Attackers pushing ActiveX control just to exploit it

Symantec has warned that the bad guys have started using drive-by downloads of a genuine Microsoft software component to open a security hole for subsequent exploitation.

The item in question is the Access Snapshot Viewer ActiveX control, which is the subject of a critical update that Microsoft plans to release next week.

The control allows reports created in Access to be displayed in Internet Explorer, even if Access itself is not installed.

Since the Viewer is signed by Microsoft, a web site can install the control without the user being aware that anything is happening. The vulnerability in the Snapshot Viewer then allows remote code execution.

According to Websense Security Labs, the vulnerability is easy to exploit.

While the Snapshot Viewer is not part of a normal Windows installation, it is part of Office 2000, 2002 and 2003, which means it is widely present. But the latest development means the flaw can potentially be exploited whether or not the control is already installed.

Both Symantec and Websense recommend setting the killbit for the control as advised by Microsoft on July 7.

The downside is that this will completely prevent the use of the control - even for legitimate purposes - until the new version is installed.
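
For administrators following the killbit recommendation above, this added example (not from the article or from Microsoft's advisory) audits and optionally sets the kill bit, which is the 0x400 bit of the `Compatibility Flags` value under Internet Explorer's `ActiveX Compatibility` registry key. The CLSID shown is a placeholder; take the Snapshot Viewer class identifiers from Microsoft's advisory.

```powershell
# Added example: audit (and optionally set) the IE kill bit for ActiveX CLSIDs.
# The CLSID at the bottom is a placeholder; use the values from Microsoft's advisory.
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a control

# Native and 32-bit-on-64-bit registry views; IE reads the one matching its own bitness.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        foreach ($root in $Roots) {
            if (-not (Test-Path $root)) { continue }   # WOW6432Node is absent on 32-bit Windows
            $key   = Join-Path $root $id
            $flags = 0                                  # a missing key or value means no flags set
            if (Test-Path -LiteralPath $key) {
                $p = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($p) { $flags = [int]$p.'Compatibility Flags' }
            }
            [pscustomobject]@{
                Clsid      = $id
                Key        = $key
                Value      = $flags
                Flags      = ('0x{0:X8}' -f $flags)
                KillBitSet = (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($state in Get-KillBitState -Clsid $Clsid) {
        if ($state.KillBitSet) { continue }
        if (-not (Test-Path -LiteralPath $state.Key)) { New-Item -Path $state.Key -Force | Out-Null }
        # OR the bit in so that any other compatibility flags already present are preserved.
        $new = $state.Value -bor $KillBit
        Set-ItemProperty -LiteralPath $state.Key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

$Clsids = @('{00000000-0000-0000-0000-000000000000}')   # placeholder, not a real control
Get-KillBitState -Clsid $Clsids | Format-Table Clsid, Flags, KillBitSet, Key -AutoSize
# Set-KillBit -Clsid $Clsids   # writes to HKLM, so run from an elevated prompt
```

Checking both registry views matters on 64-bit Windows, where a kill bit set only in the native view does not cover 32-bit Internet Explorer.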