Symantec Security Response 2008-08-06
Recently, we came across a rather unfortunate exploit case for the Access Snapshot Viewer ActiveX Vulnerability that took advantage of a property of the ActiveX system to exploit IE users who did not have the vulnerable control installed. How does one exploit a vulnerability that does not exist on a system, you say? Sadly, attackers have found a way to install the vulnerable Access Snapshot Viewer ActiveX control through Internet Explorer prior to exploiting it.
Because the control is signed by Microsoft, its installation is silent and does not require any user interaction. Once this vulnerable control is installed on the victim's computer, it is exploited in the same way as if the control had been installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.
While this silent installation ability obviously poses some interesting security considerations, it is actually fairly core to ActiveX operation. For example, a site that wants to provide an Access report for its users may want to install the trusted control and permit the users to simply view the report. This would provide a cleaner experience for the site's users, rather than forcing them to go to the Microsoft site to download and install the control.
This silent install attack is specifically detected by IPS (NIS, NAV, N360, SEP, and SCS) products as HTTP Snapshot Viewer ActiveX Download Request. If the subsequent exploit is encoded, it will be detected by Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) as MSIE MS Snapshot ActiveX File Download. If the exploit is not encoded, IPS will detect it as HTTP SnapShot Viewer ActiveX File Download. Additionally, Symantec antivirus programs will detect this attack as Downloader.