Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 19th, 2008

Remote Code Execution Vulnerability In The ActiveX Control For The Microsoft Access Snapshot Viewer Added Into Neosploit

More than two weeks ago Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. Microsoft began investigating active, targeted attacks leveraging this potential vulnerability. Recently, Symantec honeypots began detecting the vulnerability in the Access Snapshot Viewer ActiveX control exploited in a Neosploit wrapper. The Neosploit toolkit is an advanced exploit framework to compromise web site visitors.

The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

This vulnerability was recently added into a new version of Neosploit. The attack consists of an encrypted block that is similar to some of the Mpack variants. This primary encoder serves the Access Snapshot exploit. Once this exploit has been attempted, the user is presented with a malicious iframe, which redirects the user to a copy of Neosploit. This adds an Access Snapshot exploit to the Neosploit repertoire, albeit in an unusual way. According to Symantec, this method of adding an exploit to Neosploit was chosen because the author does not control the source of Neosploit.

As is the case with most of these ActiveX attacks, they are being served by traditional Web sites that have themselves fallen victim to automated SQL injection attacks. Among those sites there are top-visited government, commercial, and hobby sites. The sites fall victim to SQL injection attacks and subsequently begin serving exploits to each of their visitors.

It is recommended that all Internet Explorer users, including those who do not have the Access Snapshot viewer installed, update their IPS signatures and set the kill bits mentioned in this Microsoft Security Bulletin. Switching from Internet Explorer to Firefox or Opera would also help you avoid this vulnerability (and probably many others).

Share this item with others:

More on CyberInsecure:
  • Microsoft Office Snapshot Viewer ActiveX Control Vulnerability
  • Microsoft’s Patch Fix Critical Vulnerabilities In IE And Office
  • Exploit Targeting Corporate Computer Associates Users
  • ActiveX Control Flaw In BlackBerry Leads To Code Execution Attacks
  • Microsoft Internet Information Services Vulnerability Gives Complete Server Control

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Remote Code Execution Vulnerability In The ActiveX Control For The Microsoft Access Snapshot Viewer Added Into Neosploit

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.