Microsoft probing ActiveX attacks targeting Access feature
Microsoft issued a security advisory on Monday warning about targeted attacks being launched that exploit a hole in the ActiveX control for the Snapshot Viewer in the Microsoft Access database management system.
Basically, an attacker would have to lure a victim, via a link in an e-mail or IM for instance, to a specially crafted Web page that could exploit the security hole to allow remote code execution. This would provide the attacker with as much access to and rights on the computer as the logged-in user has.
The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, 2002 and 2003.
The ActiveX control, which allows a user to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access, ships with the standalone Snapshot Viewer and with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 run in a restricted mode known as Enhanced Security Configuration that sets the security level for the Internet zone to "high." This is a mitigating factor for Web sites that a user has not added to the Internet Explorer Trusted sites zone, according to Bill Sisk, security response communications manager for Microsoft.
In addition, a security feature in Internet Explorer can be set to prevent ActiveX controls from being loaded by the IE HTML-rendering engine, the advisory says.
Microsoft suggests that users adopt a workaround, such as configuring IE to disable Active Scripting or to prompt before running it, or setting Internet and local intranet security zone settings to "high" to prompt before running ActiveX Controls and Active Scripting.
Eventually, Microsoft may provide a security update for the vulnerability, according to the frequently-asked-questions section of the advisory.
"While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA (Microsoft Security Response Alliance) partners to help protect customers," Sisk says.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
B) 'Targeted' attack means that people have spent a great deal of effort to create the code necessary to result in the vulnerabilty.
C) Even people with online pseudos that include 'Penguin' (Linux nerds) openly admit they use MSFT products, "MSFT products for anything I deem important" - what is important?
D) A socially engineeed attack is useless with proper controls in place and user training. This will only likely affect the small company who has hired a few dolts and lacks an enforced security model.
E) All software can be targeted. Just happens more people use and know MS products.
F) If you compared usage of Linux related products to the total vulnerabilities found (vs. other products), you would have a lop-sided number showing how truly lacking those products are in overall security.
1. Whose bright idea was it to publicize a not-dealt-with security hole?
2. Why is Microsoft still running this outdated security nightmare?
3. The entire OS and program-software industry needs to shore up security without making the programs unusable!