Microsoft Security Bulletin MS03-038

Technical description:

With Microsoft Access Snapshot Viewer, you can distribute a snapshot of a Microsoft Access database that allows the snapshot to be viewed without having Access installed. For example, a customer may want to send a supplier an invoice that is generated by using an Access database. With Microsoft Access Snapshot Viewer, the customer can package the database so that the supplier can view it and print it without having Access installed. The Microsoft Access Snapshot Viewer is available with all versions of Access - though it is not installed by default - and is also available as a separate stand-alone download. The Snapshot Viewer is implemented by using an ActiveX control.

A vulnerability exists because of a flaw in the way that Snapshot Viewer validates parameters. Because the parameters are not correctly checked, a buffer overrun can occur, which could allow an attacker to execute the code of their choice in the security context of the logged-on user.

For an attack to be successful, an attacker would have to persuade a user to visit a malicious Web site that is under the attacker's control.

Mitigating factors: 

Severity Rating: 

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0665 

Tested Versions:

Microsoft tested Access 2002, Access 2000, and Access 97 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could run programs on another user's system. Such a program could take any action that the user could take, such as adding, changing, or deleting any data or configuration information. For example, the code could lower the security settings in the browser or write a file to the hard disk. Because the code would run as the user and not as the operating system, any security limitations on the user's account would also be applicable to any code that is run by successfully exploiting this vulnerability. In environments where user accounts are restricted, such as enterprise environments, the actions that an attacker's code could take would be limited by these restrictions.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the ActiveX control that Microsoft Access Snapshot Viewer uses. By invoking a specific function in a particular manner, an attacker could overflow the buffer and gain the ability to run code in the user's security context.

What is the Microsoft Access Snapshot Viewer?
The Microsoft Access Snapshot Viewer, you can distribute a snapshot of a Microsoft Access database that allows the snapshot to be viewed without having Access installed. For example, a customer may want to send a supplier an invoice that is generated by using an Access database-the Snapshot viewer would allow the customer to package the database. With Microsoft Access Snapshot Viewer, the supplier can view it and print it without having Access installed.
The Microsoft Access Snapshot Viewer is available with all versions of Microsoft Office - though it is not installed by default - and is also available as a separate stand-alone download. The Snapshot Viewer is implemented by using an ActiveX control.

What is an ActiveX control?
ActiveX is a technology that allows developers to deploy programs in a small, self-contained way. These programs are called controls and can be used by Web pages, Visual Basic programs, or other applications.
ActiveX controls can be distributed in several ways, including installing with software products or being offered for download from a Web site. Regardless of how a user installs an ActiveX control, after it is installed and registered on the user's system it is fully functional and available to the user.

How could I get the ActiveX control that Microsoft Access Snapshot Viewer uses?
There are several ways to get the Microsoft Access Snapshot Viewer:

What is wrong with the ActiveX control that Microsoft Access Snapshot Viewer uses?
There is an unchecked buffer in one of the functions that handles the input of certain parameters to the control.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run the code of their choice on a user's system with the same level of permissions as the user. This could allow the attacker to carry out any action that the user can carry out, such as adding, changing, or deleting data, communicating with a Web site, or formatting the hard disk.

How could an attacker exploit the vulnerability?
There are several ways that an attacker could exploit the vulnerability:

Could the old control still be downloaded?
If an attacker has cached the old vulnerable control and is hosting it on a site that is under their control, the control could be reintroduced to a user's system. However, an attacker would have to persuade a user to visit a malicious Web site that is under their control for the user to download the old control.
To remove the ability for the old control to be reintroduced on a user's system, a kill bit will be issued for the old control in a forthcoming Internet Explorer security patch.

What is a kill bit?
There is a security feature in Microsoft Internet Explorer that makes it possible to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML-rendering engine. This is done by a making a registry setting and is referred to as setting the kill bit. After the kill bit is set, the control can never be loaded, even when it is fully installed. Setting the kill bit makes sure that even if a vulnerable component is introduced or is re-introduced to a system, it remains inert and harmless. For more information about this feature, see the following Microsoft Knowledge Base article: 240797.

What does the patch do?
The patch eliminates the vulnerability by making sure that the Microsoft Access Snapshot Viewer ActiveX control correctly validates the parameters that are sent to the affected function. Additionally, the stand-alone download for Microsoft Access Snapshot Viewer has been updated with the same revised version of the ActiveX control.

Download locations for this patch

Installation platforms:

•	The Microsoft Access 2002 patch can be installed on systems running Microsoft Access 2002 with Office XP Service Pack 2 (The administrative update can be installed on systems running Office XP Service Pack 1 as well).
•	The Microsoft Access 2000 patch can be installed on systems running Microsoft Access 2000 with Office 2000 Service Pack 3.
•	The updated updated stand-alone Snapshot Viewer control can be installed on all supported systems. Inclusion in future service packs: The fix for this issue will be included in any future service packs that are released for the affected products. Reboot needed: No Patch can be uninstalled: No Superseded patches: None. Verifying patch installation: • For all versions of Access, verify that the version number of the Snapview.ocx file is 10.0.5529.0. Caveats: None Localization: Localized versions of this patch are available at the locations discussed in "Patch Availability". Obtaining other security patches: Patches for other security issues are available from the following locations: • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". • Patches for consumer platforms are available from the WindowsUpdate web site

Top of section