Microsoft Snapshot Viewer ActiveX control code execution (HTML_Access_Snapshot_Viewer_ActiveX)

About this signature or vulnerability

BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, BlackICE Server Protection, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This signature detects an attempt to instantiate the Microsoft Access Snapshot Viewer ActiveX control.


False positives

BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, BlackICE Server Protection, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: The signature cannot determine whether use of this ActiveX control is normal, non-malicious usage for your environment. It triggers whenever the ActiveX control or its Class IDs are accessed.

False negatives

BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, BlackICE Server Protection, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: This event can be evaded by using obfuscation techniques.

Default risk level

High

Sensors that have this signature

BlackICE PC Protection: 3.6crc, RealSecure Server Sensor: XPU 28.090, RealSecure Network: XPU 28.090, Proventia Network MFS: XPU 28.090, Proventia-G 1.1 and earlier: XPU 28.090, Proventia Network IDS: XPU 28.090, BlackICE Server Protection: 3.6.crc, IBM Security Server Protection for Windows: 1.0.914.2230, IBM Security Server Protection for Windows: 2.0.300.2230, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Desktop: 2230, Proventia Network IPS: XPU 28.090, Proventia Server IPS for Linux technology: 28.090, Virtual Server Protection for VMware: 1.0

Systems affected

Microsoft Access: 2000 SP3, Microsoft Access: 2002 SP3, Microsoft Access: 2003 SP2, Microsoft Snapshot Viewer, Microsoft Access: 2003 SP3

Type

Suspicious Activity

Vulnerability description

The Microsoft Snapshot Viewer ActiveX control (snapview.ocx) for Microsoft Access could allow a remote attacker to execute arbitrary code on the system. By persuading a victim to visit a specially crafted Web page that passes malicious data to the affected control, a remote attacker could exploit this vulnerability to download files and execute arbitrary code on the victim's system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-041. See References.

References

Microsoft Security Advisory (955179)
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/955179.mspx

Microsoft Web site
Snapshot Viewer for Microsoft Access
http://www.microsoft.com/downloads/details.aspx?FamilyID=b73df33f-6d74-423d-8274-8b7e6313edfb&displaylang=en

IBM Internet Security Systems Protection Alert July 7, 2008
Microsoft ActiveX Snapshot Viewer for Microsoft Access RCE
http://www.iss.net/threats/297.html

Microsoft Security Bulletin MS08-041
Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)
http://www.microsoft.com/technet/security/bulletin/ms08-041.mspx

ISS X-Force
Microsoft Snapshot Viewer ActiveX control code execution
http://www.iss.net/security_center/static/43613.php

CVE
CVE-2008-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2463