8th Jul '08

Security vulnerability in Microsoft ActiveX control

Click here to read more about SpamStopsHere, the e-mail security company that brings you this blog.

Microsoft released Microsoft Security Advisory 955179 to warn of a security vulnerability in its Snapshot Viewer ActiveX control. The Snapshot Viewer allows a person to use Microsoft Internet Explorer to view a report online that was generated in Microsoft Office Access without having Access installed.

Microsoft, which is best known for its operating systems, is also well known for having security vulnerabilities found and patched in those operating systems on a regular basis. While these vulnerabilities are dangerous, there are usually mitigating circumstances because many users of Microsoft’s operating systems perform regular operating system updates. The operating system is even capable of automating the update process. What is uncommon, however, is for Microsoft users to perform application updates.

As with a typical browser or browser plugin vulnerability, an attacker will usually need to lure the victim to a malicious web page that hosts the attack code designed to exploit the vulnerability. This is typically done by injecting the malicious code into a victim’s web site that already has regular visitors, by injecting browser redirects to a malicious site into a victim’s web site that already has regular visitors, or by bulk e-mailing the link to one of these sites to many potential victims.

An additional factor that makes this attack dangerous is that the vulnerable ActiveX control is signed by a Microsoft digital certificate, verifying its authenticity as a Microsoft compiled application. If users have their web browsers already set to trust Microsoft signed ActiveX controls, even if they don’t currently have the ActiveX control installed, the attackers could simply have the control automatically loaded by the victim’s browser. Exploiting this vulnerability would allow the attacker to execute code as the current local user, to steal information or potentially take control of the computer.

I would recommend that Microsoft Internet Explorer users disable Active Scripting and ensure that the browser doesn’t automatically trust applications signed by Microsoft’s digital certificate. Additionally, one should always operate under a user account that has the least privileges necessary. ActiveX applications also have a built-in failsafe for problems such as this, called a “kill bit”. Activating this failsafe allows a user to prevent a rogue application from ever running. Unfortunately, enabling this failsafe is not for the average computer user, but one can find instructions in the security advisory. Theoretically, Microsoft could enable this kill bit in an upcoming operating system update.
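What setting a kill bit involves, as an added PowerShell example that is not part of the original post or of the advisory: the kill bit is the 0x400 bit of the `Compatibility Flags` DWORD under Internet Explorer's `ActiveX Compatibility` registry key for the control's CLSID. The CLSID below is a placeholder (the real class identifiers are listed in the advisory), and the function names `Test-KillBit` and `Set-KillBit` are made up for this example.

```powershell
# Added example. Run from an elevated prompt; HKLM is not writable otherwise.
$KillBit = 0x00000400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit Internet Explorer on 64-bit Windows reads this registry view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # A missing key or value means no flags are set for the control.
    if (-not (Test-Path $Key)) { return 0 }
    $p = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { return $p.'Compatibility Flags' }
    return 0
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $key   = Join-Path $root $Clsid
        $flags = Get-CompatFlags $key
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not $PSCmdlet.ShouldProcess($key, 'Set kill bit')) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that other compatibility flags are preserved.
        $new = (Get-CompatFlags $key) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

$clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control
Test-KillBit -Clsid $clsid            # audit: is the control already blocked?
# Set-KillBit -Clsid $clsid -WhatIf   # preview the change; drop -WhatIf to apply
```

Running `Test-KillBit` again after the change confirms that both registry views report `KillBitSet = True`.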
