CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 7th, 2008

Microsoft Office Snapshot Viewer ActiveX Control Vulnerability

The Microsoft Office Snapshot Viewer ActiveX control contains a vulnerability that can allow a remote, unauthenticated attacker to download arbitrary files to arbitrary locations.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could download arbitrary files to a vulnerable system within the security context of the user running IE. These files could contain code that could be executed through other means. The user may click the file inadvertently, or the file may be placed in a sensitive location, such as the Windows Startup folder, where it will automatically execute the next time the user logs on to the system.

The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.

Currently there is no practical solution to this problem. Microsoft has issued the following workarounds in Security Advisory 955179:

  • Disable the Microsoft Snapshot Viewer ActiveX control in Internet Explorer
  • Upgrade to Internet Explorer 7
  • Do not run Windows with administrator privileges
  • Disable ActiveX
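
Disabling a single ActiveX control in Internet Explorer is normally done by setting its "kill bit" (the `Compatibility Flags` value 0x400) in the registry. The PowerShell script below is an added example, not part of the original article or of Microsoft's advisory; the CLSID is a placeholder that must be replaced with the class identifiers listed in Security Advisory 955179, and the `-Apply` switch and function names are hypothetical.

```powershell
# Added example: audit (and optionally set) the IE kill bit for ActiveX CLSIDs.
# The default CLSID is a PLACEHOLDER; use the values from Security Advisory 955179.
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}'),  # placeholder
    [switch]$Apply   # without -Apply the script only reports the current state
)

$KillBit = 0x400     # Compatibility Flags bit that stops IE from instantiating the control
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit Internet Explorer on 64-bit Windows reads the redirected key
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Key)
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    return ($null -ne $p) -and (($p.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current = if ($p) { [int]$p.'Compatibility Flags' } else { 0 }
    # OR the bit in so that any other compatibility flags already present are preserved
    Set-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

foreach ($id in $Clsid) {
    if ($id -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        Write-Warning "Skipping malformed CLSID: $id"
        continue
    }
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }  # e.g. no Wow6432Node on 32-bit Windows
        $key = Join-Path $root $id
        if ($Apply -and -not (Test-KillBit $key)) { Set-KillBit $key }
        # One row per registry view, so gaps between the 32-bit and 64-bit keys are visible
        [pscustomobject]@{ Clsid = $id; Key = $key; KillBitSet = (Test-KillBit $key) }
    }
}
```

Writing under HKLM requires an elevated prompt; run the script without `-Apply` first to see which hosts and registry views still lack the kill bit.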
