Date: 08 July 2008
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0079 -- AUSCERT ALERT
[Win]
Microsoft Office Snapshot Viewer ActiveX Vulnerability
8 July 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: Microsoft Office Snapshot Viewer
Microsoft Office Access 2000
Microsoft Office Access XP (2002)
Microsoft Office Access 2003
Publisher: US-CERT
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-2463
Original Bulletin: http://www.kb.cert.org/vuls/id/837785
Comment: This vulnerability is currently being exploited.
Please note that Snapshot viewer may be installed on a system that
does not have Microsoft Office installed.
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#837785
Microsoft Office Snapshot Viewer ActiveX control vulnerability
Overview
The Microsoft Office Snapshot Viewer ActiveX control contains a vulnerability,
which can allow a remote, unauthenticated attacker to download arbitrary files
to arbitrary locations.
I. Description
Microsoft Snapshot Viewer is a viewer for snapshots created with Microsoft
Access. Snapshot Viewer is available as an ActiveX control, which is provided
by snapview.ocx, or as a stand-alone application. Snapshot Viewer is provided
with Office 2000, Office XP, and Office 2003, and it may also be installed on
a system that does not have Microsoft Office.
The Snapshot Viewer ActiveX control contains a vulnerability, which can allow
an attacker to download files to arbitrary locations. We have received reports
of active exploitation of this vulnerability.
II. Impact
By convincing a victim to view an HTML document (web page, HTML email, or
email attachment), an attacker could download arbitrary files to a vulnerable
system within the security context of the user running IE. These files could
contain code that could be executed through other means. The user may click
the file inadvertently, or the file may be placed in a sensitive location,
such as the Windows Startup folder where it will automatically execute the
next time the user logs onto the system.
III. Solution
We are currently unaware of a practical solution to this problem. Please see
Microsoft Security Advisory 955179 and consider the following workarounds:
Disable the Microsoft Snapshot Viewer ActiveX control in Internet Explorer
The vulnerable ActiveX control can be disabled in Internet Explorer by setting
the kill bit for the following CLSIDs:
{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}
{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}
{F2175210-368C-11D0-AD81-00A0C90DC8D9}
More information about how to set the kill bit is available in Microsoft
Support Document 240797. Alternatively, the following text can be saved as a
.REG file and imported to set the kill bit for these controls:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
\"Compatibility Flags\"=dword:00000400
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
\"Compatibility Flags\"=dword:00000400
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
\"Compatibility Flags\"=dword:00000400
Upgrade to Internet Explorer 7
Upgrading Internet Explorer to version 7 or later may help mitigate this
vulnerability through its ActiveX opt-in feature. This feature is designed to
prompt the user before using ActiveX controls that are already installed on
the system.
Do not run Windows with administrator privileges
Running Windows using an unprivileged regular user account may mitigate the
affects of this vulnerability. See the Microsoft Technet article Applying the
Principle of Least Privilege to User Accounts on Windows XP for more
information. This can prevent an attacker from being able to download files to
the Startup folder for \"All Users.\"
Disable ActiveX
Disabling ActiveX controls in the Internet Zone (or any zone used by an
attacker) appears to prevent exploitation of this and other ActiveX
vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can
be found in the \"Securing Your Web Browser\" document.
Systems Affected
Vendor Status Date Updated
Microsoft Corporation Vulnerable 7-Jul-2008
References
http://www.microsoft.com/technet/security/advisory/955179.mspx
http://blogs.technet.com/msrc/archive/2008/07/07/snapshot-viewer-activex-control-vulnerability.aspx
http://secunia.com/advisories/30883/
http://support.microsoft.com/kb/175274
http://www.us-cert.gov/reading_room/securing_browser/
http://technet.microsoft.com/en-us/library/bb456992.aspx
Credit
This document was written by Will Dormann.
Other Information
Date Public 07/07/2008
Date First Published 07/07/2008 01:08:22 PM
Date Last Updated 07/07/2008
CERT Advisory
CVE Name CVE-2008-2463
US-CERT Technical Alerts
Metric 18.76
Document Revision 26
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation\'s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT\'s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation\'s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author\'s website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSHKcWyh9+71yA2DNAQILTQQAjxQ+PDnplx9HabxNd4Ff9/ni5d3AlfKT
bTQT5J8mL+cq2munLGG8nhepLpGoc1CO6B5T6sPE4Hbu027WJiTeT0vglEaAQCWv
vRxcLLMREMUaxZe4BMMGu6Arb2VR5eOHy8aHbeSdYfnu19myeJcxdJx1j6QEFk+6
CigLcjWaK+4=
=wcNn
-----END PGP SIGNATURE-----
|