Export (0) Print
Expand All

Microsoft Security Bulletin MS03-038 - Moderate

Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)

Published: September 03, 2003 | Updated: September 04, 2003

Version: 1.1

Originally posted: September 3, 2003
Updated: September 4, 2003

Summary

Who should read this bulletin:
Customers who use Microsoft® Access or who use the downloadable Microsoft Access Snapshot Viewer

Impact of vulnerability:
Allow an attacker to execute code of their choice

Maximum Severity Rating:
Moderate

Recommendation:
Customers who use Microsoft Access or who use the downloadable Microsoft Access Snapshot Viewer should install the security patch at their earliest opportunity.

End User Bulletin:
An end user version of this bulletin is available at:

http://www.microsoft.com/athome/security/update/bulletins/default.mspx.

Affected Software:

  • Microsoft Access 97
  • Microsoft Access 2000
  • Microsoft Access 2002

General Information

Technical description:

With Microsoft Access Snapshot Viewer, you can distribute a snapshot of a Microsoft Access database that allows the snapshot to be viewed without having Access installed. For example, a customer may want to send a supplier an invoice that is generated by using an Access database. With Microsoft Access Snapshot Viewer, the customer can package the database so that the supplier can view it and print it without having Access installed. The Microsoft Access Snapshot Viewer is available with all versions of Access - though it is not installed by default - and is also available as a separate stand-alone download. The Snapshot Viewer is implemented by using an ActiveX control.

A vulnerability exists because of a flaw in the way that Snapshot Viewer validates parameters. Because the parameters are not correctly checked, a buffer overrun can occur, which could allow an attacker to execute the code of their choice in the security context of the logged-on user.

For an attack to be successful, an attacker would have to persuade a user to visit a malicious Web site that is under the attacker's control.

Mitigating factors:

  • The Microsoft Access Snapshot Viewer is not installed with Microsoft Office by default.
  • An attacker would need to persuade a user to visit a website under the attacker's control for an attack to be successful.
  • An attacker's code would run with the same permissions as the user. If a user's permissions were restricted the attacker would be similarly restricted.

Severity Rating:

Microsoft Access (all versions) Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0665

Tested Versions:

Microsoft tested Access 2002, Access 2000, and Access 97 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could run programs on another user's system. Such a program could take any action that the user could take, such as adding, changing, or deleting any data or configuration information. For example, the code could lower the security settings in the browser or write a file to the hard disk. Because the code would run as the user and not as the operating system, any security limitations on the user's account would also be applicable to any code that is run by successfully exploiting this vulnerability. In environments where user accounts are restricted, such as enterprise environments, the actions that an attacker's code could take would be limited by these restrictions.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the ActiveX control that Microsoft Access Snapshot Viewer uses. By invoking a specific function in a particular manner, an attacker could overflow the buffer and gain the ability to run code in the user's security context.

What is the Microsoft Access Snapshot Viewer?
The Microsoft Access Snapshot Viewer, you can distribute a snapshot of a Microsoft Access database that allows the snapshot to be viewed without having Access installed. For example, a customer may want to send a supplier an invoice that is generated by using an Access database-the Snapshot viewer would allow the customer to package the database. With Microsoft Access Snapshot Viewer, the supplier can view it and print it without having Access installed.
The Microsoft Access Snapshot Viewer is available with all versions of Microsoft Office - though it is not installed by default - and is also available as a separate stand-alone download. The Snapshot Viewer is implemented by using an ActiveX control.

What is an ActiveX control?
ActiveX is a technology that allows developers to deploy programs in a small, self-contained way. These programs are called controls and can be used by Web pages, Visual Basic programs, or other applications.
ActiveX controls can be distributed in several ways, including installing with software products or being offered for download from a Web site. Regardless of how a user installs an ActiveX control, after it is installed and registered on the user's system it is fully functional and available to the user.

How could I get the ActiveX control that Microsoft Access Snapshot Viewer uses?
There are several ways to get the Microsoft Access Snapshot Viewer:

  • It is included with all supported versions of Access - however it is not installed by default.
  • It is available as a separate stand-alone download so that customers who do not have Access installed can view Access database snapshots.

What is wrong with the ActiveX control that Microsoft Access Snapshot Viewer uses?
There is an unchecked buffer in one of the functions that handles the input of certain parameters to the control.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run the code of their choice on a user's system with the same level of permissions as the user. This could allow the attacker to carry out any action that the user can carry out, such as adding, changing, or deleting data, communicating with a Web site, or formatting the hard disk.

How could an attacker exploit the vulnerability?
There are several ways that an attacker could exploit the vulnerability:

  • The attacker could host a page on a Web site that that they control. If a user visited the site and opened the Web page, the page would try to invoke the control.
  • The attacker could send a link to a malicious Web page in an e-mail message. If the recipient clicked the link, the Web page would try to invoke a control on the malicious Web site.

Could the old control still be downloaded?
If an attacker has cached the old vulnerable control and is hosting it on a site that is under their control, the control could be reintroduced to a user's system. However, an attacker would have to persuade a user to visit a malicious Web site that is under their control for the user to download the old control.
To remove the ability for the old control to be reintroduced on a user's system, a kill bit will be issued for the old control in a forthcoming Internet Explorer security patch.

What is a kill bit?
There is a security feature in Microsoft Internet Explorer that makes it possible to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML-rendering engine. This is done by a making a registry setting and is referred to as setting the kill bit. After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless. For more information about this feature, see the following Microsoft Knowledge Base article: 240797.

What does the patch do?
The patch eliminates the vulnerability by making sure that the Microsoft Access Snapshot Viewer ActiveX control correctly validates the parameters that are sent to the affected function. Additionally, the stand-alone download for Microsoft Access Snapshot Viewer has been updated with the same revised version of the ActiveX control.

Download locations for this patch

Additional information about this patch

Installation platforms:

  • The Microsoft Access 2002 patch can be installed on systems running Microsoft Access 2002 with Office XP Service Pack 2 (The administrative update can be installed on systems running Office XP Service Pack 1 as well).
  • The Microsoft Access 2000 patch can be installed on systems running Microsoft Access 2000 with Office 2000 Service Pack 3.
  • The updated updated stand-alone Snapshot Viewer control can be installed on all supported systems.

    Inclusion in future service packs:

    The fix for this issue will be included in any future service packs that are released for the affected products.

    Reboot needed: No

    Patch can be uninstalled: No

    Superseded patches: None.

    Verifying patch installation:

    • For all versions of Access, verify that the version number of the Snapview.ocx file is 10.0.5529.0.

    Caveats:

    None

    Localization:

    Localized versions of this patch are available at the locations discussed in "Patch Availability".

    Obtaining other security patches:

    Patches for other security issues are available from the following locations:

    • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
    • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks  Oliver Lavery for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 827104 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (September 3, 2003): Bulletin published.
  • V1.1 (September 4, 2003): Updated Download Link.

Built at 2014-04-18T13:49:36Z-07:00

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft