Microsoft warns of ActiveX attack targeting Access

No security update as yet

By Elinor Mills

Published: 8 July 2008 08:49 GMT

Microsoft issued a security advisory on Monday warning about targeted attacks that exploit a hole in the ActiveX control for the Snapshot Viewer in the Microsoft Access database-management system.

An attacker would have to lure a victim, via a link in an email for example, to a specially crafted web page that could exploit the security hole to allow remote code execution. This would provide the attacker with as much access to and rights on the computer as the logged-in user has.

The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, 2002 and 2003.

The ActiveX control, which allows a user to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access, ships with the standalone Snapshot Viewer and with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.

By default, Internet Explorer (IE) on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the internet zone to 'high'. This is a mitigating factor for websites that a user has not added to the Internet Explorer Trusted sites zone, according to Bill Sisk, security response communications manager for Microsoft.

In addition, a security feature in IE can be set to prevent ActiveX controls from being loaded by the IE HTML-rendering engine, the advisory states.

Microsoft suggested that users adopt a workaround, such as configuring IE to disable Active Scripting or to prompt before running it, or setting internet and local intranet security zone settings to 'high', to prompt before running ActiveX controls and Active Scripting.
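
A read-only PowerShell check for the zone-settings workaround described above, added here as an example and not taken from the article or Microsoft's advisory. It assumes the standard Internet Settings registry layout and that a value set under the Policies hives overrides the user's own preference.

```powershell
# Added example: report whether the Internet and Local intranet zones
# prompt for or disable ActiveX controls and Active Scripting.
# URL action 1200 = run ActiveX controls and plug-ins, 1400 = Active Scripting.
# Setting values: 0 = enable, 1 = prompt, 3 = disable.
$sub = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Checked in this order; the first hive that defines the value is reported.
# Assumption: machine policy outranks user policy, which outranks user preference.
$hives   = "HKLM:\SOFTWARE\Policies\$sub", "HKCU:\Software\Policies\$sub", "HKCU:\Software\$sub"
$zones   = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$actions = @{ '1200' = 'Run ActiveX controls'; '1400' = 'Active Scripting' }
$names   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting([string]$Zone, [string]$Action) {
    foreach ($hive in $hives) {
        $props = Get-ItemProperty -Path (Join-Path $hive $Zone) -ErrorAction SilentlyContinue
        if ($props -and $null -ne $props.$Action) {
            return New-Object PSObject -Property @{ Value = [int]$props.$Action; Source = $hive }
        }
    }
    return $null   # not set in any hive: the zone's built-in default applies
}

function Get-IEWorkaroundStatus {
    foreach ($z in ($zones.Keys | Sort-Object)) {
        foreach ($a in ($actions.Keys | Sort-Object)) {
            $s = Get-ZoneSetting $z $a
            $state = if ($s -and $names.ContainsKey($s.Value)) { $names[$s.Value] }
                     elseif ($s) { "Other ($($s.Value))" }
                     else { 'Not set' }
            New-Object PSObject -Property @{
                Zone            = $zones[$z]
                Action          = $actions[$a]
                State           = $state
                Source          = if ($s) { $s.Source } else { '' }
                # The workaround is met when the action prompts (1) or is disabled (3).
                MeetsWorkaround = [bool]($s -and (1, 3) -contains $s.Value)
            }
        }
    }
}

Get-IEWorkaroundStatus | Format-Table Zone, Action, State, MeetsWorkaround, Source -AutoSize
```

A row reported as "Not set" means no explicit value was found, so the result depends on the security level template applied to that zone and should be confirmed in the IE security settings dialog.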

Eventually, Microsoft may provide a security update for the vulnerability, according to the FAQs section of the advisory.

Sisk said: "While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA [Microsoft Security Response Alliance] partners to help protect customers."

Original article: Microsoft probing ActiveX attacks targeting Access feature from CNET News.com
