| VID |
28054 |
| Severity |
40 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The Hotfix(827104) for 'Buffer Overflow Vulnerability due to unchecked buffer in MS Access Snapshot Viewer' has not been applied.
With Microsoft Access Snapshot Viewer, you can distribute a snapshot of a Microsoft Access database that allows the snapshot to be viewed without having Access installed. It is available with all versions of Access though it is not installed by default. The version 97, 2000 and 2002 of Microsoft Access is vulnerable to a buffer overflow, caused by improper bounds checking of buffer in an ActiveX control used by the Microsoft Access Snapshot Viewer. To exploit this vulnerability, a remote attacker can create a malicious Web page and hosting it on a Web site or sends it to a user as an HTML E-mail and then persuade a user to open this web page or E-mail. Once this web page is opened, it can cause a buffer to overflow, which can allow an attacker to execute the code of their choice in the security context of the logged-on user.
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
* Softwares Affected:
Microsoft Access 97
Microsoft Access 2000
Microsoft Access 2002 |
| Recommendation |
Apply the appropriate patch as listed in Microsoft's security bulletin MS03-038 at http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
1. Open the following page :
for Access 2002, http://microsoft.com/downloads/details.aspx?FamilyId=B50D4863-1BBE-4009-9DF8-52D3A916D54F&displaylang=en
http://microsoft.com/office/ork/xp/journ/snpv1001a.htm (administrative update only)
for Access 2000, http://microsoft.com/downloads/details.aspx?FamilyId=F6CB9C8E-16E3-422D-86DD-7ED5671FB8D4&displaylang=en.
http://www.microsoft.com/office/ork/xp/journ/snpv0901a.htm (administrative update only)
2. Select a different language from the drop-down list and click <Go> button.
3. Click <Download> button to download this patch file.
4. Run this file to install the patch.
for Access 97, Install the updated stand-alone Snapshot Viewer control. To do so, visit the following Microsoft Web site: http://www.microsoft.com/AccessDev/Articles/snapshot.htm
-- OR --
Patches for Windows platforms are also available from the Microsoft Windows Update Web ste, http://windowsupdate.microsoft.com.
Windows Update detects what version of Windows you are running and offers the appropriate patch. |
| Related URL |
CVE-2003-0665 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
13093 (ISS) |
|
