BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, BlackICE Server Protection, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This signature detects an attempt to instantiate the Microsoft Access SnapShot ActiveX control.
It is not possible to determine if this ActiveX control falls within normal, non-malicious usage for your environment. This signature will trigger when the ActiveX control or Class IDs are accessed.
It is possible to evade this event by using obfuscation techniques.
High
BlackICE PC Protection: 3.6crc, RealSecure Server Sensor: XPU 28.090, RealSecure Network: XPU 28.090, Proventia Network MFS: XPU 28.090, Proventia-G 1.1 and earlier: XPU 28.090, Proventia Network IDS: XPU 28.090, BlackICE Server Protection: 3.6.crc, IBM Security Server Protection for Windows: 1.0.914.2230, IBM Security Server Protection for Windows: 2.0.300.2230, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Desktop: 2230, Proventia Network IPS: XPU 28.090, Proventia Server IPS for Linux technology: 28.090, Virtual Server Protection for VMware: 1.0
Microsoft Access: 2000 SP3, Microsoft Access: 2002 SP3, Microsoft Access: 2003 SP2, Microsoft Snapshot Viewer, Microsoft Access: 2003 SP3
Suspicious Activity
The Microsoft Snapshot Viewer ActiveX control (snapview.ocx) for Microsoft Access could allow a remote attacker to execute arbitrary code on the system. By persuading a victim to visit a specially-crafted Web page that passes malicious data to the affected control, a remote attacker could exploit this vulnerability to download files and execute arbitrary code on a victim's system with privileges of the victim.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-041. See References.
Microsoft Security Advisory (955179)
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/955179.mspx
Microsoft Web site
Snapshot Viewer for Microsoft Access
http://www.microsoft.com/downloads/details.aspx?FamilyID=b73df33f-6d74-423d-8274-8b7e6313edfb&displaylang=en
IBM Internet Security Systems Protection Alert July 7, 2008
Microsoft ActiveX Snapshot Viewer for Microsoft Access RCE
http://www.iss.net/threats/297.html
Microsoft Security Bulletin MS08-041
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)
http://www.microsoft.com/technet/security/bulletin/ms08-041.mspx
ISS X-Force
Microsoft Snapshot Viewer ActiveX control code execution
http://www.iss.net/security_center/static/43613.php
CVE
CVE-2008-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2463