An ActiveX control used to view Microsoft Access report snapshots poses a potential avenue for exploitation.
Microsoft confirmed the existence of a flaw in one of its complementary products. Advisory 955179 highlighted the issue with the ActiveX control for the Snapshot Viewer for Microsoft Access.
The flaw leaves unprotected users at risk from specially crafted web pages designed to exploit it. If attacked, people run the risk of arbitrary code being executed on their machines.
“The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003,” Microsoft said.
“The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.”
US CERT said it knows of no “practical solution” for the problem. Instead, people may wish to try disabling the problematic ActiveX control by setting its kill bit in the registry. Such changes should be undertaken only by people who are comfortable with backing up and editing the Windows registry.
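The kill-bit workaround described above can be scripted. This is an added example, not code from Microsoft or US CERT. It backs up the ActiveX Compatibility key, sets the kill bit and reads it back. The CLSID shown is a placeholder, because this article does not list the control's identifiers; take them from Advisory 955179. The function names are illustrative.

```powershell
# Added example: back up, set and verify an ActiveX kill bit.
# Run from an elevated PowerShell prompt.
# PLACEHOLDER CLSID: replace with the value(s) listed in Microsoft Advisory 955179.
$Clsids  = @('{00000000-0000-0000-0000-000000000000}')
$KillBit = 0x400   # Compatibility Flags bit that stops Internet Explorer instantiating the control
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit Internet Explorer on 64-bit Windows reads this view instead
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Backup-Root {
    param([string]$Root, [string]$Directory)
    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $native = $Root -replace '^HKLM:\\', 'HKLM\'
    $tag    = if ($Root -like '*Wow6432Node*') { 'wow64' } else { 'native' }
    $file   = Join-Path $Directory "activex-compat-$tag.reg"
    & reg.exe export $native $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $native failed; nothing was changed." }
    return $file
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = "$Root\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    # Keep any flags already present and OR the kill bit into them.
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $old  = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($old -bor $KillBit) `
        -PropertyType DWord -Force | Out-Null
    # Read the value back rather than trusting the write.
    $now = [int](Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags').'Compatibility Flags'
    return [pscustomobject]@{
        Key = $key; Before = $old; After = $now; Killed = [bool]($now -band $KillBit)
    }
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # Wow6432Node is absent on 32-bit Windows
    Write-Host "Backup written to $(Backup-Root -Root $root -Directory $env:TEMP)"
    foreach ($clsid in $Clsids) { Set-KillBit -Root $root -Clsid $clsid }
}
```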
Running as a user with reduced privileges may mitigate the impact of an exploit until the vulnerability is patched. However, Microsoft offered no guarantee that running with limited rights will completely protect against potential exploits against this vulnerability.
The recent holiday weekend also proved difficult for security on another front. Security vendor Symantec said it had blocked 3.5 million junk emails with 4th of July themes.
Since the Microsoft vulnerability could be exploited through an emailed link, people should continue to toss out suspicious emails, even from known senders, and avoid clicking links in messages.