[Full-Disclosure] Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)

From: Irwan Hadi (irwanhadi_at_phxby.com)
Date: 09/03/03

    To: full-disclosure@lists.netsys.com
    Date: Wed, 3 Sep 2003 14:11:34 -0600
    
    

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-038.asp

        
    Microsoft Security Bulletin MS03-038

    Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code
    Execution (827104)
    Originally posted: September 3, 2003

    Summary
    Who should read this bulletin: Customers who use Microsoft® Access or
    who use the downloadable Microsoft Access Snapshot Viewer

    Impact of vulnerability: Allow an attacker to execute code of their
    choice

    Maximum Severity Rating: Moderate

    Recommendation: Customers who use Microsoft Access or who use the
    downloadable Microsoft Access Snapshot Viewer should install the
    security patch at their earliest opportunity.

    End User Bulletin:
    An end user version of this bulletin is available at:

    http://www.microsoft.com/security/security_bulletins/ms03-038.asp.

    Affected Software:

    Microsoft Access 97
    Microsoft Access 2000
    Microsoft Access 2002

     Technical details
    Technical description:

    With Microsoft Access Snapshot Viewer, you can distribute a snapshot of
    a Microsoft Access database that allows the snapshot to be viewed
    without having Access installed. For example, a customer may want to
    send a supplier an invoice that is generated by using an Access
    database. With Microsoft Access Snapshot Viewer, the customer can
    package the database so that the supplier can view it and print it
    without having Access installed. The Microsoft Access Snapshot Viewer is
    available with all versions of Access - though it is not installed by
    default - and is also available as a separate stand-alone download. The
    Snapshot Viewer is implemented by using an ActiveX control.

    A vulnerability exists because of a flaw in the way that Snapshot Viewer
    validates parameters. Because the parameters are not correctly checked,
    a buffer overrun can occur, which could allow an attacker to execute the
    code of their choice in the security context of the logged-on user.

    For an attack to be successful, an attacker would have to persuade a
    user to visit a malicious Web site that is under the attacker's control.

    Mitigating factors:

    The Microsoft Access Snapshot Viewer is not installed with Microsoft
    Office by default.
    An attacker would need to persuade a user to visit a website under the
    attacker's control for an attack to be successful.
    An attacker's code would run with the same permissions as the user. If a
    user's permissions were restricted the attacker would be similarly
    restricted.
    Severity Rating: Microsoft Access (all versions) Moderate
    The above assessment is based on the types of systems affected by the
    vulnerability, their typical deployment patterns, and the effect that
    exploiting the vulnerability would have on them.

    Vulnerability identifier: CAN-2003-0665

    Tested Versions:
    Microsoft tested Access 2002, Access 2000, and Access 97 to assess
    whether they are affected by this vulnerability. Previous versions are
    no longer supported and may or may not be affected by this
    vulnerability.

     Frequently asked questions
    What's the scope of the vulnerability?

    This is a buffer overrun vulnerability. An attacker who successfully
    exploited this vulnerability could run programs on another user's
    system. Such a program could take any action that the user could take,
    such as adding, changing, or deleting any data or configuration
    information. For example, the code could lower the security settings in
    the browser or write a file to the hard disk. Because the code would run
    as the user and not as the operating system, any security limitations on
    the user's account would also be applicable to any code that is run by
    successfully exploiting this vulnerability. In environments where user
    accounts are restricted, such as enterprise environments, the actions
    that an attacker's code could take would be limited by these
    restrictions.

    What causes the vulnerability?

    The vulnerability results because of an unchecked buffer in the ActiveX
    control that Microsoft Access Snapshot Viewer uses. By invoking a
    specific function in a particular manner, an attacker could overflow the
    buffer and gain the ability to run code in the user's security context.

    What is the Microsoft Access Snapshot Viewer?

    With the Microsoft Access Snapshot Viewer, you can distribute a snapshot
    of a Microsoft Access database that allows the snapshot to be viewed
    without having Access installed. For example, a customer may want to send
    a supplier an invoice that is generated by using an Access database. The
    Snapshot Viewer would allow the customer to package the database. With
    Microsoft Access Snapshot Viewer, the supplier can view it and print it
    without having Access installed.

    The Microsoft Access Snapshot Viewer is available with all versions of
    Microsoft Office - though it is not installed by default - and is also
    available as a separate stand-alone download. The Snapshot Viewer is
    implemented by using an ActiveX control.

    What is an ActiveX control?

    ActiveX is a technology that allows developers to deploy programs in a
    small, self-contained way. These programs are called controls and can be
    used by Web pages, Visual Basic programs, or other applications.

    ActiveX controls can be distributed in several ways, including
    installing with software products or being offered for download from a
    Web site. Regardless of how a user installs an ActiveX control, after it
    is installed and registered on the user's system it is fully functional
    and available to the user.

    How could I get the ActiveX control that Microsoft Access Snapshot
    Viewer uses?

    There are several ways to get the Microsoft Access Snapshot Viewer:

    It is included with all supported versions of Access - however it is not
    installed by default.
    It is available as a separate stand-alone download so that customers who
    do not have Access installed can view Access database snapshots.

    What is wrong with the ActiveX control that Microsoft Access Snapshot
    Viewer uses?

    There is an unchecked buffer in one of the functions that handles the
    input of certain parameters to the control.

    What could this vulnerability enable an attacker to do?

    This vulnerability could enable an attacker to run the code of their
    choice on a user's system with the same level of permissions as the
    user. This could allow the attacker to carry out any action that the
    user can carry out, such as adding, changing, or deleting data,
    communicating with a Web site, or formatting the hard disk.

    How could an attacker exploit the vulnerability?

    There are several ways that an attacker could exploit the vulnerability:

    The attacker could host a page on a Web site that they control. If
    a user visited the site and opened the Web page, the page would try to
    invoke the control.
    The attacker could send a link to a malicious Web page in an e-mail
    message. If the recipient clicked the link, the Web page would try to
    invoke a control on the malicious Web site.

    Could the old control still be downloaded?

    If an attacker has cached the old vulnerable control and is hosting it
    on a site that is under their control, the control could be reintroduced
    to a user's system. However, an attacker would have to persuade a user
    to visit a malicious Web site that is under their control for the user
    to download the old control.

    To remove the ability for the old control to be reintroduced on a user's
    system, a kill bit will be issued for the old control in a forthcoming
    Internet Explorer security patch.

    What is a kill bit?

    There is a security feature in Microsoft Internet Explorer that makes it
    possible to prevent an ActiveX control from ever being loaded by the
    Internet Explorer HTML-rendering engine. This is done by making a
    registry setting and is referred to as setting the kill bit. After the
    kill bit is set, the control can never be loaded, even when it is fully
    installed. Setting the kill bit makes sure that even if a vulnerable
    component is introduced or is re-introduced to a system, it remains
    inert and harmless. For more information about this feature, see the
    following Microsoft Knowledge Base article: 240797.

    What does the patch do?

    The patch eliminates the vulnerability by making sure that the Microsoft
    Access Snapshot Viewer ActiveX control correctly validates the
    parameters that are sent to the affected function. Additionally, the
    stand-alone download for Microsoft Access Snapshot Viewer has been
    updated with the same revised version of the ActiveX control.

    Patch availability
    Download locations for this patch

    Access 2002:
    http://microsoft.com/downloads/details.aspx?FamilyId=B50D4863-1BBE-4009-9DF8-52D3A916D54F&displaylang=en

    http://microsoft.com/office/ork/xp/journ/snpv1001a.htm (administrative
    update only)

    Access 2000:
    http://microsoft.com/downloads/details.aspx?FamilyId=F6CB9C8E-16E3-422D-86DD-7ED5671FB8D4&displaylang=en.

    http://microsoft.com/office/ork/2000/journ/snpv0901.htm (administrative
    update only)

    Access 97:
    Install the updated stand-alone Snapshot Viewer control. To do so, visit
    the following Microsoft Web site:
    http://www.microsoft.com/AccessDev/Articles/snapshot.htm

    Stand-alone Snapshot Viewer Control:
    http://www.microsoft.com/AccessDev/Articles/snapshot.htm

     Additional information about this patch
    Installation platforms:
    The Microsoft Access 2002 patch can be installed on systems running
    Microsoft Access 2002 with Office XP Service Pack 2 (The administrative
    update can be installed on systems running Office XP Service Pack 1 as
    well).
    The Microsoft Access 2000 patch can be installed on systems running
    Microsoft Access 2000 with Office 2000 Service Pack 3.
    The updated stand-alone Snapshot Viewer control can be installed
    on all supported systems.
    Inclusion in future service packs:
    The fix for this issue will be included in any future service packs that
    are released for the affected products.

    Reboot needed: No

    Patch can be uninstalled: No

    Superseded patches: None.

    Verifying patch installation:

    For all versions of Access, verify that the version number of the
    Snapview.ocx file is 10.0.5529.0.
    Caveats:
    None

    Localization:
    Localized versions of this patch are available at the locations
    discussed in "Patch Availability".

    Obtaining other security patches:
    Patches for other security issues are available from the following
    locations:

    Security patches are available from the Microsoft Download Center, and
    can be most easily found by doing a keyword search for "security_patch".
    Patches for consumer platforms are available from the WindowsUpdate web
    site
    Other information:
    Acknowledgments
    Microsoft thanks Oliver Lavery for reporting this issue to us and
    working with us to protect customers.

    Support:

    Microsoft Knowledge Base article 827104 discusses this issue and will be
    available approximately 24 hours after the release of this bulletin.
    Knowledge Base articles can be found on the Microsoft Online Support web
    site.
    Technical support is available from Microsoft Product Support Services.
    There is no charge for support calls associated with security patches.
    Security Resources: The Microsoft TechNet Security Web Site provides
    additional information about security in Microsoft products.

    Disclaimer:
    The information provided in the Microsoft Knowledge Base is provided "as
    is" without warranty of any kind. Microsoft disclaims all warranties,
    either express or implied, including the warranties of merchantability
    and fitness for a particular purpose. In no event shall Microsoft
    Corporation or its suppliers be liable for any damages whatsoever
    including direct, indirect, incidental, consequential, loss of business
    profits or special damages, even if Microsoft Corporation or its
    suppliers have been advised of the possibility of such damages. Some
    states do not allow the exclusion or limitation of liability for
    consequential or incidental damages so the foregoing limitation may not
    apply.

    Revisions:

    V1.0 (September 3, 2003): Bulletin published.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
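
The two checks the bulletin describes, the Snapview.ocx version from "Verifying patch installation" and the kill bit from the FAQ, as an added PowerShell example that is not part of the original post or of Microsoft's bulletin. The file path and CLSID are placeholders (the bulletin gives neither), the registry location and 0x400 flag are those documented in Knowledge Base article 240797, and treating builds later than 10.0.5529.0 as patched is an assumption.

```powershell
# Added example; not Microsoft's code. Requires PowerShell 5 or later.
$FixedVersion = [version]'10.0.5529.0'  # from "Verifying patch installation"
$KillBitFlag  = 0x400                   # "Compatibility Flags" kill-bit value (KB 240797)
$CompatRoots  = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-SnapviewPatched {
    param([Parameter(Mandatory)][string]$Path)
    $info = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Build the version from the numeric fields; the FileVersion string can hold free text.
    $found = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                            $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path    = $Path
        Version = $found
        # Assumption: builds later than the bulletin's version also carry the fix.
        Patched = ($found -ge $FixedVersion)
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)   # form: '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }  # no WOW6432Node on 32-bit Windows
        $key   = Join-Path $root $Clsid
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            KillBitSet = [bool]($flags -band $KillBitFlag)
        }
    }
}

# Placeholders: supply the real file location and the control's CLSID.
$OcxPath = 'C:\path\to\Snapview.ocx'
$Clsid   = '{00000000-0000-0000-0000-000000000000}'

if (Test-Path -LiteralPath $OcxPath) {
    Test-SnapviewPatched -Path $OcxPath
} else {
    Write-Warning "Snapview.ocx not found at $OcxPath (the viewer is not installed by default)."
}
Test-KillBit -Clsid $Clsid
```

A host where `Patched` is true but `KillBitSet` is false for the old control's CLSID is in the state the bulletin describes before the forthcoming Internet Explorer patch: the installed control is fixed, but the old one could still be reintroduced.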

