Microsoft issued an advisory on Monday warning customers of active, targeted attacks that exploit a zero-day flaw in the Snapshot Viewer ActiveX control for Microsoft Access.
The Snapshot Viewer is used to view database report snapshots created with any version of Microsoft Access. According to Microsoft, a successful exploit could allow an attacker to gain the same user rights as the logged-on user, so an account running with administrative rights gives the attacker full control of the system.
The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007, according to Microsoft. The vulnerability affects the Snapshot Viewer in Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003.
Microsoft said that websites which accept or host user-provided content, such as blogs, could contain specially crafted content that exploits this vulnerability. Because the control is loaded from a web page, an attacker would first have to lure users to a malicious website, typically through a link in an email or instant message, to carry out a successful attack.
Danish vulnerability clearinghouse Secunia rated the flaw "extremely critical" in its advisory 30883, because the vulnerability is currently being actively exploited in the wild.
As a workaround, Microsoft said IT admins can use a feature in Internet Explorer to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML-rendering engine. To do this, the admin must set the kill bit for the control's CLSID in the registry; the control then cannot be instantiated from a web page, whatever the page's script or object tag asks for.
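The kill-bit workaround described above, as an added PowerShell example that is not from the article or from Microsoft's advisory. It assumes an elevated session. The CLSID(s) to pass are the ones Microsoft published for the Snapshot Viewer control, which this page does not list, so the script takes them as a parameter and only validates their format; the flag value 0x400 is the documented kill bit in the `Compatibility Flags` value under `ActiveX Compatibility`. The script name in the usage note is hypothetical.

```powershell
# Added example (not from the article or Microsoft's advisory): set the ActiveX
# kill bit so Internet Explorer refuses to load a control, then verify it.
# Pass the CLSID(s) listed in the Microsoft advisory for the control; this script
# does not hard-code them.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Clsid
)

# 0x400 in "Compatibility Flags" is the kill bit: IE will not instantiate the control.
$KillBit = 0x400

$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# On 64-bit Windows the 32-bit IE process reads the Wow6432Node view of the hive,
# so the kill bit has to be set there as well.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    param([string]$Id, [string]$Base)
    $key = Join-Path $Base $Id
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # OR the kill bit into whatever flags are already present instead of
    # overwriting them, so other compatibility settings for the control survive.
    $existing = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Id, [string]$Base)
    $key = Join-Path $Base $Id
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($id in $Clsid) {
    # Refuse anything that is not a braced GUID; a typo here silently protects nothing.
    if ($id -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a braced CLSID: $id"
    }
    foreach ($base in $BasePaths) {
        Set-ActiveXKillBit -Id $id -Base $base
        if (Test-ActiveXKillBit -Id $id -Base $base) {
            Write-Output "Kill bit set: $base\$id"
        } else {
            Write-Warning "Kill bit NOT set: $base\$id"
        }
    }
}
```

Run it as, for example, `.\Set-KillBit.ps1 -Clsid '{CLSID-from-advisory}'` (script name hypothetical) from an elevated prompt, then open a page that references the control to confirm IE no longer loads it. Setting the kill bit does not remove or patch the control file itself; it only stops Internet Explorer (and other hosts that honour the flag) from instantiating it. To reverse the workaround after the fix is installed, clear the 0x400 bit in the same value rather than deleting the key, in case other flags are set.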
"We encourage affected customers to implement the manual workarounds included in the Advisory, which Microsoft has tested," Bill Sisk, the response communications manager for the Microsoft Security Response Center (MSRC), said in the MSRC blog. "Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors."
Sisk said Microsoft is investigating the attack, which is targeted and not widespread.
The United States Computer Emergency Readiness Team (US-CERT) also issued an advisory. It said that upgrading Internet Explorer to version 7 or later may help mitigate the vulnerability through its ActiveX opt-in feature, which prompts the user before a previously unused control is allowed to run rather than loading it silently.