Microsoft has re-released a security bulletin with updates for Snapshot Viewer for Microsoft Access to address the Snapshot Viewer ActiveX control arbitrary file upload vulnerability.
Description
Microsoft Snapshot Viewer ActiveX control contains a vulnerability that could allow an unauthenticated, remote attacker to download arbitrary files on the affected system.
The vulnerability is due to an error in the Snapshot ActiveX control when processing user-supplied input for the snapshot filename. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to view an HTML document that contains a crafted filename. An exploit could allow the attacker to download arbitrary files to arbitrary locations on the affected system. This capability could lead to code execution with user privileges if the malicious file is downloaded into the startup directory for that user.
Functional exploit code is available to download an arbitrary file.
Microsoft has confirmed the vulnerability in a security bulletin and released updated software.
Warning Indicators
The following Microsoft products are vulnerable:
Microsoft Snapshot Viewer
Microsoft Access versions 2000 SP3 and prior
Microsoft Access versions 2002 SP3 and prior
Microsoft Access versions 2003 SP3 and prior
IntelliShield Analysis
To exploit this vulnerability, an attacker must convince a user to view a crafted HTML document while running a browser that supports ActiveX controls, such as Internet Explorer. An attacker may employ social engineering tactics, likely by providing the crafted document in an e-mail or another form of messaging. An exploit could allow the attacker to download arbitrary files to arbitrary locations on the affected system. This file download could allow code execution the next time the same user logs in if the malicious file is downloaded to the user's startup directory. Code execution would take place with the privileges of the affected user and could lead to a full system compromise if the user holds administrative rights.
This vulnerability is being exploited in the wild.
Event data from Cisco Remote Management Services has detected continued intrusion prevention system signature activity that is related to this vulnerability. The data, which was captured September 9, 2008, could indicate exploit attempts. This signature may also be triggered by benign activities.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in its August 2008 security bulletin. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, has been re-released at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for August 2008
Microsoft has resolved this vulnerability by improving the way the Office Snapshot Viewer ActiveX Control handles file saving.
Vendor Announcements
Microsoft has re-released a security bulletin at the following link: MS08-041
Microsoft has released a security advisory at the following link: 955179
US-CERT has released a vulnerability note at the following link: VU#837785
Impact
An unauthenticated, remote attacker could exploit this vulnerability to download files to arbitrary locations on the affected system with the privileges of the user. If a file is downloaded into the startup folder, code execution could take place the next time that user logs in to the system.
Technical Information
The vulnerability is due to an error in the Snapshot ActiveX control (snapview.ocx) when processing certain string values. The ActiveX control fails to properly sanitize user-supplied input passed to the SnapshotPath and CompressedPath properties. An attacker can use the SnapshotPath property to specify a file and the CompressedPath property to place a file in a known location.
An unauthenticated, remote attacker could exploit this vulnerability by crafting an HTML document and convincing a user to view the crafted document. An exploit could allow the attacker to download arbitrary files to the affected system in the security context of the user who is running the browser.
Safeguards
Administrators are advised to apply the appropriate updates.
Administrators may consider disabling ActiveX and Active Scripting for untrusted sites.
Administrators may consider setting the kill bit on the following CLSIDs:
Users are advised not to open e-mail from untrusted sources.
Users are advised not to follow unsolicited links. Users should verify the authenticity of an unexpected link from a trusted source prior to following it.
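To confirm that the kill-bit safeguard above has actually been applied, the following added example (not part of the original alert or of any vendor tooling) audits `reg export` text for the Internet Explorer "Compatibility Flags" kill bit (0x400). The CLSIDs are placeholders, because this alert does not list the real values, and the registry export is constructed sample data.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE from instantiating a control
# Matches both the native and the Wow6432Node view of the key.
COMPAT_KEY = r"\Internet Explorer\ActiveX Compatibility" + "\\"

# Placeholder CLSIDs (assumption): substitute the values from the vendor bulletin.
PLACEHOLDER_CLSIDS = ["{00000000-0000-0000-0000-00000000000%d}" % n for n in (1, 2, 3)]

# Constructed sample in `reg export` text format (not taken from a real host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020
"""

def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value from a .reg export."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.upper().find(COMPAT_KEY.upper())
            current = key[idx + len(COMPAT_KEY):].upper() if idx != -1 else None
        elif current:
            m = re.match(r'"Compatibility Flags"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                val = int(m.group(1), 16)
                # A CLSID seen in several views keeps only the bits common to all of them.
                flags[current] = flags.get(current, val) & val
    return flags

def audit_kill_bits(reg_text, clsids):
    """Return {clsid: 'set' | 'flags-without-kill-bit' | 'missing'}."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in clsids:
        value = flags.get(clsid.upper())
        report[clsid] = "missing" if value is None else (
            "set" if value & KILL_BIT else "flags-without-kill-bit")
    return report

if __name__ == "__main__":
    for clsid, state in audit_kill_bits(SAMPLE_EXPORT, PLACEHOLDER_CLSIDS).items():
        print(clsid, state)
```

Any result other than "set" means the control can still be instantiated by the browser on that host for that CLSID.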
Patches/Software
Microsoft has released updates at the following links:
Version 8, September 10, 2008, 4:31 PM: Cisco has re-released the Applied Mitigation Bulletin that addresses the Microsoft Security Bulletin for August 2008 due to continuing intrusion prevention system activity that is related to the Microsoft Snapshot Viewer ActiveX control arbitrary file upload vulnerability.
Version 7, August 27, 2008, 2:44 PM: Cisco has re-released the Applied Mitigation Bulletin that addresses the Microsoft Security Bulletin for August 2008 due to intrusion prevention system activity that is related to the Microsoft Snapshot Viewer ActiveX control arbitrary file upload vulnerability.
Version 6, August 20, 2008, 3:31 PM: Cisco has re-released the Applied Mitigation Bulletin that addresses the Microsoft Security Bulletin for August 2008 due to intrusion prevention system activity that is related to the Microsoft Snapshot Viewer ActiveX control arbitrary file upload vulnerability.
Version 5, August 15, 2008, 6:09 PM: Cisco has re-released the Applied Mitigation Bulletin that addresses the Microsoft Security Bulletin for August 2008 due to intrusion prevention system activity related to the Microsoft Snapshot Viewer ActiveX control arbitrary file upload vulnerability.
Version 4, August 12, 2008, 5:48 PM: Microsoft has released a security bulletin and updated software to address the Microsoft Snapshot Viewer ActiveX Control arbitrary file upload vulnerability.
Version 3, July 24, 2008, 3:44 PM: Additional technical information is available to describe the Microsoft Snapshot Viewer ActiveX control arbitrary file upload vulnerability.
Version 2, July 8, 2008, 3:32 PM: Cisco has released an Applied Mitigation Bulletin to address the Microsoft Snapshot Viewer ActiveX control arbitrary file upload vulnerability.
Version 1, July 7, 2008, 4:27 PM: Microsoft Snapshot Viewer contains a vulnerability in the ActiveX control that could allow an unauthenticated, remote attacker to download arbitrary files on the affected system. Updates are not available.