Watch Out for an IE Zero-Day Attack

Microsoft yesterday warned of a new attack underway against a flaw in the ActiveX control for the Snapshot Viewer for Microsoft Access, a control that Internet Explorer can load from a Web page. There is not yet any patch available for the zero-day security hole, and the attacks appear to focus on business targets.

In its security advisory, Redmond says the vulnerable control installs with "all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer." A poisoned Web page that exploits the hole could surreptitiously download malware to a victim PC; simply visiting the page in IE with the control installed is enough, no download prompt required.

"Active, targeted attacks" are underway on a relatively small scale, according to the advisory. Targeted attacks typically involve more careful planning and crafting, and may use a victim's name and title in a socially engineered e-mail with a link to a malicious site, for example. I usually only see targeted attacks against businesses, which fits a vulnerability in a Microsoft Access component. So watch out for this while you're at work.

The US-CERT vulnerability report doesn't inspire hope: "We are currently unaware of a practical solution to this problem." You can set what's known as a kill bit for this particular ActiveX control, which tells IE never to load that control regardless of which page asks for it, but doing so also blocks legitimate uses, so you may no longer be able to view Access report snapshots in the browser, and it involves mucking with the Windows Registry. See this Microsoft Support Page for kill bit instructions (the CLSID is in the security advisory).
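For administrators who would rather script the kill bit than edit the Registry by hand, here is an added example (it is not from the PCWorld article or from Microsoft's advisory). It sets the documented "Compatibility Flags" kill-bit value (0x400) under IE's ActiveX Compatibility key for a given CLSID and then reads it back to confirm. The CLSID in the script is a placeholder; substitute the one Microsoft lists in the advisory. Run it from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example, not code from the article or the advisory.
# Sets the IE kill bit for one ActiveX control and verifies it.
# Run elevated: the keys live under HKEY_LOCAL_MACHINE.

# Placeholder CLSID; replace with the control's CLSID from Microsoft's advisory.
$clsid   = '{00000000-0000-0000-0000-000000000000}'
# 0x400 in "Compatibility Flags" is the documented kill bit.
$killBit = 0x400

$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
# On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so cover it too.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # OR the kill bit into any flags already present rather than overwriting them.
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $killBit
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verification: each key must now report the kill bit as set.
foreach ($path in $paths) {
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    $isSet = (($flags -band $killBit) -eq $killBit)
    '{0}' -f $path
    '  Compatibility Flags = 0x{0:X}, kill bit set: {1}' -f $flags, $isSet
}
```

The script preserves any other flags already stored for the control, and the read-back loop is the check to keep: a kill bit that was written to the wrong hive or the wrong CLSID does nothing. To undo it once Microsoft ships a fix, clear the 0x400 bit (or delete the value) under the same keys; restart IE for either change to take effect.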

The US-CERT report also says that IE 7's ActiveX opt-in feature should help mitigate the vulnerability, which the Microsoft advisory surprisingly doesn't mention. Opt-in keeps IE 7 from running controls that have never been used from a Web page before, so you'd get an Information Bar prompt before the control loads on a poisoned page and would have a chance to stop it before it attacked your computer. The catch is that the prompt only appears for controls you haven't already approved; if you've run the Snapshot Viewer control in the browser before, don't count on opt-in alone.

If you have the choice, it may be a good idea to use Firefox until this hole is fixed; Firefox doesn't load ActiveX controls, so a poisoned page can't reach the vulnerable one from there. And if you're still on IE 6 at work, hammer on your IT to get you upgraded. Every security expert I talk to says you're basically asking for it if you surf the web with the outdated browser. If there's a particular in-house app that only works with IE 6, then use Firefox as your default Web browser, and only fire up IE 6 for that old app.
