Bardissi Enterprises Blog

WatchGuard: Attackers Leverage Zero Day Microsoft Access Vulnerability

Severity: High

8 July, 2008


Summary:

§ These vulnerabilities affect: Microsoft Access 2000, 2002, and 2003

§ How an attacker exploits them: By enticing one of your users to a malicious web site

§ Impact: An attacker can execute code, potentially gaining complete control of your user’s computer

§ What to do: Implement workarounds described in the “Solution Path” section below

Exposure:

In a security advisory released late yesterday, Microsoft warns of a serious unpatched Access vulnerability which attackers have begun exploiting on the Internet. The vulnerability specifically involves the Snapshot Viewer ActiveX control that ships with all versions of Microsoft Access, with the exception of Access 2007. Since they’ve just discovered this vulnerability in the wild, Microsoft doesn’t describe it in any technical detail. However, they do describe how an attacker might leverage the new vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker could exploit this flaw to execute code on that user’s machine, with that user’s privileges. If the user has local administrator rights, the attacker would gain full control of the user’s machine.

Since attackers have already begun leveraging this flaw in the wild (in what Microsoft describes as targeted attacks), we highly recommend you implement one of the workarounds suggested below.

Solution Path:

Microsoft has not had time to release a patch for this vulnerability yet; we will update this alert as soon as they do. Until that time, you can mitigate the risk by setting the killbits for Access’ Snapshot Viewer ActiveX controls. Doing this prevents the flawed ActiveX controls from instantiating in Internet Explorer (IE), which should prevent malicious web sites from exploiting this vulnerability against you. To do this, cut and paste the following text into a new Notepad text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

Save the text file as SnapshotViewerkillbits.reg. Once you’ve saved the file, double-click it. Windows will automatically add those changes to your registry. Keep in mind that setting the killbits in this way will prevent Snapshot Viewer from working on legitimate web sites as well.
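To confirm the import took effect, the following PowerShell check reads each of the three keys back and reports whether the killbit value (0x400) is present. It is an added example, not part of the WatchGuard or Microsoft advisory. The Wow6432Node path is not from the advisory: it is the 32-bit registry view on 64-bit Windows, which the .reg file above does not write, and the script skips it where it does not exist.

```powershell
# Added example: verify the Snapshot Viewer killbits listed in the advisory.
# Exit code 0 = killbit set everywhere it was checked, 1 = at least one gap.
$KillBit = 0x400
$Clsids = @(
    '{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}',
    '{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}',
    '{F2175210-368C-11D0-AD81-00A0C90DC8D9}'
)
# First root is the path from the advisory. The second is an assumption added
# here: the view used by 32-bit Internet Explorer on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

$results = foreach ($root in $Roots) {
    # Skip a registry view that does not exist on this machine
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($clsid in $Clsids) {
        $key  = Join-Path $root $clsid
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        $flags = if ($prop) { [int]$prop.'Compatibility Flags' } else { $null }

        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            # Other compatibility bits may be present; only the 0x400 bit matters
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

$results | Format-Table -AutoSize

if ($results.KillBitSet -contains $false) {
    Write-Warning 'One or more Snapshot Viewer CLSIDs do not have the killbit set.'
    exit 1
}
exit 0
```

A row showing "(not set)" under the Wow6432Node root means 32-bit Internet Explorer on that machine can still instantiate the control; adding the same three keys under that root closes the gap.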

For All WatchGuard Users:

Many of WatchGuard’s Firebox models ship with an HTTP proxy policy that you can configure to block ActiveX applets. Blocking these ActiveX applets could mitigate the risk of this unpatched vulnerability. However, doing so could also prevent some legitimate web sites from working properly. If you’d like to block ActiveX applets, here’s how:

§ For WFS administrators: If you don’t already have an HTTP proxy policy, add one. The WFS HTTP proxy blocks ActiveX by default. However, you can verify its settings by double-clicking your HTTP proxy policy and clicking Properties => Settings. In the HTTP Proxy dialog, make sure “Deny ActiveX applets” is checked. Finally, save these changes to your Firebox.

§ For Fireware administrators: You’ll have to create or adjust a custom proxy action based on the default HTTP-Client action in order to block ActiveX applets. In Fireware Policy Manager, click Setup => Actions => Proxies… If you already have a custom proxy action based on the HTTP-Client action, highlight it and select Edit. Otherwise, double-click the existing HTTP-Client action. In the proxy action configuration dialog, click on Body Content Types under the HTTP Response section. Click the Change View button then click Add. In the new rules dialog, give your rule a name, such as Block_ActiveX_applet_1. In the empty box next to Pattern Match, cut and paste the following pattern:

%0x5a4d00900003000000040000ffff0000%*

Finally, change the Action to Deny and click OK. Repeat those same steps to add a second pattern, except give this rule a different name, such as Block_ActiveX_applet_2. Cut and paste the following pattern into the new rule:

%0x4d53434600000000%*

Press OK twice and close the Proxy Actions window. Now you can apply this new proxy action to your HTTP policy to ensure that ActiveX applets are blocked. Make sure to save the configuration to your Firebox when you are finished.

Status:

Microsoft hasn’t had time to release a patch for this zero day vulnerability. We will inform you when they do.

References:

§ Microsoft Access Security Advisory 07-08

 
