The Inquirer-Home

So you think your Microsoft software is up to date?

Always trust content from the Microsoft Corporation
Wed Sep 10 2003, 08:24
IF YOU READ the reports of the latest wave of security-related errors in various Microsoft products you probably scurried off to WindowsUpdate to get your installation up to date.

If you had had your second cup of coffee that morning, you were probably awake enough to remember to also scoot off to the Office page to check for updates there too.

So, assuming you could find your original Office installation CDs, necessary to perform the updates, you're probably feeling somewhat pleased with yourself. Assuming your virus software is up to date, no malware or emals can have their wicked way with your computer!

Unfortunately that may not be true. Doubts have emerged as to the effectiveness of Microsoft's fix for various Internet Explorer problems. That is an 'old' problem from August 20, but there also seems to be a problem with the more recent fix for a problem with the Microsoft Access Snapshot Viewer.

This rather obscure piece of software is a plug-in for the Vole's Internet Explorer software. It is designed to let you place Access databases on your website. With the help of this little virtual gadget, the users of your website are able to browse the Access database even if they don't have Access installed.

All very clever, at least if you are in the habit of putting entire databases on your web pages. Unfortunately the snapshot viewer doesn't check its input data very carefully, assuming that it is dealing with a regular Access database. If instead it is dealing with a handcrafted piece of malware it gets so confused that pretty soon it's running evil program code from the dark side of the net, rather than those blessed Volish lines it was supposed to be running. That malware can then get up to the usual dirty tricks like formatting your hard disk or helping an evil hacker to take over the world from the relative comfort of his damp basement.

This error was originally discovered by Oliver Lavery, who gets his reward (a note of thanks) at the bottom of the Microsoft Security Bulletin. Oliver is one of the good guys, a so-called "white hat". So when he found a security-relevant bug he didn't spread the news on to the world, but told Microsoft, and then sat still for months waiting for the Vole to come up with a fix. The good thing about this, of course, is that no 'black hats' need know about this before Microsoft has a fix ready. The bad thing about this is that the black hats might discover the same problem independently and start abusing it while the backroom boys in Redmond take their sweet time coming up with a fix.

Unfortunately, it seems that Microsoft have now combined the worst of both worlds, by taking some time coming up with a solution, only to come up with a half-baked solution that tells the black hats exactly what they have to do to attack your computer. Buried in the Security Bulletin is the note:

To remove the ability for the old control to be reintroduced on a user's system, a kill bit will be issued for the old control in a forthcoming Internet Explorer security patch.

Which begs the question of how difficult it is for the "old control" (ie the version of the plugin with the error) to be introduced onto your system. It's pretty simple. If some evil mail or website tries to introduce it to your system you'll get the standard popup, much like the one you get on Office Update:

alt='activex'

Except that the name of the program will be "Microsoft Access Snapshot Viewer". Doesn't look too threatening, in fact it looks like the sort of thing you might need to look at lewd pictures, which we gather are quite widespread on the net. Click 'Yes', and your computer is ripe for a reinstallation. You can save that click if you on a previous occasion checked the box that says "Always trust content from Microsoft Corporation" (what were you thinking?).

Now you may be wondering why your visit to the Office update site didn't innoculate your PC against this virtual disease. Perhaps it did. If you have a version of Office that includes Access then you are probably safe. Your PC will have downloaded the new version and will prefer the local fixed version to the buggy one from the net.

However if you don't have Access installed (and it's a pretty expensive piece of software, not part of all Office versions, so you may well not have it) then you don't get the fix from the Windowsupdate site. And you don't get it from the Officeupdate page either. But you are likely still vulnerable.

The "Stand-alone Snapshot Viewer Control" from the Security Bulletin will install even if you don't have Access. According to MS it will protect you, so you should probably go install it now.

Unless you are one of those smug Unix types.

Linq: Oliver Lavery's post on Bugtraq

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Heartbleed bug discovered in OpenSSL

Have you reacted to Heartbleed?