Microsoft Warns of ActiveX Control Attacks in Access

Microsoft issued a security advisory specific to its database program in Microsoft Office. The exploit permits “limited targeted attacks leveraging a potential vulnerability in the ActiveX control” for certain components of Microsoft Access.

The problem, once again, is with a faulty ActiveX control. ActiveX is a Windows technology that works through IE and allows Web sites to add software to the user’s computer or interact with components in the Windows operating system. In this case, the insecure component is an ActiveX control called “Snapshot Viewer,” which ships with all versions of Microsoft Office 2000, Office 2002, and Office 2003. The flawed ActiveX control is also shipped with the standalone Snapshot Viewer.

The Snapshot Viewer interface component comprises a compound file binary format mechanism and is used by Access to store screen shots of data reports into usable files. Those files can be printed from the program and/or transferred to Excel, PowerPoint and other Office applications.

ActiveX is a component object model (COM) control used for data object transfer and processing within the Windows enterprise environment. It allows for object creation and editing in just about any computer programming language.

Microsoft has offered a workaround for this vulnerability via its enhanced security configuration mode, which is available by default in Internet Explorer programs sitting on Windows Server 2003 and Windows Server 2008 operating systems. The enhanced security configuration mode sets the security level for the Internet zone to “High.” It helps manage risks from Web sites that users have not pegged as “trusted,” as indicated in the Internet Explorer trusted sites zone settings file.

“We encourage affected customers to implement the manual work-arounds included in the Advisory, which Microsoft has tested,” Sisk said. “Although these work-arounds will not correct the underlying vulnerability, they help block known attack vectors.”

Source: Washington Post
