Archived Blog

Snapshot Viewer ActiveX Exploit In The Wild

08.01.2008 - 2:29 PM

This is an update to the Microsoft Access Snapshow Viewer ActiveX vulnerability announced on July 7, 2008 in Microsoft Security Advisory 955179. This vulnerability allows an attacker to gain the privileges of the logged-on user account. Working exploit code was posted to milworm on July 24, 2008: www.milw0rm.com/exploits/6124

We've been closely monitoring this exploit since its release, and are now tracking several hundred occurrences in the wild, found mostly in China. There is currently no patch available, but Microsoft has several workarounds listed in their advisory. We recommend setting the killbit for this ActiveX control on all workstations where it is installed.

Vulnerable ActiveX CLSIDs:

  • F0E42D50-368C-11D0-AD81-00A0C90DC8D9
  • F0E42D60-368C-11D0-AD81-00A0C90DC8D9
  • F2175210-368C-11D0-AD81-00A0C90DC8D9

This vulnerability is a simple design flaw, and does not require any complicated exploit code. Attackers are able to compromise remote systems simply by calling methods provided by the Snapshot Viewer ActiveX control. This is very similar to the November 9, 2005 ADODB.Stream vulnerability, which was widely taken advantage of because it was easy to exploit.

Luckily, the vulnerable ActiveX control does NOT appear in a default Microsoft Windows installation. It does appear, however, to be included by default with Microsoft Office 2000 - 2003.

Bookmark This Post: