Microsoft Security Bulletin MS08-041 – Critical Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)

Microsoft Security Bulletin MS08-041 – Critical
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)
Published: August 12, 2008

Version: 1.0
General Information
Executive Summary

This security update resolves a privately reported vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

This security update is rated Critical for the Snapshot Viewer for Microsoft Access and for supported versions of Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The security update addresses the vulnerability by correcting an error in the Microsoft Access Snapshot Viewer control. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 955179.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None
Top of sectionTop of section
Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software
Office and Other Software Component Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update

Snapshot Viewer for Microsoft Access*

Not applicable

Remote Code Execution

Critical

MS03-038

Microsoft Office 2000 Service Pack 3

Microsoft Office Access 2000 Service Pack 3
(KB955441)

Remote Code Execution

Critical

MS03-038

Microsoft Office XP Service Pack 3

Microsoft Office Access 2002 Service Pack 3
(KB955440)

Remote Code Execution

Critical

MS03-038

Microsoft Office 2003 Service Pack 2 and Microsoft Office 2003 Service Pack 3

Microsoft Office Access 2003 Service Pack 2 and Microsoft Office Access 2003 Service Pack 3
(KB955439)

Remote Code Execution

Critical

None

*Microsoft is currently working on the security update for this affected software and will release the security update as soon as possible. When the security update is released, Microsoft will also update this security bulletin.

Non-Affected Software
Office and Other Software Component

2007 Microsoft Office System and 2007 Microsoft Office System Service Pack 1

Microsoft Office Access 2007 and Microsoft Office Access 2007 Service Pack 1
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

Why is the Snapshot Viewer for Microsoft Access listed in the Affected Software table, if there is no update available?
An update is currently being produced and will be released upon completion. This bulletin will be revised once the update becomes available. Customers who believe they are affected should review the Workarounds for Snapshot Viewer Arbitrary File Download Vulnerability - CVE-2008-2463 section of this document.

Where are the file information details?
The file information details can be found in Microsoft Knowledge Base Article 955617.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.

Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information

Severity Ratings and Vulnerability Identifiers
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software Snapshot Viewer Arbitrary File Download Vulnerability - CVE-2008-2463 Aggregate Severity Rating

Snapshot Viewer for Microsoft Access

Critical
Remote Code Execution

Critical

Microsoft Office Access 2000

Critical
Remote Code Execution

Critical

Microsoft Office Access 2002

Critical
Remote Code Execution

Critical

Microsoft Office Access 2003

Critical
Remote Code Execution

Critical
Top of sectionTop of section

Snapshot Viewer Arbitrary File Download Vulnerability - CVE-2008-2463

A remote code execution vulnerability exists in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-2463.

Mitigating Factors for Snapshot Viewer Arbitrary File Download Vulnerability - CVE-2008-2463

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
•

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger message that takes users to the attacker's Web site.
•

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
•

By default, all supported releases of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce the number of successful attacks that exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario.

Note It cannot be ruled out that this vulnerability could be exploited without Active Scripting. However, using Active Scripting significantly increases the chances of successful exploitation. As a result, this vulnerability has been given a severity rating of Critical on Windows Server 2003 and Windows Server 2008.
•

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
Top of sectionTop of section

Workarounds for Snapshot Viewer Arbitrary File Download Vulnerability - CVE-2008-2463

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
•

Prevent COM objects from running in Internet Explorer

You can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

For information on how to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. This article also shows you how to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:
•

Group Policy collection
•

What is Group Policy Object Editor?
•

Core Group Policy tools and settings

Note You must restart Internet Explorer for your changes to take effect.

Impact of workaround. The ActiveX control will no longer instantiate in Internet Explorer. Customers who rely on this control to view a report snapshot, without the standard or run-time versions of Microsoft Office Access 2000 up to Microsoft Office Access 2007 installed, may see that their reports will not display using the ActiveX control for Snapshot Viewer through Internet Explorer.
•

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:

In Internet Explorer, click Internet Options on the Tools menu.

Click the Security tab.

Click Internet, and then click Custom Level.

Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.

Click Local intranet, and then click Custom Level.

Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.

Click OK two times to return to Internet Explorer.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

Repeat these steps for each site that you want to add to the zone.

Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Impact of Workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in Add sites that you trust to the Internet Explorer Trusted sites zone.
•

Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones

You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Internet Explorer, follow these steps:

On the Internet Explorer Tools menu, click Internet Options.

In the Internet Options dialog box, click the Security tab, and then click the Internet icon.

Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites

If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

Repeat these steps for each site that you want to add to the zone.

Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Impact of Workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in Add sites that you trust to the Internet Explorer Trusted sites zone.
Top of sectionTop of section

FAQ for Snapshot Viewer Arbitrary File Download Vulnerability - CVE-2008-2463

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
This vulnerability is caused by a synchronization issue when saving files using the ActiveX control for Snapshot Viewer.

What is the Snapshot Viewer for Microsoft Access?
The Snapshot Viewer enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access.

What might an attacker use the vulnerability to do?
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by hosting a specially crafted Web site that is designed to invoke the ActiveX control through Internet Explorer. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
Systems that have the Standalone Snapshot Viewer or an affected Microsoft Office version installed, are primarily at risk.

I am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

I am running Internet Explorer 7. Does this mitigate this vulnerability?
Yes. Customers who are running Internet Explorer 7 with default settings are not at risk until the ActiveX control for Snapshot Viewer has been activated in the Internet Zone through the ActiveX opt-in feature. However, if a customer has used this ActiveX control in a previous version of Internet Explorer, then this ActiveX control is enabled to work in Internet Explorer 7, even if the customer has not explicitly approved it using the ActiveX opt-in feature.

What is the ActiveX opt-in feature in Internet Explorer 7?
Internet Explorer 7 includes an ActiveX opt-in feature, which means that nearly all pre-installed ActiveX controls are off by default. Users are prompted by the Information Bar before they can access a previously installed ActiveX Control that has not yet been used on the Internet. This enables a user to permit or deny access on a control-by-control basis. For more information about this and other new features, see the Windows Internet Explorer 7 features page.

What does the update do?
The update removes the vulnerability by modifying the way the Microsoft Office Snapshot Viewer ActiveX Control handles saving of files.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed and has been commonly referred to as “Microsoft Office Snapshot Viewer ActiveX Control Race Condition” and assigned Common Vulnerability and Exposure number CVE-2008-2463.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.

Does applying this security update help protect customers from the code, published publicly, that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2008-2463.

How could I get the ActiveX control that Microsoft Access Snapshot Viewer uses?
There are several ways to get the Microsoft Access Snapshot Viewer:
•

It is included with all supported versions of Access - however it is not installed by default
•

It is available as a separate stand-alone download so that customers who do not have Access installed can view Access database snapshots

Could the old control still be downloaded?
If an attacker has cached the old vulnerable control and is hosting it on a site that is under their control, the control could be reintroduced to a user's system. However, an attacker would have to persuade a user to visit a malicious Web site that is under their control for the user to download the old control. To remove the ability for the old control to be reintroduced on a user's system, a kill bit is being set with this update.

What is a kill bit?
A security feature in Microsoft Internet Explorer makes it possible to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML-rendering engine. This is done by making a registry setting and is referred to as setting the kill bit. After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless.

For more information on a kill bit, see Microsoft Knowledge Base Article 240797: How to stop an ActiveX control from running in Internet Explorer.

Other Information
Support
•

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
•

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions
•

V1.0 (August 12, 2008): Bulletin published.