Information Security

Posted Jul 8, 2008 | By SearchSecurity.com.au staff

Microsoft warns of zero-day impacting Access, previews Patch Tuesday

Microsoft issued an advisory Monday warning customers of active, targeted attacks using a zero-day flaw in the Snapshot Viewer ActiveX control for Microsoft Access.

The Snapshot Viewer is used to view database report snapshots that are created with any version of Microsoft Access. The flaw could allow an attacker to gain user rights on a system, Microsoft said.

The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007, according to Microsoft. The vulnerability affects the Snapshot Viewer in Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003.

Microsoft said websites that accept or host user-provided content, such as blogs, could contain specially crafted content that exploits this vulnerability. An attacker would have to lure users through an email or instant message to visit a malicious website to pull off a successful attack.

Danish vulnerability clearinghouse Secunia rated the flaw "extremely critical" in its 30883 advisory, because the vulnerability is being actively exploited in the wild.

As a workaround, Microsoft said IT admins can use a feature in Internet Explorer to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML-rendering engine. To do this, the admin must set the kill bit for the control in the registry.
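The following PowerShell, added here as an example and not taken from the article or from Microsoft's advisory, reports and optionally sets the kill bit, which is bit 0x400 of the `Compatibility Flags` value under Internet Explorer's `ActiveX Compatibility` registry key. The CLSID is a placeholder and the parameter and function names are assumptions; the real CLSIDs for the control come from the vendor advisory.

```powershell
# Added example: audit and set the IE kill bit for a list of ActiveX CLSIDs.
# Writing under HKLM requires an elevated session.
param(
    # Placeholder CLSID (constructed); replace with the values from the advisory.
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}'),
    [switch]$Apply   # without -Apply the script only reports current state
)

$KillBit = 0x400     # flag that tells IE never to instantiate the control
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # View used by 32-bit Internet Explorer on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root, [string]$Id)
    $key = Join-Path $Root $Id
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue
        if ($prop) { $flags = $prop.'Compatibility Flags' }
    }
    [pscustomobject]@{
        Key    = $key
        Flags  = ('0x{0:X8}' -f $flags)
        Killed = [bool]($flags -band $KillBit)
        Raw    = $flags
    }
}

# Skip registry views that do not exist on this machine (e.g. 32-bit Windows).
foreach ($root in ($Roots | Where-Object { Test-Path -LiteralPath $_ })) {
    foreach ($id in $Clsid) {
        $state = Get-KillBitState -Root $root -Id $id
        if ($Apply -and -not $state.Killed) {
            if (-not (Test-Path -LiteralPath $state.Key)) {
                New-Item -Path $state.Key | Out-Null
            }
            # OR the bit in so other compatibility flags already set are preserved.
            New-ItemProperty -LiteralPath $state.Key -Name 'Compatibility Flags' `
                -PropertyType DWord -Value ($state.Raw -bor $KillBit) -Force | Out-Null
            $state = Get-KillBitState -Root $root -Id $id
        }
        $state | Select-Object Key, Flags, Killed
    }
}
```

Run without `-Apply` first to see which registry views already have the kill bit set; Internet Explorer reads the value when it next tries to load the control.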

"We encourage affected customers to implement the manual workarounds included in the Advisory, which Microsoft has tested," Bill Sisk, the response communications manager for the Microsoft Security Response Center (MSRC), said in the MSRC blog. "Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors."

Sisk said Microsoft is investigating the attack, which is targeted and not widespread.

The United States Computer Emergency Readiness Team (US-CERT) also issued an advisory. It said upgrading Internet Explorer to version 7 or later may help mitigate the vulnerability through its ActiveX opt-in feature.

PATCH TUESDAY

Microsoft plans to issue four updates this week to repair flaws in Windows and SQL Server that could be exploited to conduct spoofing attacks and execute code remotely.

In its advance notification issued last week on its TechNet site, Microsoft said the flaws affected software in Windows, SQL Server and Exchange Server. The bulletins have been rated important by the software maker and will be issued Tuesday afternoon as part of Microsoft's Patch Tuesday bulletins.

The flaws are in Microsoft SQL Server 2000 Desktop Engine and Windows Internal Database Service Pack 2. Microsoft said the Windows Server 2008 server core installation is affected by the updates.

Bill Sisk, the response communications manager for the Microsoft Security Response Center (MSRC), said the update will include improvements to the infrastructure of the Update Agent. The new agent will shorten the time it takes Windows Update to scan for and receive updates.

Last month Microsoft issued three updates to address critical flaws affecting Bluetooth, DirectX and Internet Explorer. The software maker also issued an update to correct a problem with the System Center Configuration Manager 2007, which was blocking some updates.



Copyright © 2008 Westwick-Farrow Pty Ltd. All rights reserved.