Tag Archive for ActiveX

Microsoft Access Warning

July 7, 2008, Redmond, WA — Microsoft issued a Security Advisory regarding targeted attacks against users of its Access 2000, Access 2002, and Access 2003 database software.

Access is not commonly found on home computers.  It is more common on business and office computers, and is part of the expensive “Microsoft Office Professional” software suite, which should not be confused with “Windows XP Professional”.

Do I Have Access 2000, 2002, or 2003?
Most home computers do not have Microsoft Access installed on them.  If you are unsure, or if you want to check, do the following:

  1. Click “Start”
  2. Click “Programs” or “All Programs”
  3. Click “Microsoft Office”
    1. If you don’t see Microsoft Office, then you don’t have to go any further; you’re safe.
    2. If you see and click Microsoft Office, but you don’t see Access 2000, 2002, or 2003, then you’re safe, too.

So if you can’t find Microsoft Office and Microsoft Access then you’re safe.  You are also safe if you have Access 95, 97, 98, and 2007. Those versions are unaffected.

What Attack?
The attack affects a flaw in the ActiveX control for the “Snapshot Viewer” for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

How To Avoid It?
Computer users who have one of the affected versions of Access should perform the following actions:

  1. Start Internet Explorer, then click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.

Every Tuesday evening Microsoft issues Windows Updates and Microsoft Updates to patch flawed software. No patch has been released for the Access problem at this time, and the procedure above is only offered as a workaround until the underlying problem can be solved.

Update: Patched on August 12, 2008

Need more information?

You can also post a question or comment by clicking the link below. You must register in order to leave a comment. Keep up to date with Skylarking by subscribing by RSS News Feed or by Email.