6.8 - TA08-189A

Executive Summary

Summary
Title	Microsoft Office Snapshot Viewer ActiveX Vulnerability

Informations
Name	TA08-189A	First vendor Publication	2008-07-07
Vendor	US-CERT	Last vendor Modification	2008-07-07
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score	6.8	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

An unpatched vulnerability in the Microsoft Office Snapshot Viewer ActiveX control is being used in attacks.

I. Description

Microsoft has released Security Advisory (955179) to describe attacks on a vulnerability in the Microsoft Office Snapshot Viewer ActiveX control.
Because no fix is currently available for this vulnerability, please see the Security Advisory and US-CERT Vulnerability Note VU#837785 for workarounds.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code.

III. Solution

Apply workarounds

Microsoft has provided workarounds for this vulnerability in Security Advisory (955179). Additional details and workarounds are provided in US-CERT Vulnerability Note VU#837785.

The most effective workaround for this vulnerability is to set kill bits for the Snapshot Viewer ActiveX control, as outlined in the documents noted above. Other workarounds include disabling ActiveX, as specified in the Securing Your Web Browser document, and upgrading to Internet Explorer 7, which can help mitigate the vulnerability with its ActiveX opt-in feature.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA08-189A.html

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-94	Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6120

Oval ID:	oval:org.mitre.oval:def:6120
Title:	Snapshot Viewer Arbitrary File Download Vulnerability
Description:	The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 10.0.5529.0, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message, probably involving use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method. NOTE: this can be leveraged for code execution by writing to a Startup folder.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2008-2463	Version:	6
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003	Product(s):	Microsoft Access 2000 Microsoft Access 2002 Microsoft Access 2003
Definition Synopsis:
IF Access 2000 SP3 or greater is installed AND Access 2002 SP3 or greater is installed AND Access 2003 SP2 or greater is installed AND Snapview.ocx version is less than 11.0.8228.0

CPE : Common Platform Enumeration

Type	Description	Count
Application	Microsoft Office Snapshot Viewer Activex cpe:2.3:a:microsoft:office_snapshot_viewer_activex:office2000:::::::* cpe:2.3:a:microsoft:office_snapshot_viewer_activex:office_xp:::::::* cpe:2.3:a:microsoft:office_snapshot_viewer_activex:office_2003:::::::*	3

SAINT Exploits

Description	Link
Microsoft Access Snapshot Viewer file download vulnerability	More info here

OpenVAS Exploits

Date	Description
2008-08-19	Name : Microsoft Access Snapshot Viewer ActiveX Control Vulnerability File : nvt/secpod_ms_access_snapshot_viewer_actvx_vuln_900004.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
46749	Microsoft Access Snapshot Viewer ActiveX (snapview.ocx) PrintSnapshot Method ... A code execution flaw exists in Office. The Access Snapshot Viewer ActiveX control fails to validated unspecified content when saving files resulting in a code execution. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

Information Assurance Vulnerability Management (IAVM)

Date	Description
2008-08-14	IAVM : 2008-A-0056 - Microsoft Office Access Snapshot Viewer ActiveX Control Vulnerability Severity : Category I - VMSKEY : V0016740

Snort® IPS/IDS

Date	Description
2014-01-10	Snapshot Viewer General Property Page Object ActiveX clsid unicode access RuleID : 7982 - Revision : 11 - Type : WEB-ACTIVEX
2014-01-10	Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 7981 - Revision : 19 - Type : BROWSER-PLUGINS
2017-08-23	Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 43606 - Revision : 3 - Type : BROWSER-PLUGINS
2017-08-23	Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 43605 - Revision : 2 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer ActiveX function call access RuleID : 27793 - Revision : 3 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 27792 - Revision : 4 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 27791 - Revision : 4 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 27790 - Revision : 4 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 27789 - Revision : 4 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer ActiveX function call access RuleID : 27788 - Revision : 3 - Type : BROWSER-PLUGINS
2014-01-10	Eleanore exploit kit post-exploit page request RuleID : 21071 - Revision : 5 - Type : EXPLOIT-KIT
2014-01-10	Eleanore exploit kit pdf exploit page request RuleID : 21070 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10	Eleanore exploit kit exploit fetch request RuleID : 21069 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10	Eleanore exploit kit landing page RuleID : 21068 - Revision : 4 - Type : EXPLOIT-KIT
2014-01-10	Microsoft Access Snapshot Viewer 2 ActiveX function call unicode access RuleID : 13910 - Revision : 7 - Type : WEB-ACTIVEX
2014-01-10	Microsoft Access Snapshot Viewer 2 ActiveX function call access RuleID : 13909 - Revision : 7 - Type : WEB-ACTIVEX
2014-01-10	Microsoft Access Snapshot Viewer 2 ActiveX clsid unicode access RuleID : 13908 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10	Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 13907 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer 1 ActiveX function call unicode access RuleID : 13906 - Revision : 9 - Type : WEB-ACTIVEX
2014-01-10	Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 13905 - Revision : 18 - Type : BROWSER-PLUGINS
2014-01-10	Microsoft Access Snapshot Viewer 1 ActiveX clsid unicode access RuleID : 13904 - Revision : 8 - Type : WEB-ACTIVEX
2014-01-10	Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 13903 - Revision : 15 - Type : BROWSER-PLUGINS

Nessus® Vulnerability Scanner

Date	Description
2008-08-13	Name : Arbitrary code can be executed on the remote host through the web client. File : smb_nt_ms08-041.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	1
CPE ID(s)	3
Saint Exploit(s)	1
osvdb(s)	1
Openvas Exploit(s)	1
IAVM(s)	1
Snort® Rule(s)	22
Nessus® Exploit(s)	1

	Related
6.8	VU#837785
6.8	KB955179
6.8	CVE-2008-2463
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)