Tag Archive for Snapshot Viewer

Microsoft Updates (Aug. 12, 2008)

Windows Update Logo

Windows Update Logo

Microsoft issued its largest batch of updates in 18 months. I thought the Windows XP SP3 and Windows Vista SP1 update packs were big, but yesterday Microsoft released at least 14 updates for various Windows and Microsoft Office products. Included among the fixes were the Word 2002 “zero-day” bug I reported on July 11, 2008, and the Microsoft Access Snapshot Viewer flaw that I reported on July 8, 2008.

The patches released included:

  • Microsoft Access Snapshot Viewer vulnerability (Important for business and professional users)
  • Microsoft Office Word 2002 vulnerability
  • 2 x Windows Vista security patch
  • Microsoft Office Excel 2007 security patch
  • Daylight Savings Time revisions for Windows Vista
  • Malicious Software Removal tool (A monthly fix from Microsoft)
  • Microsoft Office 2007 security patch
  • Internet Explorer 7 security patch
  • Microsoft Office PowerPoint 2007 security patch
  • Windows Mail Junk E-mail (Spam) filter update
  • 2 x Windows Vista updates
  • Windows Vista ActiveX security update
  • Windows Mail security update for Vista
  • Microsoft Office Outlook 2007 security update

Most of these patches affect business users, as most home users with a computer over a year old don’t have Windows Vista or Microsoft Office 2007. Also, if the programs mentioned aren’t familiar to you, then they most likely aren’t a risk.

If you aren’t up to date on your Windows Updates you can always go to http://update.microsoft.com for the lastest fixes from Microsoft.  They are made available for free download and installation every Tuesday evening.

Check out Skylark NetWorks weekly Apple versus Microsoft Weekly Vulnerability Index compiled from the SANS Institute for past patches.

If anyone has a question, please email them to me using the Contact link, or, if it relates to today’s message, please use the Comment and Question link below. I’m looking forward to hearing from you.

Microsoft Access Warning

July 7, 2008, Redmond, WA — Microsoft issued a Security Advisory regarding targeted attacks against users of its Access 2000, Access 2002, and Access 2003 database software.

Access is not commonly found on home computers.  It is more common on business and office computers, and is part of the expensive “Microsoft Office Professional” software suite, which should not be confused with “Windows XP Professional”.

Do I Have Access 2000, 2002, or 2003?
Most home computers do not have Microsoft Access installed on them.  If you are unsure, or if you want to check, do the following:

  1. Click “Start”
  2. Click “Programs” or “All Programs”
  3. Click “Microsoft Office”
    1. If you don’t see Microsoft Office, then you don’t have to go any further; you’re safe.
    2. If you see and click Microsoft Office, but you don’t see Access 2000, 2002, or 2003, then you’re safe, too.

So if you can’t find Microsoft Office and Microsoft Access then you’re safe.  You are also safe if you have Access 95, 97, 98, and 2007. Those versions are unaffected.

What Attack?
The attack affects a flaw in the ActiveX control for the “Snapshot Viewer” for Microsoft Access. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

How To Avoid It?
Computer users who have one of the affected versions of Access should perform the following actions:

  1. Start Internet Explorer, then click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.

Every Tuesday evening Microsoft issues Windows Updates and Microsoft Updates to patch flawed software. No patch has been released for the Access problem at this time, and the procedure above is only offered as a workaround until the underlying problem can be solved.

Update: Patched on August 12, 2008

Need more information?

You can also post a question or comment by clicking the link below. You must register in order to leave a comment. Keep up to date with Skylarking by subscribing by RSS News Feed or by Email.