 Votes
Is the user's fault, of course
theo_durcan 7th Jul 2008
and lazy developers that don't follow strict MS guidelines.

PF
0 Votes
you wouldn't be here going off on a tangent blaming the
user. The lazy developers you are referring to are Microsoft's
own. This ActiveX sploit is part of Microsoft Office.

Please re-read this story.
0 Votes
Sarcasm?
zkiwi 7th Jul 2008
0 Votes
Microsoft has the monopoly and this might even be extortion.
0 Votes
RE: Microsoft warns of
samp_z 8th Jul 2008
Uh..they will fix it and move on...
0 Votes
RE: Microsoft warns of
stevepast@... 8th Jul 2008
Much like government.......Nobody is responsible.
0 Votes
RE: Microsoft warns of
stevepast@... 8th Jul 2008
Much like government.....nobody is responsible.
0 Votes