SAINT CorporationSAINT:3A126380AE3ABA4C84EA4E99B60B5166Microsoft Access Snapshot Viewer file download vulnerability
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.971 High
EPSS
Percentile
99.8%
Added: 07/11/2008
CVE: CVE-2008-2463
BID: 30144
OSVDB: 46749
Background
The Snapshot Viewer for Microsoft Access is used to display report snapshots without needing to fully invoke Access. It enables an ActiveX control in **snapview.ocx**.
Problem
The Snapshot Viewer ActiveX control allows remote files to be downloaded to arbitrary locations on the userβs computer. This could allow command execution by a malicious web page which downloads an executable file to the Startup folder. The file would then be executed the next time the user logs in.
Resolution
Set the kill bit on the ActiveX control as described in Microsoft Security Advisory 955179.
References
<http://www.kb.cert.org/vuls/id/837785>
Limitations
Exploit requires a user to load the exploit page into Internet Explorer. The connection is established after the user logs out and logs in again.
Platforms
Windows
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.971 High
EPSS
Percentile
99.8%