PT-2008-3928 · Microsoft · Office Access, Office Snapshot Viewer

Published: 2008-07-07 · Updated: 2017-09-29 · CVE-2008-2463

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Microsoft Office Access versions 2000 through 2003; Microsoft Office Snapshot Viewer version 10.0.5529.0
Description: A remote code execution issue exists in the ActiveX control for the Snapshot Viewer, allowing attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message. This is likely related to the use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method. The issue can be leveraged for code execution by writing to a Startup folder. An attacker who successfully exploits this issue could gain the same user rights as the logged-on user.
Recommendations: For Microsoft Office Access versions 2000 through 2003, consider disabling the ActiveX control for the Snapshot Viewer until a patch is available. For Microsoft Office Snapshot Viewer version 10.0.5529.0, restrict access to the PrintSnapshot method and the SnapshotPath and CompressedPath properties to minimize the risk of exploitation.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2008-2463

Affected Products

Office Access
Office Snapshot Viewer