MS08-041 : The Microsoft Access Snapshot Viewer ActiveX control

MS08-041 fixes a vulnerability in the Microsoft Access Snapshot Viewer ActiveX control. It’s an interesting vulnerability so we wanted to go into more detail about platforms at reduced risk and also more about the servicing strategy for this vulnerability.

Windows Vista at reduced risk?

We first heard about this vulnerability from customers sending in reports of active attacks. We issued security advisory 955179 in response to those attacks. Attackers had found a race condition that tricked this legitimate ActiveX control into downloading a file from any internet URL and writing it to any path on the local disk. The first attacks placed a trojan malware executable in the user’s startup folder to be run on next reboot. Later, attackers figured out how to overwrite core system files and then immediately cause those files to be loaded. The most recent attacks we have seen will even prompt the potential victim to download the ActiveX control if they do not have it already installed.

There is some good news, however. Windows Vista has a strong defense-in-depth protection against these types of attacks. The IE7 “Protected Mode” feature of Windows Vista does not allow ActiveX controls (or anything running inside the browser) to write out to sensitive areas of the file system. So Vista users are at a substantially reduced risk of infection through the normal IE attack vectors that we have seen used in these attacks.

MSRC ActiveX control servicing strategy

There is one wrinkle in our servicing strategy for this vulnerability. You might recall from previous ActiveX control cases that the MSRC typically ships an updated binary along with a killbit for the old binary and a phoenix bit pointing to the new binary. The new binary, the killbit, and the phoenix bit are all installed by a single package, ensuring that legitimate use of the ActiveX control is not disrupted. One or two months later, the MSRC ships a stand-alone killbit to block any instantiation of the old control. The idea is that any legitimate users of the control will by then have the phoenix bit pointing to the new binary, so killing the old clsid entirely will not disrupt legitimate use of the binary.

MS08-041 is the package that ships the updated Snapshot Viewer ActiveX control, the killbit for the old clsids, and the phoenix bit pointing the old clsids to their new clsid equivalents. So if you install MS08-041, you will be safe from attacks leveraging this vulnerability in snapview.ocx. However, keep in mind that if you don’t already have Microsoft Office installed, you likely won’t be offered MS08-041 by Microsoft Update. It makes sense because if you don’t have the control installed, you wouldn’t want Microsoft to push it down onto your computer. From the previous paragraph, recall that the MSRC will follow the initial package with a stand-alone killbit. That will ship with the next ActiveX killbit package after users who legitimately use and need the Snapshot Viewer ActiveX control have installed the new binary. In the meantime, if the computers you control do not have Office installed, you should consider setting the killbit on those computers to be sure you’re safe. You can find the steps to do so in the bulletin workaround section.
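As an added illustration of the killbit and phoenix-bit mechanism described above (this is example code written for this page, not code from the bulletin or from Microsoft), the PowerShell below sets and verifies a killbit for an ActiveX CLSID, and shows the companion redirection a phoenix bit performs. The CLSIDs are placeholders; the real Snapshot Viewer CLSIDs are in the bulletin's workaround section and are not reproduced on this page. It assumes the documented registry location `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility` and the `Compatibility Flags` value `0x400` for the killbit; the `AlternateCLSID` value used for the phoenix bit is Microsoft's documented mechanism but is not named on this page. The function names `Set-ActiveXKillBit`, `Test-ActiveXKillBit` and `Set-ActiveXPhoenixBit` are the example's own.

```powershell
# Added example: set, verify and (phoenix case) redirect an ActiveX CLSID in IE.
# The CLSIDs below are PLACEHOLDERS; take the real Snapshot Viewer CLSIDs from the
# MS08-041 workaround section. Run from an elevated PowerShell prompt.

$KillBit = 0x400   # Compatibility Flags bit that blocks instantiation in IE

function Get-ActiveXCompatKey {
    param([Parameter(Mandatory)][string]$Clsid)
    # On 64-bit Windows the 32-bit IE reads the Wow6432Node copy of this key;
    # set both if you run a mixed fleet.
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-ActiveXCompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the bit in rather than overwriting, so other compatibility flags survive.
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-ActiveXCompatKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-ActiveXPhoenixBit {
    # "Phoenix bit": the old CLSID is killed, and AlternateCLSID redirects
    # legitimate instantiations of it to the fixed control's new CLSID.
    param(
        [Parameter(Mandatory)][string]$OldClsid,
        [Parameter(Mandatory)][string]$NewClsid
    )
    Set-ActiveXKillBit $OldClsid
    New-ItemProperty -Path (Get-ActiveXCompatKey $OldClsid) -Name 'AlternateCLSID' `
        -PropertyType String -Value $NewClsid -Force | Out-Null
}

# --- usage with placeholder CLSIDs ---
$oldClsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER: vulnerable control
Set-ActiveXKillBit $oldClsid
if (Test-ActiveXKillBit $oldClsid) {
    "Killbit set for $oldClsid"
} else {
    "Killbit NOT set for $oldClsid"
}
```

The stand-alone killbit (`Set-ActiveXKillBit`) is the right choice for machines without Office, where no legitimate use of the control exists; on machines that do use the Snapshot Viewer, install MS08-041 instead, since a killbit without the phoenix redirection would break the control for its legitimate users. `Test-ActiveXKillBit` is also useful as a compliance check across a fleet after the workaround has been deployed.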

– Security Vulnerability Research & Defense Bloggers
*Postings are provided “AS IS” with no warranties, and confer no rights.*