Microsoft Snapshot Viewer ActiveX control code execution (HTML_Access_Snapshot_Viewer_ActiveX)

About this signature or vulnerability

Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor:

This signature detects an attempt to instantiate the Microsoft Access Snapshot Viewer ActiveX control.


False positives

Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor: It is not possible to determine if this ActiveX control falls within normal, non-malicious usage for your environment. This signature will trigger when the ActiveX control or Class IDs are accessed.

False negatives

Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor: It is possible to evade this event by using obfuscation techniques.

Default risk level

High

Sensors that have this signature

Proventia Desktop: 2230, Proventia-G 1.1 and earlier: XPU 28.090, Proventia Network MFS: XPU 28.090, Proventia Network IPS: XPU 28.090, Proventia Server IPS for Linux technology: 28.090, BlackICE PC Protection: 3.6crc, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2230, Proventia Server IPS for Microsoft Windows technology: 2.0.300.2230, BlackICE Server Protection: 3.6.crc, RealSecure Network: XPU 28.090, RealSecure Server Sensor: XPU 28.090

Systems affected

Microsoft Access: 2000 sp3, Microsoft Access: 2002 sp3, Microsoft Access: 2003 sp2, Microsoft Snapshot Viewer, Microsoft Access: 2003 sp3

Type

Suspicious Activity

Vulnerability description

The Microsoft Snapshot Viewer ActiveX control (snapview.ocx) for Microsoft Access could allow a remote attacker to execute arbitrary code on the system. By persuading a victim to visit a specially crafted Web page that passes malicious data to the affected control, a remote attacker could exploit this vulnerability to download files and execute arbitrary code on the victim's system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-041. See References.

References

Microsoft Security Advisory (955179)
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/955179.mspx

Microsoft Web site
Snapshot Viewer for Microsoft Access
http://www.microsoft.com/downloads/details.aspx?FamilyID=b73df33f-6d74-423d-8274-8b7e6313edfb&displaylang=en

IBM Internet Security Systems Protection Alert July 7, 2008
Microsoft ActiveX Snapshot Viewer for Microsoft Access RCE
http://www.iss.net/threats/297.html

Microsoft Security Bulletin MS08-041
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)
http://www.microsoft.com/technet/security/bulletin/ms08-041.mspx

ISS X-Force
Microsoft Snapshot Viewer ActiveX control code execution
http://www.iss.net/security_center/static/43613.php

CVE
CVE-2008-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2463