Launch Printer Friendly Page Security TechCenter > > Microsoft Security Bulletin MS08-041

Microsoft Security Bulletin MS08-041 - Critical

Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)

Published: | Updated:

Version: 2.1

General Information

Executive Summary

This security update resolves a privately reported vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

This security update is rated Critical for the Snapshot Viewer for Microsoft Access and for supported versions of Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The security update addresses the vulnerability by correcting an error in the Microsoft Access Snapshot Viewer control. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 955179.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Office and Other SoftwareComponentMaximum Security ImpactAggregate Severity RatingBulletins Replaced by this Update
Snapshot Viewer for Microsoft Access
(KB957198)
Not applicableRemote Code ExecutionCriticalMS03-038
Microsoft Office 2000 Service Pack 3Microsoft Office Access 2000 Service Pack 3
(KB955441)
Remote Code ExecutionCriticalMS03-038
Microsoft Office XP Service Pack 3Microsoft Office Access 2002 Service Pack 3
(KB955440)
Remote Code ExecutionCriticalMS03-038
Microsoft Office 2003 Service Pack 2 and Microsoft Office 2003 Service Pack 3Microsoft Office Access 2003 Service Pack 2 and Microsoft Office Access 2003 Service Pack 3
(KB955439)
Remote Code ExecutionCriticalNone

Non-Affected Software

Office and Other SoftwareComponent
2007 Microsoft Office System and 2007 Microsoft Office System Service Pack 1Microsoft Office Access 2007 and Microsoft Office Access 2007 Service Pack 1

Frequently Asked Questions (FAQ) Related to This Security Update

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

Snapshot Viewer Arbitrary File Download Vulnerability - CVE-2008-2463

Update Information

Detection and Deployment Tools and Guidance

Security Update Deployment

Other Information

Support

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 12, 2008): Bulletin published.
  • V2.0 (October 14, 2008): Bulletin revised to include the update for standalone Snapshot Viewer for Microsoft Access.
  • V2.1 (October 15, 2008): Added reference to Microsoft Knowledge Base Article (KB957198) for SnapShot Viewer for Microsoft Access. Also, clarified that users who have successfully installed the update for Microsoft Office 2000 Service Pack 3, Office XP Service Pack 2, or Office 2003 Service Pack 2 or Office 2003 Service Pack 3 do not need to reinstall the update for the standalone Snapshot Viewer for Microsoft Access.