Snapshot Viewer ActiveX Exploit In The Wild
08.01.2008 - 2:29 PM

We've been closely monitoring this exploit since its release, and are now tracking several hundred occurrences in the wild, found mostly in China. There is currently no patch available, but Microsoft has several workarounds listed in their advisory. We recommend setting the killbit for this ActiveX control on all workstations where it is installed.
Vulnerable ActiveX CLSIDs:
- F0E42D50-368C-11D0-AD81-00A0C90DC8D9
- F0E42D60-368C-11D0-AD81-00A0C90DC8D9
- F2175210-368C-11D0-AD81-00A0C90DC8D9
This vulnerability is a simple design flaw, and does not require any complicated exploit code. Attackers are able to compromise remote systems simply by calling methods provided by the Snapshot Viewer ActiveX control. This is very similar to the November 9, 2005 ADODB.Stream vulnerability, which was widely taken advantage of because it was easy to exploit.
Luckily, the vulnerable ActiveX control does NOT appear in a default Microsoft Windows installation. It does appear, however, to be included by default with Microsoft Office 2000 - 2003.