MS03-038 - Unchecked Buffer in Microsoft Access Snapshot Viewer May Permit Code Execution

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
With Microsoft Access Snapshot Viewer you can distribute a snapshot of a Microsoft Access database that permits you to view the snapshot without Access installed.

For example, you may want to send a supplier an invoice that is generated by using an Access database. Access Snapshot Viewer permits you to package the invoice in a way that your supplier can view the invoice and can print the invoice, and the supplier does not have to have Access installed.

By default, Access Snapshot Viewer is installed with all versions of Access. Access Snapshot Viewer is also available as a separate stand-alone download. Access Snapshot Viewer is implemented by using an ActiveX control.

A vulnerability results because of a flaw in the way a function in Access Snapshot Viewer validates parameters. Because the parameters are not correctly checked, a buffer overrun can result. This may potentially permit an attacker to run code of their choice in the security context of the logged-on user.

Mitigating Factors
  • For an attack to be successful, the attacker must persuade a user to visit a malicious Web site that is under the control of the attacker.
  • The code of the attacker runs with the same permissions as the code of the user. If the permissions of the user are restricted, the permissions of the attacker are similarly restricted.
RESOLUTION

Security Patch Information

Download and Installation Information

Access 2002

If you run Access 2002, you must install the Access 2002 Runtime Security Patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
827430 Overview of the Access 2002 Runtime Security Patch: September 3, 2003
back to the top

Access 2000

If you run Access 2000, you must install the Access 2000 Runtime Security Patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
827431 Overview of the Access 2000 Runtime Security Patch: September 3, 2003
back to the top

Access 97

If you run Access 97, you must install the updated stand-alone Snapshot Viewer control. For additional information, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=B73DF33F-6D74-423D-8274-8B7E6313EDFB&displaylang=en

back to the top

Security Patch Removal

You cannot remove this security patch.

Security Patch Replacement Information

This security patch does not replace any other security patches.
REFERENCES
For additional information about Microsoft Security Bulletin MS03-038, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-038.mspx
Properties

Article ID: 827104 - Last Review: 10/26/2013 19:35:28 - Revision: 3.3

  • Microsoft Access 2002 Standard Edition
  • Microsoft Access 2000 Standard Edition
  • Microsoft Access 97 Standard Edition
  • kbnosurvey kbarchive kbqfe kbbug kbfix kbsecvulnerability kbsecurity kbsecbulletin KB827104
Feedback