ActiveX Vulnerabilities: Even When You Aren't Vulnerable, You May Be Vulnerable 

Aug 06, 2008 05:30 PM

Recently, we came across a rather unfortunate exploit case for the Access Snapshot Viewer ActiveX Vulnerability that took advantage of a property of the ActiveX system to exploit IE users who did not have the vulnerable control installed. How does one exploit a vulnerability that does not exist on a system, you say? Sadly, attackers have found a way to install the vulnerable Access Snapshot Viewer ActiveX control through Internet Explorer prior to exploiting it.

Because the control is Microsoft signed, its installation is silent and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

While this silent installation ability obviously poses some interesting security considerations, it is actually fairly core to ActiveX operation. For example, a site that wants to provide an Access report for its users may want to install the trusted control and permit the users to simply view the report. This would provide a cleaner experience for the site's users, rather than forcing them to go to the Microsoft site to download and install the control.

This silent install attack is specifically detected by IPS (NIS, NAV, N360, SEP, and SCS) products as HTTP Snapshot Viewer ActiveX Download Request. If the subsequent exploit is encoded, it will be detected by Symantec Browser Protection (NIS 2008, NAV 2008, N360 v2) as MSIE MS Snapshot ActiveX File Download. If the exploit is not encoded, IPS will detect it as HTTP SnapShot Viewer ActiveX File Download. Additionally, Symantec antivirus programs will detect this attack as Downloader.

Message Edited by SR Blog Moderator on 08-06-2008 02:34 PM
