Severity: High
8 July, 2008
Summary:
§ These vulnerabilities affect: Microsoft Access 2000, 2002, and 2003
§ How an attacker exploits them: By enticing one of your users to a malicious web site
§ Impact: An attacker can execute code, potentially gaining complete control of your user’s computer
§ What to do: Implement workarounds described in the “Solution Path” section below
Exposure:
In a security advisory released late yesterday, Microsoft warns of a serious unpatched Access vulnerability which attackers have begun exploiting on the Internet. The vulnerability specifically involves the Snapshot Viewer ActiveX control that ships with all versions of Microsoft Access, with the exception of Access 2007. Since they’ve just discovered this vulnerability in the wild, Microsoft doesn’t describe it in any technical detail. However, they do describe how an attacker might leverage the new vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker could exploit this flaw to execute code on that user’s machine, with that user’s privileges. If the user has local administrator rights, the attacker would gain full control of the user’s machine.
Since attackers have already begun leveraging this flaw in the wild (in what Microsoft describes as targeted attacks), we highly recommend you implement one of the workarounds suggested below.
Solution Path:
Microsoft has not had time to release a patch for this vulnerability yet; we will update this alert as soon as they do. Until that time, you can mitigate the risk by setting the killbits for Access’ Snapshot Viewer ActiveX controls. Doing this prevents the flawed ActiveX controls from instantiating in Internet Explorer (IE), which should prevent malicious web sites from exploiting this vulnerability against you. To do this, cut and paste the following text into a new Notepad text file:
Windows Registry Editor Version 5.00

; Compatibility Flags 0x400 is the kill bit: IE will not instantiate the control with this CLSID
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
Save the text file as SnapshotViewerkillbits.reg. Once you’ve saved the file, double-click it. Windows will automatically add those changes to your registry. Keep in mind that setting the killbits in this way will prevent Snapshot Viewer from working on legitimate web sites as well.
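The following PowerShell check is an added example, not part of Microsoft's or WatchGuard's advisory text: it reads back the three Compatibility Flags values set above and reports whether the kill bit (0x400) is present on a machine. The Wow6432Node path (used by 32-bit IE on 64-bit Windows) is an addition the advisory does not list, and the function name Get-KillBitStatus is illustrative.

```powershell
# Added example: read-only audit of the kill bits this advisory sets.
$Clsids = @(
    '{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}',
    '{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}',
    '{F2175210-368C-11D0-AD81-00A0C90DC8D9}'
)
# First root is the path from the advisory. The Wow6432Node root (32-bit IE
# on 64-bit Windows) is an addition here, not part of the advisory text.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBit = 0x400
$ValueName = 'Compatibility Flags'

# Hypothetical helper name; returns one result object per root/CLSID pair.
function Get-KillBitStatus {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    $flags = $null
    $status = 'MISSING'                      # key or value absent
    if (Test-Path -LiteralPath $key) {
        $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$ValueName]) {
            $flags = $item.$ValueName
            # Other compatibility bits may be set too, so test the bit itself.
            if ($flags -band $KillBit) { $status = 'SET' } else { $status = 'NOT SET' }
        }
    }
    New-Object PSObject -Property @{
        Root = $Root; Clsid = $Clsid; Flags = $flags; Status = $status
    }
}

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # e.g. 32-bit Windows
    foreach ($clsid in $Clsids) { Get-KillBitStatus -Root $root -Clsid $clsid }
}
$results | Format-Table Status, Clsid, Flags, Root -AutoSize

# Non-zero exit lets a login script or management tool flag the host.
if ($results | Where-Object { $_.Status -ne 'SET' }) { exit 1 }
```

Save it as a .ps1 file and run it as a script; pasted into an interactive console, the final exit would close the session.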
For All WatchGuard Users:
Many of WatchGuard’s Firebox models ship with an HTTP proxy policy that you can configure to block ActiveX applets. Blocking these ActiveX applets could mitigate the risk of this unpatched vulnerability. However, doing so could also prevent some legitimate web sites from working properly. If you’d like to block ActiveX applets, here’s how:
§ For WFS administrators: If you don’t already have an HTTP proxy policy, add one. The WFS HTTP proxy blocks ActiveX by default. However, you can verify its settings by double-clicking your HTTP proxy policy and clicking Properties => Settings. In the HTTP Proxy dialog, make sure “Deny ActiveX applets” is checked. Finally, save these changes to your Firebox.
§ For Fireware administrators: You’ll have to create or adjust a custom proxy action based on the default HTTP-Client action in order to block ActiveX applets. In Fireware Policy Manager, click Setup => Actions => Proxies… If you already have a custom proxy action based on the HTTP-Client action, highlight it and select Edit. Otherwise, double-click the existing HTTP-Client action. In the proxy action configuration dialog, click on Body Content Types under the HTTP Response section. Click the Change View button then click Add. In the new rules dialog, give your rule a name, such as Block_ActiveX_applet_1. In the empty box next to Pattern Match, cut and paste the following pattern:
%0x5a4d00900003000000040000ffff0000%*
Finally, change the Action to Deny and click OK. Repeat those same steps to add a second pattern, except give this rule a different name, such as Block_ActiveX_applet_2. Cut and paste the following pattern into the new rule:
%0x4d53434600000000%*
Press OK twice and close the Proxy Actions window. Now you can apply this new proxy action to your HTTP policy to ensure that ActiveX applets are blocked. Make sure to save the configuration to your Firebox when you are finished.
Status:
Microsoft hasn’t had time to release a patch for this zero-day vulnerability. We will inform you when they do.